Nikos Mavrogiannopoulos (nmav@xxxxxxxxxx) said:
> On Thu, 2014-02-27 at 11:52 -0500, Bill Nottingham wrote:
> > > == Detailed Description ==
> > > The idea is to have some predefined security levels such as LEVEL-80,
> > > LEVEL-128, LEVEL-256,
> > > or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256. These will be the
> > > security levels
> > > that the administrator of the system will be able to configure by modifying
> > > /usr/lib/crypto-profiles/config
> > > /etc/crypto-profiles/config
> > > and being applied after executing update-crypto-profiles.
> > > (Note: it would be better to have a daemon that watches those files and
> > > runs update-crypto-profiles automatically)
> > How is an admin supposed to know what levels such as the above are, and why
> > they might choose a particular one?
>
> They will be documented. They could be part of the configuration file
> that be edited. The policies above are indicative, so if there are
> suggestions they will be considered.

Well, even if they're documented, I don't know if they're particularly
meaningful items. For example although I 'know' what SUITEB might refer to,
it still amounts to 'a set of algorithms the NSA deems sufficient'; it does
not give me any meaningful knowledge to compare it to other settings. And
for all I know I'm above the curve on understanding what some of these are;
your typical administrator is likely to know even less.

If they're merely described in terms of what they represent - is it going to
make the choice clearer, or not? i.e., how do ensure that the configuration
choices are meaningful and explicable to the administrators such they can
make an informed decision outside of "I checked the SUITEB-256 box because
that's what the standard 243213 chapter 33 subsection 24 sentence 1 says".

Bill