2014-02-27 17:22 GMT+01:00 Jaroslav Reznik <jreznik@xxxxxxxxxx>:
The above proposed levels broadly make sense (taking 80/128/256 as a "nice round numbers" that stand for detailed strenghts), we would probably want to explicitly document the semantics (Is the semantics of a level fixed forever or will it be updated? Will we remove a weak cipher from an existing level (ever / during a single Fedora release)? Will we add a cipher to alevel (ever / during a single Fedora release?).
= Proposed System Wide Change: System-wide crypto policy =
https://fedoraproject.org/wiki/Changes/CryptoPolicy
Unify the crypto policies used by different applications and libraries.
Is this for TLS only? The description suggest this, but it's not explicit.
== Detailed Description ==
The idea is to have some predefined security levels such as LEVEL-80,
LEVEL-128, LEVEL-256,
or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256.
The difficult-to-coordinate work is updating the application-sid, so as long as the API doesn't change, changing the predefined security levels is something that needs to be done within a single package only, i.e. comparatively easier, so I'm not too concerned about the particular choices.
I do think we need a single, clear "Fedora recommended default". Beyond that, we need some flexibility, but it's far too easy to start asking for too many options, and to get deep into bikeshedding.The above proposed levels broadly make sense (taking 80/128/256 as a "nice round numbers" that stand for detailed strenghts), we would probably want to explicitly document the semantics (Is the semantics of a level fixed forever or will it be updated? Will we remove a weak cipher from an existing level (ever / during a single Fedora release)? Will we add a cipher to alevel (ever / during a single Fedora release?).
* Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be
understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be
overloaded to behave as above.
Please update the NSS part with the current proposal (based on our discussion).
* Other developers: Packages that use SSL crypto libraries should, after the
previous change is complete, start replacing the default cipher strings with
SYSTEM.
How can we find out which packages would be affected? Anything that requires the library, or only users that refer to a specific symbol?
What about packages that currently don't explicitly set any policy string (i.e. packages that probably don't care too much about the specifics)? Would this mean adding a call to use "SYSTEM" to these packages, or would we change the semantics of the API to use "SYSTEM" by default?
Mirek-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
