Re: F21 System Wide Change: System-wide crypto policy


 



On Tue, 2014-03-04 at 17:19 +0100, Miloslav Trmač wrote:
> 2014-02-27 17:22 GMT+01:00 Jaroslav Reznik <jreznik@xxxxxxxxxx>:
>         = Proposed System Wide Change: System-wide crypto policy =
>         https://fedoraproject.org/wiki/Changes/CryptoPolicy
>         
>         Unify the crypto policies used by different applications and
>         libraries.
> Is this for TLS only?  The description suggests this, but it's not
> explicit. 

I've made it explicit, thanks.


> The above proposed levels broadly make sense (taking 80/128/256 as a
> "nice round numbers" that stand for detailed strengths), we would
> probably want to explicitly document the semantics (Is the semantics
> of a level fixed forever or will it be updated?  Will we remove a weak
> cipher from an existing level (ever / during a single Fedora release)?
> Will we add a cipher to a level (ever / during a single Fedora
> release)?).

Would that be required to be part of the Fedora change? I'd prefer if
the semantics are not fixed before the actual levels are fixed.
 
>         * Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher
>         needs to be
>         understood and behave as described. For NSS the
>         NSS_SetDomesticPolicy() can be
>         overloaded to behave as above.
> Please update the NSS part with the current proposal (based on our 
> discussion).
 
Updated.

>         * Other developers: Packages that use SSL crypto libraries
>         should, after the
>         previous change is complete, start replacing the default
>         cipher strings with
>         SYSTEM.
> How can we find out which packages would be affected?  Anything that
> requires the library, or only users that refer to a specific symbol?

I've updated the text. The idea is to start with a small set of packages
using the new method in F21 and increase gradually.

> What about packages that currently don't explicitly set any policy
> string (i.e. packages that probably don't care too much about the
> specifics)?  Would this mean adding a call to use "SYSTEM" to these
> packages, or would we change the semantics of the API to use "SYSTEM"
> by default?

I think that we should change the semantics of the API to use the SYSTEM
by default. I've updated the text to reflect that.

regards,
Nikos







