Re: F37 Proposal: Strong crypto settings: phase 3, forewarning 1/2 (System-Wide Change proposal)

On Mon, May 2, 2022 at 12:54 PM Kevin P. Fleming <kpfleming@xxxxxxxxxx> wrote:

> In a similar (parallel) discussion related to future RHEL, it has been found this change also breaks resolution of many DNSSEC-secured domains which are still using SHA1 signatures. It is impossible to know how long it will be before those domains upgrade to better signatures, and at the moment it's rather challenging for resolvers to be able to determine that the resolution failure was caused by local policy instead of an actual invalid signature.

It has been some time since I saw a report, but a few years ago >200 TLDs were using SHA-1. And while all have been encouraged to change (ICANN, among others, have been pointing out that while SHA-1, today, is not entirely broken, it could end up being some future emergency deprecation, and when the root itself was signed it started with SHA-256), change tends to be slow when the domain administrator wants to be sure not to break existing usage.

I think you have pointed out an important issue in that unless the app implements a lot of the logic to validate the entire chain they are likely to just break, and not produce useful warnings, and having (for example) OpenSSL produce the warnings is differently problematic (to where should the message go, for example). There is really no good answer here, as continuing to use crypto policies that are known (or should be known) to be weak is not a good answer either (heck, there are still apps using DES). Damned if you want to be (more) secure, damned if you want to be insecure. I prefer to be damned for being secure, but I do understand there are others who prefer otherwise.

Gary
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
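The thread's practical problem is that a zone signed with a SHA-1-based DNSSEC algorithm will simply stop validating once the crypto-policy disables SHA-1 signatures, with no hint that local policy rather than a bad signature is to blame. A zone or resolver administrator can get ahead of that by inspecting the algorithm numbers in the DNSKEY, DS and RRSIG records they publish or depend on. The script below is an added example, not code from this thread, Fedora or the crypto-policies project: it parses records in standard presentation format (the layout `dig` prints), looks up the algorithm number against the IANA DNSSEC algorithm registry, and reports every record whose algorithm relies on SHA-1 (or MD5). The sample records are constructed under the `.test` TLD and the key material in them is placeholder text, not real keys or signatures.

```python
"""Audit DNSSEC records for SHA-1-based signing algorithms (added example)."""
from typing import Dict, List, NamedTuple, Optional

# DNSSEC algorithm numbers from the IANA registry
# (RFC 4034, RFC 5155, RFC 5702, RFC 6605, RFC 8080).
DNSSEC_ALGORITHMS: Dict[int, str] = {
    1: "RSAMD5",
    3: "DSA",
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    12: "ECC-GOST",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# Algorithms whose signatures hash with SHA-1 (or MD5). A system-wide
# crypto-policy that rejects SHA-1 signatures leaves zones signed with
# these unvalidatable, which is the breakage discussed in the thread.
SHA1_BASED = {1, 3, 5, 6, 7}

# Position of the algorithm field within the RDATA of each record type:
#   DNSKEY: flags protocol algorithm public-key
#   DS:     key-tag algorithm digest-type digest
#   RRSIG:  type-covered algorithm labels orig-ttl expiration inception
#           key-tag signer signature
ALGO_FIELD_INDEX = {"DNSKEY": 2, "DS": 1, "RRSIG": 1}


class Finding(NamedTuple):
    owner: str
    rrtype: str
    algorithm: int
    name: str


def parse_record(line: str) -> Optional[Finding]:
    """Return the algorithm used by a DNSKEY/DS/RRSIG record, or None for
    comments, blank lines and record types without a DNSSEC algorithm."""
    line = line.strip()
    if not line or line.startswith(";"):
        return None
    tokens = line.split()
    # Expect "owner TTL IN TYPE rdata..."; anything shorter is not a record.
    if len(tokens) < 5 or tokens[2] != "IN":
        return None
    owner, rrtype = tokens[0], tokens[3]
    idx = ALGO_FIELD_INDEX.get(rrtype)
    if idx is None:
        return None
    rdata = tokens[4:]
    try:
        algorithm = int(rdata[idx])
    except (IndexError, ValueError):
        return None
    name = DNSSEC_ALGORITHMS.get(algorithm, f"UNASSIGNED({algorithm})")
    return Finding(owner, rrtype, algorithm, name)


def find_sha1_records(lines: List[str]) -> List[Finding]:
    """Return every DNSKEY/DS/RRSIG record that uses a SHA-1-based algorithm."""
    findings = (parse_record(line) for line in lines)
    return [f for f in findings if f is not None and f.algorithm in SHA1_BASED]


# Constructed sample: one zone still on RSASHA1-NSEC3-SHA1 (algorithm 7),
# one already on ECDSAP256SHA256 (algorithm 13). Keys/signatures are placeholders.
SAMPLE_RECORDS = [
    "; constructed sample records, not real zone data",
    "example.test. 3600 IN DNSKEY 257 3 7 PLACEHOLDERKSKBASE64==",
    "example.test. 3600 IN DNSKEY 256 3 7 PLACEHOLDERZSKBASE64==",
    "example.test. 3600 IN RRSIG A 7 2 3600 20220601000000 20220502000000 "
    "12345 example.test. PLACEHOLDERSIGNATURE==",
    "example.test. 86400 IN DS 12345 7 2 0123456789ABCDEF0123456789ABCDEF"
    "0123456789ABCDEF0123456789ABCDEF",
    "modern.test. 3600 IN DNSKEY 257 3 13 PLACEHOLDERP256KEY==",
    "modern.test. 3600 IN RRSIG A 13 2 3600 20220601000000 20220502000000 "
    "54321 modern.test. PLACEHOLDERSIGNATURE==",
    "modern.test. 3600 IN A 192.0.2.1",
]

if __name__ == "__main__":
    for f in find_sha1_records(SAMPLE_RECORDS):
        print(f"{f.owner} {f.rrtype}: algorithm {f.algorithm} ({f.name}) relies on SHA-1")
```

Run against a real dump (`dig +dnssec example.com DNSKEY`, `dig example.com DS`, or a signed zone file), the report tells you before the policy changes which zones will stop validating; a zone that appears here needs a key rollover to algorithm 8, 13 or 15 rather than a resolver-side exception.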