Re: F21 System Wide Change: System-wide crypto policy

Jaroslav Reznik (jreznik@xxxxxxxxxx) said: 
> = Proposed System Wide Change: System-wide crypto policy =
> https://fedoraproject.org/wiki/Changes/CryptoPolicy
> 
> Change owner(s): Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>
> 
> Unify the crypto policies used by different applications and libraries. That is 
> allow setting a consistent security level for crypto on all applications in a 
> Fedora system. 
> 
> == Detailed Description ==
> The idea is to have some predefined security levels such as LEVEL-80,
> LEVEL-128, LEVEL-256, or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256.
> These will be the security levels that the administrator of the system will
> be able to configure by modifying
> /usr/lib/crypto-profiles/config
> /etc/crypto-profiles/config
> 
> and they are applied after executing update-crypto-profiles.
> (Note: it would be better to have a daemon that watches those files and
> runs update-crypto-profiles automatically)

How is an admin supposed to know what levels such as the above are, and why
they might choose a particular one?

> * Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be 
> understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be 
> overloaded to behave as above.
> 
> After that a mechanism to specify crypto policies for Fedora has to be 
> devised, as well as the extraction to each libraries' settings.
> 
> * Other developers: Packages that use SSL crypto libraries should, after the 
> previous change is complete, start replacing the default cipher strings with 
> SYSTEM.

This implies a potentially not insignificant local patch load. Am I
misunderstanding it?

Bill
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
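
The proposal quoted above describes a layered configuration (a distribution default under /usr/lib/crypto-profiles/config, an administrator override under /etc/crypto-profiles/config) that update-crypto-profiles turns into per-library settings. The following is an added example modelling that mechanism in Python; it is not Fedora's code and not the change owner's implementation. The key=value file format, the parameters attached to each level, and the OpenSSL/GnuTLS spellings of each cipher are assumptions of this example, chosen to show the shape of the problem rather than Fedora's actual policy content.

```python
"""Illustrative model of a layered system-wide crypto policy (added example).

Not Fedora's crypto-policies code.  Config format, level parameters and
cipher-string spellings are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_rsa_bits: int   # smallest RSA/DH modulus the libraries should accept
    min_hash: str       # weakest signature hash accepted
    ciphers: tuple      # symmetric ciphers allowed, strongest first
    min_tls: str        # lowest TLS version accepted


# Hypothetical level table.  Level names come from the proposal; the numbers
# follow the usual NIST SP 800-57 strength equivalences (80-bit ~ RSA-1024 /
# SHA-1, 128-bit ~ RSA-3072 / SHA-256, 256-bit ~ RSA-15360 / SHA-512) and are
# this example's assumption, not Fedora's definitions.
LEVELS = {
    "LEVEL-80":  Policy(1024,  "SHA1",   ("AES-256-GCM", "AES-128-GCM",
                                          "AES-128-CBC", "3DES-CBC"), "TLS1.0"),
    "LEVEL-128": Policy(3072,  "SHA256", ("AES-256-GCM", "AES-128-GCM"), "TLS1.2"),
    "LEVEL-256": Policy(15360, "SHA512", ("AES-256-GCM",), "TLS1.2"),
}

# Constructed file contents standing in for the two paths named in the proposal.
VENDOR_CONFIG = """
# /usr/lib/crypto-profiles/config -- shipped by the distribution
level = LEVEL-80
"""
ADMIN_CONFIG = """
# /etc/crypto-profiles/config -- edited by the administrator
level = LEVEL-128
"""

# Approximate per-library spellings (assumption).  OpenSSL cipher-list keywords
# joined with '+' require both properties; GnuTLS uses priority-string keywords.
OPENSSL_CIPHER = {"AES-256-GCM": "AES256+AESGCM", "AES-128-GCM": "AES128+AESGCM",
                  "AES-128-CBC": "AES128+SHA1",   "3DES-CBC": "3DES"}
GNUTLS_CIPHER = {"AES-256-GCM": "+AES-256-GCM", "AES-128-GCM": "+AES-128-GCM",
                 "AES-128-CBC": "+AES-128-CBC", "3DES-CBC": "+3DES-CBC"}
OPENSSL_PROTO = {"TLS1.0": "TLSv1", "TLS1.1": "TLSv1.1", "TLS1.2": "TLSv1.2"}
TLS_VERSIONS = ("TLS1.0", "TLS1.1", "TLS1.2")


def parse_config(text):
    """Parse 'key = value' lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def resolve_level(vendor_text, admin_text):
    """Admin file overrides vendor file.  An unknown level is an error rather
    than a silent fallback, so a typo cannot quietly weaken the policy."""
    merged = parse_config(vendor_text)
    merged.update(parse_config(admin_text))
    level = merged.get("level")
    if level not in LEVELS:
        raise ValueError(f"unknown security level: {level!r}")
    return level


def generate(level):
    """What update-crypto-profiles would emit for each library (model)."""
    p = LEVELS[level]
    allowed = TLS_VERSIONS[TLS_VERSIONS.index(p.min_tls):]
    openssl = {
        "CipherString": ":".join([OPENSSL_CIPHER[c] for c in p.ciphers]
                                 + ["!aNULL", "!eNULL"]),
        "MinProtocol": OPENSSL_PROTO[p.min_tls],
    }
    gnutls = {
        "priority": ":".join(["NORMAL", "-CIPHER-ALL"]
                             + [GNUTLS_CIPHER[c] for c in p.ciphers]
                             + ["-VERS-ALL"]
                             + ["+VERS-" + v for v in allowed]),
    }
    # Key-size and hash floors are not expressible in a cipher list; each
    # library needs its own hook for them, which is the harder half of the job.
    limits = {"min_rsa_bits": p.min_rsa_bits, "min_hash": p.min_hash}
    return {"level": level, "openssl": openssl, "gnutls": gnutls, "limits": limits}


if __name__ == "__main__":
    chosen = resolve_level(VENDOR_CONFIG, ADMIN_CONFIG)
    for section, values in generate(chosen).items():
        print(section, values)
```

Two points the model makes concrete: the administrator's file wins over the vendor default, and an unrecognised level fails closed instead of falling back to something weaker. It also shows why the "extraction to each library's settings" step is non-trivial: a cipher list carries the symmetric suite and protocol floor, but the minimum RSA modulus and weakest signature hash that define a level like LEVEL-128 need library-specific configuration beyond the cipher string.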