On Tue, 2014-03-04 at 17:19 +0100, Miloslav Trmač wrote:
> 2014-02-27 17:22 GMT+01:00 Jaroslav Reznik <jreznik(a)redhat.com>:
>> = Proposed System Wide Change: System-wide crypto policy =
>> https://fedoraproject.org/wiki/Changes/CryptoPolicy
>> Unify the crypto policies used by different applications and libraries.
>
> Is this for TLS only? The description suggests this, but it's not
> explicit.
I've made it explicit, thanks.
> The above proposed levels broadly make sense (taking 80/128/256 as
> "nice round numbers" that stand for detailed strengths), we would
> probably want to explicitly document the semantics (Is the semantics
> of a level fixed forever or will it be updated? Will we remove a weak
> cipher from an existing level (ever / during a single Fedora release)?
> Will we add a cipher to a level (ever / during a single Fedora
> release)?).
Would that be required to be part of the fedora change? I'd prefer if
the semantics are not fixed before the actual levels are fixed.
>> * Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher
>> needs to be understood and behave as described. For NSS the
>> NSS_SetDomesticPolicy() can be overloaded to behave as above.
>
> Please update the NSS part with the current proposal (based on our
> discussion).
Updated.
>> * Other developers: Packages that use SSL crypto libraries
>> should, after the previous change is complete, start replacing
>> the default cipher strings with SYSTEM.
>
> How can we find out which packages would be affected? Anything that
> requires the library, or only users that refer to a specific symbol?
I've updated the text. The idea is to start with a small set of packages
using the new method in F21 and increase gradually.
> What about packages that currently don't explicitly set any policy
> string (i.e. packages that probably don't care too much about the
> specifics)? Would this mean adding a call to use "SYSTEM" to these
> packages, or would we change the semantics of the API to use "SYSTEM"
> by default?
I think that we should change the semantics of the API to use the SYSTEM
by default. I've updated the text to reflect that.
regards,
Nikos
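The thread asks what a policy level such as 80/128/256 actually means and whether that meaning is fixed. The script below is an added illustration (not code from the Fedora Change, GnuTLS, OpenSSL or NSS) of one literal reading: a level is a security strength in bits, each TLS parameter set is only as strong as its weakest component, and the key-size equivalences come from NIST SP 800-57 Part 1. The level names LEGACY/DEFAULT/FUTURE and the sample parameter sets are constructed assumptions.

```python
"""Toy model of strength-based crypto policy levels (added example, not
the Fedora Change's implementation).  Level names and sample suites are
assumed; the size-to-strength table follows NIST SP 800-57 Part 1."""
from dataclasses import dataclass
from typing import List

# Security strength in bits -> minimum sizes for symmetric keys ("sym"),
# RSA/DH moduli ("ffc") and elliptic-curve orders ("ecc"), per SP 800-57.
_EQUIV = {
    80:  {"sym": 80,  "ffc": 1024,  "ecc": 160},
    112: {"sym": 112, "ffc": 2048,  "ecc": 224},
    128: {"sym": 128, "ffc": 3072,  "ecc": 256},
    192: {"sym": 192, "ffc": 7680,  "ecc": 384},
    256: {"sym": 256, "ffc": 15360, "ecc": 512},
}

# Assumed level names, mapped to the "nice round numbers" from the thread.
LEVELS = {"LEGACY": 80, "DEFAULT": 128, "FUTURE": 256}


@dataclass(frozen=True)
class TlsParams:
    """One negotiable TLS parameter set (constructed description)."""
    name: str
    sym_bits: int          # bulk cipher key size
    ffc_bits: int = 0      # RSA/DH key size, 0 if not used
    ecc_bits: int = 0      # ECDHE/ECDSA curve size, 0 if not used
    broken: bool = False   # known-broken primitive, never allowed


def component_strength(kind: str, size: int) -> int:
    """Largest strength level whose minimum size for `kind` is met by `size`."""
    return max((bits for bits, req in _EQUIV.items() if size >= req[kind]),
               default=0)


def strength(p: TlsParams) -> int:
    """Effective strength is that of the weakest component in use."""
    if p.broken:
        return 0
    parts = [component_strength("sym", p.sym_bits)]
    if p.ffc_bits:
        parts.append(component_strength("ffc", p.ffc_bits))
    if p.ecc_bits:
        parts.append(component_strength("ecc", p.ecc_bits))
    return min(parts)


def allowed_at(level: str, suites: List[TlsParams]) -> List[str]:
    """Names of the parameter sets a given policy level would permit."""
    need = LEVELS[level]
    return [p.name for p in suites if strength(p) >= need]


# Constructed sample parameter sets spanning the interesting cases.
SAMPLE = [
    TlsParams("RC4-SHA/RSA-2048", sym_bits=128, ffc_bits=2048, broken=True),
    TlsParams("DHE-1024/AES-128-GCM", sym_bits=128, ffc_bits=1024),
    TlsParams("RSA-2048/AES-128-GCM", sym_bits=128, ffc_bits=2048),
    TlsParams("ECDHE-P384/AES-256-GCM", sym_bits=256, ecc_bits=384),
    TlsParams("ECDHE-P521/AES-256-GCM", sym_bits=256, ecc_bits=521),
]

if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:8} ({LEVELS[level]:3}-bit): {allowed_at(level, SAMPLE)}")
```

Read literally, a 128-bit level already excludes RSA-2048 (a 112-bit key by the SP 800-57 table) even with AES-128, while a real policy would normally round that up; that gap between the strict model and what a distribution actually ships is exactly why the thread asks for the semantics of each level to be documented explicitly.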