On Tue, May 29, 2012 at 11:38 AM, Marvin S. Addison <
marvin.addi...@gmail.com> wrote:

>> I'm not sure that it's a good idea to allow deployers to define by
>> themselves the key size for AES encryption. It can lead to CAS users
>> choosing bad settings in terms of security.
>>
>
> CAS has been very successful with providing sensible defaults while
> allowing deployers to modify relevant settings as needed.  I think
> security policy generally is an area where configuration is warranted.
> What if some deployer requires 512-bit AES?  Of course deployers could
> shoot themselves in the foot, but that's a worthwhile if not requisite
> risk.


It should be rather trivial to force a minimum if we're concerned about
deployers doing something they shouldn't (or even forcing them to
explicitly enable less secure options via some flag).

Cheers,
Scott



>
>
>> Which use cases do you have in mind?
>>
>
> The case where the deployer doesn't want to use PBE to derive the key
> from a passphrase.  We've gone out of our way to create a deployment
> environment where password-based credentials are avoided.  In that view
> it would be preferable to generate a key file with a high-quality random
> device and reference it on the filesystem via Spring's resource
> abstraction.
>
> In any case, I believe it's sufficient for the short term to simply
> default to 128-bit AES and work out the details of ClearPass configuration
> at a later date.
> https://github.com/Jasig/cas/commit/8e2329bc01cc1b134ccb05f8c2e2874f20077904
> resolves the original issue you reported.
>
>
> M
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as:
> scott.battag...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
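
An added example, not part of the original thread and not CAS code: one way to combine the two ideas discussed above, reading a raw key from a file instead of deriving it from a passphrase, and refusing keys below a configured minimum. The class `AesKeyPolicy` and its method names are hypothetical; the size check reflects that AES is defined only for 128-, 192- and 256-bit keys.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper, not part of CAS: loads a raw AES key file and enforces a size floor. */
public final class AesKeyPolicy {
    private final int minimumBits;
    public AesKeyPolicy(int minimumBits) {
        requireAesSize(minimumBits, "Configured minimum");
        this.minimumBits = minimumBits;
    }

    // AES is defined only for 128-, 192- and 256-bit keys; anything else is a configuration error.
    private static void requireAesSize(int bits, String what) {
        if (bits != 128 && bits != 192 && bits != 256) {
            throw new IllegalArgumentException(what + " is " + bits + " bits; AES needs 128, 192 or 256");
        }
    }

    /** Reads raw key bytes from keyFile and returns an AES key if it satisfies the policy. */
    public SecretKey load(Path keyFile) throws IOException {
        byte[] raw = Files.readAllBytes(keyFile);
        int bits = raw.length * 8;
        requireAesSize(bits, "Key file content");
        if (bits < minimumBits) {
            throw new IllegalArgumentException(bits + "-bit key is below the minimum of " + minimumBits);
        }
        return new SecretKeySpec(raw, "AES"); // SecretKeySpec keeps its own copy of the bytes
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: 16 random bytes standing in for a deployer's key file.
        byte[] sample = new byte[16];
        new SecureRandom().nextBytes(sample);
        Path keyFile = Files.createTempFile("aes", ".key");
        try {
            Files.write(keyFile, sample);
            System.out.println("accepted: " + new AesKeyPolicy(128).load(keyFile).getAlgorithm());
            new AesKeyPolicy(256).load(keyFile); // throws: the key is below a 256-bit minimum
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            Files.delete(keyFile);
        }
    }
}
```

Failing at load time keeps a mis-sized or undersized key file from being silently accepted, whatever size the deployer configured.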
