Stephen Smoogen wrote:
> Basically the problem is that several checksums and types of keys are
> considered highly insecure and will cause problems for large numbers of
> users who have systems which need to meet general security rules in
> various industries. These include the SHA1 and DSA encryption keys and
> there are requirements that operating systems no longer ship these as
> enabled for the operating system to be used in universities, health care,
> etc. Where in the past these sorts of things have been 'given' a long time
> for removal (aka the 10+ years for MD5), my understanding is that these
> are being pushed much faster and harder than before.
And that is exactly what we are complaining about. It is not a reasonable
thing to do to break algorithms that are still in widespread use.
> [Mainly in that continued funding from both public and private
> organizations is tied to audits etc.]
Let the auditors complain all they want, they are not real-world users. The
default configuration must work out of the box. Security extremists can
always locally set some absurdly strict rules that will just not work but
make clueless auditors happy. But they must not be the default.
> The push is going to come in several 'waves' with SHA1 and DSA marked as
> bad now and in 1-2 years, SHA256 and RSA keys below 4096. Like most rapid
> changes, there is always going to be a lot of grit in the gears for
> everyone trying to continue working outside of the change :/
That plan is absolutely unworkable and unacceptable.
Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
