As a partial answer to this, work has been ongoing to fully support ECC in Dogtag. Attached is a most likely out-of-date wiki page detailing ECC support in Dogtag.
https://pki.fedoraproject.org/wiki/ECC_in_Dogtag

If I recall correctly, we are somewhere around phase 3.

Ade

On Fri, 2013-09-20 at 11:48 -0400, Dmitri Pal wrote:
> On 09/18/2013 01:53 PM, mees virk wrote:
> > I do not have a valid support contract, or other contracts with
> > RedHat. Doesn't that stop me from opening proper RFE ticket?
> >
> > In any case, my interest was this time solely for evaluation
> > purposes. If I were actively choosing an integrated identity
> > management product, I might not choose Freeipa because it takes the
> > longevity of the product and the development stance (lack of
> > roadmap?) into question.
> >
>
> I wonder where the lack of roadmap came from?
> http://www.freeipa.org/page/Roadmap
> So the trac system we use gives a good view of the dynamics of the
> project
> https://fedorahosted.org/freeipa/roadmap
>
> However IMO disconnect in expectations is that support of the ECC is
> not exactly FreeIPA's problem (yet).
> It needs to be implemented by the lower levels of the stack first:
> NSS, Dogtag etc.
> We have plans for support of the certs for users and we understand
> that RSA becomes outdated.
> Your RFE would allow us to track your specific requirements and
> interest (and make it our problem).
>
> Right now the position is that: let the underlying components grow ECC
> support and consume this functionality in FreeIPA when it matures.
> Filing an RFE would change this dynamics and would signal us that
> there is interest in the community in the actual end point solution,
> i.e. FreeIPA supporting ECC.
>
> Thanks!
>
> >
> > RSA is slowly getting into slippery slope, because it really isn't
> > about what it's worth today. When you protect something with a
> > cryptographic algorithm you have to take account for how long
> > certain types of data will be stored, and factor that time frame in.
> > Increasing the key sizes will not be solution, because several
> > embedded devices such as VPN products, smartcards and RFID devices
> > will start failing pretty fast after 1024-2048 bit keys.
> >
> > ECC was designed to solve some of these issues; it's important
> > development not mostly because of security today but because it will
> > scale better up (it was designed to be implementable better on
> > hardware), and the key sizes start from nicer point of security vs
> > size. So it's the feature that would future proof the CA. At this
> > moment there is available ECC support on some products on all the
> > areas such as smart cards, so the products not having that option
> > out of the box will start basically losing in the competition.
> >
> > I'm not trying to make a technical point here (if I made some minor
> > error there, sorry) but a managerial, and from product management
> > viewpoint. ECC must be on the feature set, or the CA features will
> > be discarded in the future by potential users. That means the
> > Freeipa as a whole might not be selected for some projects. Plus, it
> > doesn't really hurt having ECC in. :)
> >
> >
> > ____________________________________________________________________
> >
> >
> > IPA uses NSS, NSS support of ECC algorithms is very fresh, we have
> > not looked at this area yet.
> > I suspect it would require changes in Dogtag first.
> >
> > Would be best if you can file an RFE ticket, then we would be able
> > to follow up.
> >
> >
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users