On Fri, May 20, 2011 at 5:39 AM, Mark Stanislav <mark.stanis...@gmail.com> wrote:

> Hi Micah,
>
> In short, I'm in agreement with you. With the CA which is defaulted to 5
> years (not at all surprising) there's no doubt that soon (maybe 2.7 is a
> good time?) that 2048 key size should be used for at least the CA key, if
> not default for client key generation as well. Secondly, yes, I don't know
> why MD5 would be the hashing algorithm of choice in this case either.
>
> As I recall last year, most major root CAs went to 2048 last year to not
> anger the NIST recommendation.
> We will do this for 2.7.x unless we get major pushback from the community.
>
> -Mark
>
> On May 19, 2011, at 11:07 PM, Micah Anderson wrote:
>
> >
> > Hi all,
> >
> > I would like to start a discussion about changing the default key length
> > from 1024 bits to 2048, and am interested to know if this might cause
> > any issues for people.
> >
> > puppet.conf(5) says that the keylength parameter defaults to 1024 bits
> > for new RSA keys.
> >
> > There are many reasons why 1024 bits is just not good enough nowadays:
> >
> > . many free software crypto tools are defaulting to 2048-bit keys now
> > (e.g. OpenSSH, GnuPG)
> >
> > . NIST has recommended avoiding reliance on 1024-bit keys after the end
> > of 2010
> >
> > you can compare other comparable standards at http://keylength.com/
> >
> > Considering that generated certificates are expected to be around for at
> > least the lifetime of the server itself, setting a reasonable bit-length
> > key from the beginning is pretty important, especially if the server
> > might be expected to be around for some years from now…
> >
> > Not only is the default keylength for the CA 1024 bits, the default hash
> > is MD5.
> >
> > The German BSI1 produces a yearly document[0] that defines which
> > algorithms should be safe for usage over the next five years. This
> > document rules out MD5, SHA-1 and RIPEMD-160 for hashing and key sizes <
> > 1976 bits for RSA keys right now.
> >
> > Now that we are well beyond the NIST recommendation, this seems to be a
> > bug, and I filed it as such[1]. However, I'm throwing this out there to
> > see if this might be an issue for anyone, such as on older
> > distributions.
> >
> > discuss!
> > micah
> >
> >
> > 0. http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFile/10008/2011AlgoKatpdf.pdf
> > 1. https://projects.puppetlabs.com/issues/6663
> >
> > --
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>

--
Nigel Kersten
Product, Puppet Labs
@nigelkersten
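A practical follow-up to the thread above, as an added example that is not part of the original messages and not Puppet's own code: raising `keylength` to 2048 in puppet.conf only affects keys generated after the change, so the existing CA and agent certificates (1024-bit, MD5-signed by the defaults Micah describes) stay weak until they are regenerated. The Ruby script below audits an existing Puppet SSL directory for exactly the two problems the thread raises, using the thresholds its references give (NIST: nothing below 2048-bit RSA; the BSI catalogue: no MD5 or SHA-1). It assumes the usual layout of `certs/*.pem` and `ca/ca_crt.pem` under `$ssldir`, and the default path `/var/lib/puppet/ssl` is a guess to adjust for your installation. The digest setting for CA signing is not covered by this script; check puppet.conf(5) for your version to see what it exposes.

```ruby
#!/usr/bin/env ruby
# Added example, not Puppet's own code: audit an existing Puppet SSL tree for
# the two weaknesses the thread discusses, RSA keys shorter than 2048 bits and
# certificates signed with MD5 (or SHA-1). Changing `keylength` in puppet.conf
# only affects keys generated afterwards, so this tells you which existing
# certs still need to be regenerated. The directory layout (certs/*.pem and
# ca/ca_crt.pem under $ssldir) is assumed; adjust it to your installation.
require 'openssl'

MIN_RSA_BITS = 2048                  # NIST: no reliance on 1024-bit RSA after 2010
WEAK_DIGESTS = %w[md5 sha1].freeze   # both ruled out by the BSI catalogue cited above

# True when an X.509 signature algorithm name uses a digest we treat as weak,
# e.g. "md5WithRSAEncryption" or "sha1WithRSAEncryption".
def weak_signature?(signature_algorithm)
  name = signature_algorithm.downcase
  WEAK_DIGESTS.any? { |digest| name.include?(digest) }
end

# Inspect one parsed certificate. Returns a hash of what was found plus a list
# of findings; an empty :findings array means the cert passes both checks.
def assess_certificate(cert)
  key = cert.public_key
  bits = key.is_a?(OpenSSL::PKey::RSA) ? key.n.num_bits : nil   # nil for non-RSA keys
  findings = []
  findings << "RSA key is #{bits} bits (< #{MIN_RSA_BITS})" if bits && bits < MIN_RSA_BITS
  findings << "signed with #{cert.signature_algorithm}" if weak_signature?(cert.signature_algorithm)
  { subject: cert.subject.to_s, bits: bits, signature: cert.signature_algorithm, findings: findings }
end

# Same check starting from PEM text, as read from disk.
def assess_pem(pem)
  assess_certificate(OpenSSL::X509::Certificate.new(pem))
end

# Walk the assumed Puppet SSL layout and assess every certificate found.
# Returns [[path, result], ...]; missing directories simply yield nothing.
def audit_ssldir(ssldir)
  paths = Dir.glob(File.join(ssldir, 'certs', '*.pem')) + [File.join(ssldir, 'ca', 'ca_crt.pem')]
  paths.uniq.select { |p| File.file?(p) }.map { |p| [p, assess_pem(File.read(p))] }
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby audit_puppet_ssl.rb [ssldir]; the default path is a guess.
  audit_ssldir(ARGV[0] || '/var/lib/puppet/ssl').each do |path, r|
    status = r[:findings].empty? ? 'ok  ' : 'WEAK'
    puts "#{status} #{path}: #{r[:bits]}-bit #{r[:signature]} #{r[:findings].join('; ')}"
  end
end
```

Run it against the CA host first, since a weak CA key or an MD5-signed CA certificate undermines every agent certificate it has issued, whatever the agents' own key sizes. Once `keylength = 2048` is in place, regenerate the CA and re-sign the agents, then rerun the audit until nothing is reported as WEAK.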