On 24/05/11 19:50, Daniel Pittman wrote:
> On Tue, May 24, 2011 at 06:36, Mark Stanislav <mark.stanis...@gmail.com> wrote:
>> On May 24, 2011, at 1:38 AM, Daniel Pittman wrote:
>>> On Fri, May 20, 2011 at 08:23, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>>> On Fri, May 20, 2011 at 5:39 AM, Mark Stanislav <mark.stanis...@gmail.com> wrote:
> […]
>>> Larger keys, better hashing (probably by adding them as well as md5,
>>> rather than just replacing it, etc.)
>>
>> I really don't know of any reason to implement MD5 at all. It *is* broken
>> and we do have better algorithms to implement. Even if SHA-1 is on its last
>> leg, it's still a step-up. SHA-256 is preferred, though.
>
> Ah. We have a policy of supporting at least two major versions back,
> and would generally prefer not to have to go and patch all the 2.6 and
> 2.7 releases out there when 2.8 moves to a more secure hash. (...or
> 0.25 and 2.6 when 2.7 adds it. ;)
To my knowledge, Puppet is pretty agnostic regarding certificate content, as everything is handled by the ruby openssl library. I mean even though our full PKI is based on a 2048-bit key with SHA-256, when generating a certificate for a 2.6 or 0.25 client, the client should be able to accept it without code modification (since the whole certificate is not handled by puppet).

My question is more what will be the upgrade path from a 1024-bit certificate PKI to a larger one for our users. Note that I think some users will soon have CAs that will expire. I don't think we yet have a canned solution for this specific issue.

--
Brice Figureau
My Blog: http://www.masterzen.fr/
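An added example, not part of the thread or of Puppet's own code, illustrating the two points above: the key size and signature digest live entirely in the X.509 certificate that ruby's OpenSSL bindings parse and verify, so a quick audit of an existing PKI for 1024-bit moduli or MD5/SHA-1 signatures needs no Puppet code at all. The certificates are generated in-process as constructed samples; the CN, the 2048-bit floor and the "weak digest" list are assumptions for the example.

```ruby
require 'openssl'

WEAK_DIGESTS = %w[md5 sha1].freeze   # digests the thread calls broken / on their last leg
MIN_RSA_BITS = 2048                  # assumed floor; the size the 2048-bit PKI above already uses

# Build a self-signed CA certificate in-process (constructed sample data, so the
# audit runs offline). bits/digest are parameters so one helper yields both a
# legacy-style cert (1024-bit, SHA-1) and a current one (2048-bit, SHA-256).
def build_self_signed_ca(bits, digest)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Puppet CA: example.test')  # hypothetical CN
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(digest))
  [cert, key]
end

# Report what an operator planning the upgrade would want flagged:
# small RSA moduli and weak signature digests. Returns an array of strings
# (empty when the certificate meets the floor).
def audit_cert(cert)
  findings = []
  bits = cert.public_key.n.num_bits
  findings << "RSA modulus is #{bits} bits (minimum #{MIN_RSA_BITS})" if bits < MIN_RSA_BITS
  algo = cert.signature_algorithm            # e.g. "sha1WithRSAEncryption"
  WEAK_DIGESTS.each do |d|
    findings << "signature uses #{algo}" if algo.downcase.start_with?(d)
  end
  findings
end

# Parse the PEM exactly as a client would and check the CA's self-signature.
# Nothing Puppet-specific is involved: only the PEM parse and the verify.
def client_accepts?(pem, ca_cert)
  OpenSSL::X509::Certificate.new(pem).verify(ca_cert.public_key)
end

if __FILE__ == $PROGRAM_NAME
  legacy, _  = build_self_signed_ca(1024, 'SHA1')
  current, _ = build_self_signed_ca(2048, 'SHA256')
  puts "legacy:  #{audit_cert(legacy).inspect}"
  puts "current: #{audit_cert(current).inspect}"
  puts "client accepts current CA: #{client_accepts?(current.to_pem, current)}"
end
```

Pointing audit_cert at the PEM files under an existing ssldir (parsed with OpenSSL::X509::Certificate.new(File.read(path))) gives an inventory of which CA and host certificates would need reissuing before a larger-key rollover.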