On May 24, 2011, at 1:50 PM, Daniel Pittman wrote:

> On Tue, May 24, 2011 at 06:36, Mark Stanislav <mark.stanis...@gmail.com> wrote:
>> On May 24, 2011, at 1:38 AM, Daniel Pittman wrote:
>>> On Fri, May 20, 2011 at 08:23, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>>> On Fri, May 20, 2011 at 5:39 AM, Mark Stanislav <mark.stanis...@gmail.com> wrote:
> […]
>>> Larger keys, better hashing (probably by adding them as well as md5,
>>> rather than just replacing it, etc.)
>>
>> I really don't know of any reason to implement MD5 at all. It *is* broken
>> and we do have better algorithms to implement. Even if SHA-1 is on its last
>> leg, it's still a step-up. SHA-256 is preferred, though.
>
> Ah. We have a policy of supporting at least two major versions back,
> and would generally prefer not to have to go and patch all the 2.6 and
> 2.7 releases out there when 2.8 moves to a more secure hash. (...or
> 0.25 and 2.6 when 2.7 adds it. ;)
I don't think there should be a compat issue with regard to certificates, as that would be relevant to SSL libraries, which should have fully supported those algorithms for years. I could also be entirely wrong, so feel free to let me know, as I'm speaking from a basic crypto perspective and not with respect to Puppet directly.

> So, it isn't a requirement for any reason other than our desire not to
> make more work for ourselves than we need to; it would also be good to
> get into a mode where we are good at changing the hash; SHA
> derivatives won't last forever either.

NIST is still working on the AHS candidates, and the timeline pushes it out until 2013 to likely 'implement' it as a new standard (at least formally). SHA 256/384/512 are going to be plenty sustainable for this time period and the foreseeable future.

-Mark

> Regards,
> Daniel
> --
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ✉ Daniel Pittman <dan...@puppetlabs.com>
> ✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
> ♲ Made with 100 percent post-consumer electrons
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
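As an added example (not code from this thread or from Puppet's own CA), a small Ruby audit in the spirit of the discussion above: it reads a PEM certificate, reports which digest signed it, and flags MD5 and SHA-1 signatures while accepting SHA-256. The `self_signed_cert` helper, the constant name and the subject CN are assumptions used only to construct input for the demo.

```ruby
require 'openssl'

# Signature digests the thread treats as broken (MD5) or on its last
# leg (SHA-1); anything else in the SHA-2 family is accepted.
WEAK_SIGNATURE_ALGORITHMS = %w[
  md5WithRSAEncryption
  sha1WithRSAEncryption
].freeze

# True when an OpenSSL long-name signature algorithm uses a weak digest.
def weak_signature_algorithm?(name)
  WEAK_SIGNATURE_ALGORITHMS.include?(name)
end

# Parse a PEM certificate and report which digest signed it.
# Returns { algorithm: String, weak: true/false }.
def audit_pem(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  algorithm = cert.signature_algorithm
  { algorithm: algorithm, weak: weak_signature_algorithm?(algorithm) }
end

# Hypothetical helper (not Puppet's CA code): builds a throwaway
# self-signed certificate signed with the given digest so the audit
# has constructed input to run on.
def self_signed_cert(digest)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=constructed-agent.example')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, digest)
  cert
end

if __FILE__ == $PROGRAM_NAME
  # Stand-alone run: audit a freshly built SHA-256 certificate.
  result = audit_pem(self_signed_cert(OpenSSL::Digest.new('SHA256')).to_pem)
  puts "#{result[:algorithm]} weak=#{result[:weak]}"
end
```

Point `audit_pem` at the PEM files under an agent's or master's ssldir to see which signing digest each existing certificate carries.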