On Feb 27, 2014 8:25 AM, "Jaroslav Reznik" <jrez...@redhat.com> wrote:
>
> = Proposed System Wide Change: System-wide crypto policy =
> https://fedoraproject.org/wiki/Changes/CryptoPolicy
>
> == Detailed Description ==
> The idea is to have some predefined security levels such as LEVEL-80,
> LEVEL-128, LEVEL-256,
> or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256. These will be the
> security levels
> that the administrator of the system will be able to configure by modifying
> /usr/lib/crypto-profiles/config
> /etc/crypto-profiles/config
>
> and being applied after executing update-crypto-profiles.
> (Note: it would be better to have a daemon that watches those files and
> runs update-crypto-profiles automatically)
>
> After that the administrator should be assured that any application
> that uses the system settings will follow a policy that adheres to
> the configured profile.
>
> Ideally setting a profile should be setting:
> * the acceptable TLS/SSL (and DTLS) versions
> * the acceptable ciphersuites and the preferred order
> * acceptable parameters in certificates and key exchange, i.e.:
> ** the minimum acceptable size of parameters (DH,ECDH,RSA,DSA,ECDSA)
> ** the acceptable elliptic curves (ECDH,ECDSA)
> ** the acceptable signature hash functions
> * other TLS options such as:
> ** safe renegotiation
>

Does this configuration limit the algorithms that are available or only the options that can be given to those algorithms or only the default values of those algorithms?

-Toshio
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
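
The three readings distinguished in the question above (defaults only, limits on options, limits on available algorithms) lead to different effective settings for the same application. The sketch below is an added example, not part of the thread or of any Fedora tool; the profile contents, the sample request, and the names `Profile`, `LEVEL_128`, `LEGACY_REQUEST` and `resolve` are assumptions made for illustration, and it does not state which reading the proposal adopts.

```python
# Added illustration. Profile contents and all names are assumptions,
# not taken from the proposal or from any Fedora tool.
from dataclasses import dataclass

TLS_ORDER = ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"]  # oldest to newest

@dataclass(frozen=True)
class Profile:
    min_tls: str
    ciphers: tuple       # acceptable ciphersuites, preferred first
    min_rsa_bits: int

# Constructed stand-in for a "LEVEL-128" profile.
LEVEL_128 = Profile(
    min_tls="TLS1.2",
    ciphers=("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"),
    min_rsa_bits=3072,
)

# Constructed request from a legacy application.
LEGACY_REQUEST = {
    "min_tls": "TLS1.0",
    "min_rsa_bits": 1024,
    "ciphers": ("RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"),
}

def resolve(profile, request, mode):
    """Effective settings for `request` under one reading of the profile.

    "defaults":   the profile only fills in what the application left unset.
    "options":    parameters are also clamped to the profile's minimums.
    "algorithms": additionally, suites outside the profile are unavailable.
    """
    if mode not in ("defaults", "options", "algorithms"):
        raise ValueError(f"unknown mode: {mode}")
    tls = request.get("min_tls", profile.min_tls)
    rsa = request.get("min_rsa_bits", profile.min_rsa_bits)
    ciphers = tuple(request.get("ciphers", profile.ciphers))
    if mode != "defaults":
        tls = max(tls, profile.min_tls, key=TLS_ORDER.index)
        rsa = max(rsa, profile.min_rsa_bits)
    if mode == "algorithms":
        # Keep the profile's preference order, drop everything it does not list.
        ciphers = tuple(c for c in profile.ciphers if c in ciphers)
        if not ciphers:
            raise ValueError("no requested ciphersuite is allowed by the profile")
    return {"min_tls": tls, "min_rsa_bits": rsa, "ciphers": ciphers}
```

Under "defaults" the legacy request passes through unchanged, under "options" it keeps RC4-SHA but is raised to TLS1.2 and 3072-bit RSA, and only under "algorithms" is RC4-SHA removed.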