Standa Laznicka wrote:
> Hello,
> 
> Since we're trying to make FreeIPA work in FIPS we got to the point
> where we need to do something with MD5 fingerprints in the cert plugin.
> Eventually we came to a realization that it'd be best to get rid of them
> as a whole. These are counted by the framework and are not stored
> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
> are also counted and those are there to stay.
> 
> The question for this ML is, then - is it OK to remove these or would
> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> grandpa and I think it should go.

I based the values displayed on what certutil displayed at the time (7
years ago). I don't know that anyone uses these fingerprints. The
OpenSSL equivalent doesn't include them by default.

You may be able to deprecate fingerprints altogether.

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to