Standa Laznicka wrote:
> Since we're trying to make FreeIPA work in FIPS we got to the point
> where we need to do something with MD5 fingerprints in the cert plugin.
> Eventually we came to a realization that it'd be best to get rid of them
> as a whole. These are counted by the framework and are not stored
> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
> are also counted and those are there to stay.
> The question for this ML is, then - is it OK to remove these or would
> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> grandpa and I think it should go.
I based the values displayed on what certutil displayed at the time (7
years ago). I don't know that anyone uses these fingerprints. The
OpenSSL equivalent doesn't include them by default.
You may be able to deprecate fingerprints altogether.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code