On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> Hello,
>> Since we're trying to make FreeIPA work in FIPS we got to the point
>> where we need to do something with MD5 fingerprints in the cert plugin.
>> Eventually we came to a realization that it'd be best to get rid of them
>> as a whole. These are counted by the framework and are not stored
>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>> are also counted and those are there to stay.
>> The question for this ML is, then - is it OK to remove these or would
>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>> grandpa and I think it should go.
> I based the values displayed on what certutil displayed at the time (7
> years ago). I don't know that anyone uses these fingerprints. The
> OpenSSL equivalent doesn't include them by default.
> You may be able to deprecate fingerprints altogether.
> rob
I think it's useful to display the certificate's fingerprint. I'm in
favor of removing md5 and adding sha256 instead.

Tomas Krizek

Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to