On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> Hello,
>>
>> Since we're trying to make FreeIPA work in FIPS we got to the point
>> where we need to do something with MD5 fingerprints in the cert plugin.
>> Eventually we came to a realization that it'd be best to get rid of them
>> as a whole. These are counted by the framework and are not stored
>> anywhere. Note that alongside these fingerprints SHA1 fingerprints
>> are also counted and those are there to stay.
>>
>> The question for this ML is, then - is it OK to remove these or would
>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>> grandpa and I think it should go.
> I based the values displayed on what certutil displayed at the time (7
> years ago). I don't know that anyone uses these fingerprints. The
> OpenSSL equivalent doesn't include them by default.
>
> You may be able to deprecate fingerprints altogether.
>
> rob

I think it's useful to display the certificate's fingerprint. I'm in favor of removing md5 and adding sha256 instead.

-- Tomas Krizek