On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
> On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> > On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> > > Standa Laznicka wrote:
> > > > Hello,
> > > >
> > > > Since we're trying to make FreeIPA work in FIPS we got to the point
> > > > where we need to do something with MD5 fingerprints in the cert plugin.
> > > > Eventually we came to a realization that it'd be best to get rid of them
> > > > as a whole. These are counted by the framework and are not stored
> > > > anywhere. Note that alongside these fingerprints SHA1 fingerprints
> > > > are also counted and those are there to stay.
> > > >
> > > > The question for this ML is, then - is it OK to remove these or would
> > > > you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> > > > grandpa and I think it should go.
> > > I based the values displayed on what certutil displayed at the time (7
> > > years ago). I don't know that anyone uses these fingerprints. The
> > > OpenSSL equivalent doesn't include them by default.
> > >
> > > You may be able to deprecate fingerprints altogether.
> > >
> > > rob
> > I think it's useful to display the certificate's fingerprint. I'm in
> > favor of removing md5 and adding sha256 instead.
> >
> Rob, thank you for sharing the information on where the cert fingerprints
> originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
> SHA-256 and SHA1 fingerprints for certificates so I propose going that way
> too.
>
IMO we should remove MD5 and SHA-1, and add SHA-256. But we should also make
no API stability guarantee w.r.t. the fingerprint attributes, i.e. to allow
us to move to newer digests in future (and remove broken/no-longer-secure
ones). We should advise that if a customer has a hard requirement on a
particular digest that they should compute it themselves from the
certificate.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
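The advice at the end of the thread, that a client with a hard requirement on a particular digest should compute the fingerprint itself from the certificate, is what the following script does. It is an added example for this page, not code from the thread or from FreeIPA: a certificate fingerprint is simply a digest over the certificate's DER bytes, formatted as colon-separated hex the way certutil prints it under the "SHA-256" and "SHA1" labels mentioned above. The function names, the decision to refuse MD5 outright, and the embedded SAMPLE_PEM (a constructed five-byte DER SEQUENCE standing in for a real certificate) are all assumptions of this example; only the standard library is used.

```python
"""Compute X.509 certificate fingerprints client-side, for a client that
cannot rely on the server publishing a particular digest.
Added example; not FreeIPA code."""
import base64
import hashlib
import hmac
import re

# Digests a client may ask for.  MD5 is deliberately absent: it is not
# available under FIPS and is not a trustworthy identifier for a cert.
SUPPORTED_DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the first certificate body.
    Whitespace and line wrapping inside the body are irrelevant, so the
    fingerprint is the same however the PEM was reflowed."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)


def format_fingerprint(digest: bytes) -> str:
    """Colon-separated upper-case hex, the layout certutil prints."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint(der: bytes, algo: str) -> str:
    """Fingerprint = digest over the raw DER bytes (the whole Certificate
    structure, signature included), not over any parsed field."""
    try:
        h = SUPPORTED_DIGESTS[algo.lower()]
    except KeyError:
        raise ValueError(f"unsupported or disallowed digest: {algo}") from None
    return format_fingerprint(h(der).digest())


def cert_fingerprints(pem: str) -> dict:
    """Every fingerprint this example supports, keyed by certutil's labels."""
    der = pem_to_der(pem)
    return {"SHA-256": fingerprint(der, "sha256"),
            "SHA1": fingerprint(der, "sha1")}


def fingerprint_matches(pem: str, algo: str, expected: str) -> bool:
    """Pin check: does the cert match a fingerprint the client was given?
    Tolerates upper/lower case and missing colons; compares in constant
    time so a mismatch position does not leak through timing."""
    want = re.sub(r"[^0-9a-fA-F]", "", expected).upper()
    got = fingerprint(pem_to_der(pem), algo).replace(":", "")
    return hmac.compare_digest(want, got)


# Constructed stand-in for a certificate: base64 of the five DER bytes
# 30 03 02 01 01 (a SEQUENCE holding INTEGER 1).  It is not a real
# certificate; the hashing does not care, which is exactly the point.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for label, fp in cert_fingerprints(SAMPLE_PEM).items():
        print(f"Fingerprint ({label}):\n    {fp}")
```

Point it at a real PEM file by reading the file into `cert_fingerprints`; the SHA-256 line will match `certutil -L -n <nick>` and `openssl x509 -noout -fingerprint -sha256` byte for byte, because all three hash the same DER. Asking for `md5` raises rather than silently degrading, which is the behaviour a FIPS-mode client wants.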