On 09/18/2013 11:53 AM, mees virk wrote:
> I do not have a valid support contract, or other contracts with
> RedHat. Doesn't that stop me from opening a proper RFE ticket?

Not at all - https://fedorahosted.org/freeipa/newticket - depending on
what you mean by "proper".

> In any case, my interest was this time solely for evaluation purposes.
> If I were actively choosing an integrated identity management product,
> I might not choose Freeipa because it takes the longevity of the
> product and the development stance (lack of roadmap?) into question.
> RSA is slowly getting onto a slippery slope, because it really isn't
> about what it's worth today. When you protect something with a
> cryptographic algorithm you have to take into account how long certain
> types of data will be stored, and factor that time frame in.
> Increasing the key sizes will not be a solution, because several
> embedded devices such as VPN products, smartcards and RFID devices
> will start failing pretty fast after 1024-2048 bit keys.
> ECC was designed to solve some of these issues; it's an important
> development not mostly because of security today but because it will
> scale up better (it was designed to be implementable better on
> hardware), and the key sizes start from a nicer point of security vs
> size. So it's the feature that would future-proof the CA. At this
> moment there is available ECC support on some products on all the
> areas such as smart cards, so the products not having that option out
> of the box will start basically losing in the competition.
> I'm not trying to make a technical point here (if I made some minor
> error there, sorry) but a managerial, and from product management
> viewpoint. ECC must be on the feature set, or the CA features will be
> discarded in the future by potential users. That means the Freeipa as
> a whole might not be selected for some projects. Plus, it doesn't
> really hurt having ECC in. :)
> ------------------------------------------------------------------------
> > IPA uses NSS, NSS support of ECC algorithms is very fresh, we have not
> > looked at this area yet.
> > I suspect it would require changes in Dogtag first.
> > Would be best if you can file an RFE ticket, then we would be able to
> > follow up.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users