Issue #6663 has been updated by micah -.
Not only is the default keylength for the CA 1024 bits, the default hash is MD5. The german BSI[1] produces a yearly document[2] that defines which algorithms should be save for usage over the next five years. This document rules out MD5, SHA-1 and RIPEMD-160 for hashing and key sizes < 1976 bits for RSA keys right now. Please update the default settings to something save for the time of the default TTL (five years). [1]: Bundesamt für Sicherheit in der Informationstechnik [2]: http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFile/10008/2011AlgoKatpdf.pdf ---------------------------------------- Bug #6663: puppet.conf says keylength defaults to 1024 -- should be 2048 https://projects.puppetlabs.com/issues/6663 Author: micah - Status: Investigating Priority: Normal Assignee: Category: SSL Target version: Affected Puppet version: Keywords: Branch: puppet.conf(5) says that the keylength parameter defaults to 1024 bits for new RSA keys. It should default to 2048, not 1024, there are a number of reasons for this: * many free software crypto tools are defaulting to 2048-bit keys now (e.g. OpenSSH, GnuPG) * NIST has recommended avoiding reliance on 1024-bit keys after the end of 2010 * you can compare other comparable standards at http://keylength.com/ Considering that generated certificates are expected to be around for at least the lifetime of the server itself, setting a reasonable bit-length key from the beginning is pretty important, especially if the server might be expected to be around for some years from now... You might argue that this is a feature request, but I would like to pre-empt that argument. Now that we are well beyond the NIST recommendation, this is a bug now days. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
