Issue #6663 has been updated by Nigel Kersten.
micah - wrote:
> Nigel Kersten wrote:
> > ping?
>
> oh hi.
>
> To be honest, I don't understand the workflow here. The last time I subscribed
> was to start a community thread about #5604, which I did do, and some people
> responded, but I don't understand how this flows back into the issue itself.
> I'm sure this is somehow my fault, but I don't really understand what I'm
> supposed to do and now that issue, annoying as it is for Debian users, is
> stagnating and I'm not sure what to do about it. I'm a little hesitant to end
> up causing that with this issue, because I'm not sure how I should handle it.

I'll follow that up now. It is difficult, and I welcome suggestions for how to improve it. Sometimes I just don't feel like I have enough information about the potential impact of a change on our community, and it's good to at least seek feedback, as I don't want to be too prescriptive when I'm lacking insight. I've been behind on ticket gardening, but usually I follow up from the thread and update the ticket.

> also, just a side note, please assign tickets to me if you want me to respond
> :)

erk. sorry.

----------------------------------------
Bug #6663: puppet.conf says keylength defaults to 1024 -- should be 2048
https://projects.puppetlabs.com/issues/6663

Author: micah -
Status: Investigating
Priority: Normal
Assignee: micah -
Category: SSL
Target version:
Affected Puppet version:
Keywords:
Branch:

puppet.conf(5) says that the keylength parameter defaults to 1024 bits for new RSA keys. It should default to 2048, not 1024. There are a number of reasons for this:

* many free software crypto tools are defaulting to 2048-bit keys now (e.g. OpenSSH, GnuPG)
* NIST has recommended avoiding reliance on 1024-bit keys after the end of 2010
* you can compare other comparable standards at http://keylength.com/

Considering that generated certificates are expected to be around for at least the lifetime of the server itself, setting a reasonable bit-length key from the beginning is pretty important, especially if the server might be expected to be around for some years from now...

You might argue that this is a feature request, but I would like to pre-empt that argument. Now that we are well beyond the NIST recommendation, this is a bug nowadays.
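The ticket's point is that a host which never sets keylength silently gets the documented 1024-bit default. The following is an added example, not Puppet's code or anything attached to the ticket: it shows a weak puppet.conf beside the corrected one, a small reader that resolves the effective keylength the way [main] / per-section overrides are described in puppet.conf(5) (the parser is a simplification written for this example, not Puppet's settings loader), and a check of the modulus size of a generated key using Ruby's OpenSSL binding rather than Puppet's own SSL code. The config fragments, hostnames and paths are constructed for the example.

```ruby
require 'openssl'

# Minimum RSA modulus size accepted here, per the NIST guidance cited in the ticket.
MIN_RSA_BITS = 2048

# Default documented in puppet.conf(5) at the time of the ticket; used when no
# keylength is set in any relevant section.
DOCUMENTED_DEFAULT = 1024

# Constructed puppet.conf fragments (not from a real host).
# The weak one never sets keylength, so the documented default applies.
WEAK_CONF = <<~CONF
  [main]
  ssldir = /var/lib/puppet/ssl
  [agent]
  server = puppet.example.com
CONF

# The corrected one sets keylength = 2048 in [main], which every section inherits.
FIXED_CONF = <<~CONF
  [main]
  ssldir = /var/lib/puppet/ssl
  keylength = 2048
  [agent]
  server = puppet.example.com
CONF

# Resolves the effective keylength for a section of an INI-style puppet.conf.
# A value set in the named section wins, then [main], then the documented default.
# Simplified parser written for this example (assumption: no interpolation, no
# inline comments on setting lines).
def effective_keylength(conf_text, section = 'agent')
  current = nil
  values = {}
  conf_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
    elsif current && (m = line.match(/\Akeylength\s*=\s*(\d+)\z/))
      values[current] = m[1].to_i
    end
  end
  values[section] || values['main'] || DOCUMENTED_DEFAULT
end

# True when the effective keylength for the section meets the minimum.
def keylength_ok?(conf_text, section = 'agent')
  effective_keylength(conf_text, section) >= MIN_RSA_BITS
end

# Returns the modulus size in bits of a PEM-encoded RSA private key, which is what
# you would check on an existing $ssldir/private_keys/<fqdn>.pem to audit a host.
def rsa_key_bits(pem)
  OpenSSL::PKey::RSA.new(pem).n.num_bits
end

# Generates a fresh RSA key of the requested size (as an agent would with that
# keylength) and reports whether the resulting modulus meets the minimum.
def generate_and_check(bits)
  key = OpenSSL::PKey::RSA.generate(bits)
  rsa_key_bits(key.to_pem) >= MIN_RSA_BITS
end

if __FILE__ == $PROGRAM_NAME
  { 'weak' => WEAK_CONF, 'fixed' => FIXED_CONF }.each do |name, conf|
    bits = effective_keylength(conf)
    verdict = keylength_ok?(conf) ? 'ok' : "TOO SHORT (< #{MIN_RSA_BITS})"
    puts "#{name} puppet.conf: effective keylength #{bits} -> #{verdict}"
  end
  puts "generated 2048-bit key acceptable: #{generate_and_check(2048)}"
end
```

For an audit across a fleet, run rsa_key_bits over each agent's existing private key rather than trusting puppet.conf: a host whose key was generated under the old default keeps its 1024-bit key until the key is regenerated and the certificate reissued, regardless of what keylength now says.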
