Issue #6663 has been updated by Daniel Pittman.
I am strongly of the view that we should follow the most restrictive of the current sets of government advice (eg: BSI, NSA/NIST, etc) and advice from the experts in the field. If this requires addressing the question of how to achieve compatibility then we had better solve this, before someone genuinely breaks MD5, or RSA, or whatever in a way that matters to us, and we end up in more serious trouble: having to solve this in zero time, rather than with the relatively luxury of time. Larger keys, better hashing (probably by adding them as well as md5, rather than just replacing it, etc.) (Oh, and we absolutely have the capabilities to inspect the client version and make intelligent decisions about what we ship in terms of checksums, etc, as part of our compatibility story. As long as the master leads the agent in version we should be fine.) ---------------------------------------- Bug #6663: puppet.conf says keylength defaults to 1024 -- should be 2048 https://projects.puppetlabs.com/issues/6663 Author: micah - Status: Investigating Priority: Normal Assignee: micah - Category: SSL Target version: Affected Puppet version: Keywords: Branch: puppet.conf(5) says that the keylength parameter defaults to 1024 bits for new RSA keys. It should default to 2048, not 1024, there are a number of reasons for this: * many free software crypto tools are defaulting to 2048-bit keys now (e.g. OpenSSH, GnuPG) * NIST has recommended avoiding reliance on 1024-bit keys after the end of 2010 * you can compare other comparable standards at http://keylength.com/ Considering that generated certificates are expected to be around for at least the lifetime of the server itself, setting a reasonable bit-length key from the beginning is pretty important, especially if the server might be expected to be around for some years from now... You might argue that this is a feature request, but I would like to pre-empt that argument. Now that we are well beyond the NIST recommendation, this is a bug now days. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
