Issue #6663 has been updated by Mark Stanislav.
There will of course be a trade-off for security versus performance, which is why being reasonable about strength used should be also considered. 2048 bit RSA keys are 'good' until ~2030 at this time (according to NIST). Considering a default CA cert is five years for Puppet, this is a very reasonable way to go. There shouldn't be a compatibility issue to solve unless there's some interesting crypto voodoo occurring in Puppet ;) I really don't know of any reason to implement MD5 at all. It *is* broken and we do have better algorithms to implement. Even if SHA-1 is on its last leg, it's still a step-up. SHA-256 is preferred, though. Again, a great discussion to be having and very forward thinking. ---------------------------------------- Bug #6663: puppet.conf says keylength defaults to 1024 -- should be 2048 https://projects.puppetlabs.com/issues/6663 Author: micah - Status: Investigating Priority: Normal Assignee: micah - Category: SSL Target version: Affected Puppet version: Keywords: Branch: puppet.conf(5) says that the keylength parameter defaults to 1024 bits for new RSA keys. It should default to 2048, not 1024, there are a number of reasons for this: * many free software crypto tools are defaulting to 2048-bit keys now (e.g. OpenSSH, GnuPG) * NIST has recommended avoiding reliance on 1024-bit keys after the end of 2010 * you can compare other comparable standards at http://keylength.com/ Considering that generated certificates are expected to be around for at least the lifetime of the server itself, setting a reasonable bit-length key from the beginning is pretty important, especially if the server might be expected to be around for some years from now... You might argue that this is a feature request, but I would like to pre-empt that argument. Now that we are well beyond the NIST recommendation, this is a bug now days. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
