Issue #6663 has been updated by Patrick Mohr.
I'm curious why the priority on this was dropped. People have said advantages for it, but I have yet to hear a problem. This is also security related, and leaving this in is a tacit statement from Puppet Labs that 1024 bits is safe enough about 6 years from now. (That's 5 years for the cert to expire, and 1 year for the patch to get written, released, and sent downstream to the faster updating repositories.) Do we really want to recommend users keep using this 8 years (2012+6 years) after the NIST recommends we stop, considering that the ability to force a cert will basically invalidate the whole puppet security model?[1] I don't see this as critical, but I also think this should be urgent.

[1] Impersonating any computer as a client will usually give you access to sensitive information, and allow fact injection that might cause other security problems. It also allows anyone who can hijack DNS or do a man-in-the-middle attack to gain root access to most puppet clients.

----------------------------------------
Bug #6663: puppet.conf says keylength defaults to 1024 -- should be 2048
https://projects.puppetlabs.com/issues/6663

Author: micah
Status: Accepted
Priority: Normal
Assignee:
Category: SSL
Target version: 2.7.x
Affected Puppet version:
Keywords:
Branch: https://github.com/jamtur01/puppet/commit/b929aa19330bab42421190e60099ac2406f975c3

puppet.conf(5) says that the keylength parameter defaults to 1024 bits for new RSA keys. It should default to 2048, not 1024. There are a number of reasons for this:

* many free software crypto tools are defaulting to 2048-bit keys now (e.g. OpenSSH, GnuPG)
* NIST has recommended avoiding reliance on 1024-bit keys after the end of 2010
* you can compare other comparable standards at http://keylength.com/

Considering that generated certificates are expected to be around for at least the lifetime of the server itself, setting a reasonable bit-length key from the beginning is pretty important, especially if the server might be expected to be around for some years from now...

You might argue that this is a feature request, but I would like to pre-empt that argument. Now that we are well beyond the NIST recommendation, this is a bug nowadays.

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
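Added example, not code from the bug report or from Puppet: a small audit that resolves the effective keylength for each run-mode section of a puppet.conf and flags anything below 2048 bits. It assumes the 1024-bit documented default the report describes, that settings in [main] apply unless a [master] or [agent] section overrides them, and uses a constructed sample config.

```python
"""Audit a puppet.conf for the RSA keylength default discussed in Bug #6663."""
import configparser
from typing import Dict

# Default documented by puppet.conf(5) at the time of the report (assumption from the bug).
DOCUMENTED_DEFAULT_KEYLENGTH = 1024
# Minimum the report asks for, in line with the NIST guidance it cites.
MINIMUM_KEYLENGTH = 2048

# Run-mode sections; [master] and [agent] override [main] (assumed Puppet semantics).
RUN_MODE_SECTIONS = ("main", "master", "agent")

# Constructed sample: keylength is only raised for the master, so agent keys
# would still be generated at the documented default.
SAMPLE_CONF = """\
[main]
ssldir = /var/lib/puppet/ssl

[master]
keylength = 2048
"""


def parse_puppet_conf(text: str) -> configparser.ConfigParser:
    """Parse puppet.conf, which uses INI-style sections and 'key = value' lines."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def effective_keylength(parser: configparser.ConfigParser, section: str) -> int:
    """Resolve keylength for a run mode: its own section, then [main], then the default."""
    for candidate in (section, "main"):
        if parser.has_option(candidate, "keylength"):
            return int(parser.get(candidate, "keylength"))
    return DOCUMENTED_DEFAULT_KEYLENGTH


def audit_keylength(text: str) -> Dict[str, int]:
    """Return {section: effective keylength} for every run mode below the minimum."""
    parser = parse_puppet_conf(text)
    weak: Dict[str, int] = {}
    for section in RUN_MODE_SECTIONS:
        bits = effective_keylength(parser, section)
        if bits < MINIMUM_KEYLENGTH:
            weak[section] = bits
    return weak


if __name__ == "__main__":
    for section, bits in audit_keylength(SAMPLE_CONF).items():
        print(f"[{section}] effective keylength {bits} < {MINIMUM_KEYLENGTH}")
```

Setting `keylength = 2048` under [main] (or raising the shipped default, as the report requests) is what clears every section.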
