Re: [Freeipa-users] Elliptic curves with the CA

2013-09-18 Thread mees virk
I do not have a valid support contract, or other contracts with RedHat. Doesn't 
that stop me from opening a proper RFE ticket?

In any case, my interest was this time solely for evaluation purposes. If I 
were actively choosing an integrated identity management product, I might not 
choose Freeipa because it takes the longevity of the product and the 
development stance (lack of roadmap?) into question.

RSA is slowly getting onto a slippery slope, because it really isn't about what 
it's worth today. When you protect something with a cryptographic algorithm you 
have to take into account how long certain types of data will be stored, and 
factor that time frame in. Increasing the key sizes will not be a solution, 
because several embedded devices such as VPN products, smartcards and RFID 
devices will start failing pretty fast after 1024-2048 bit keys.

ECC was designed to solve some of these issues; it's an important development not 
mostly because of security today but because it will scale up better (it was 
designed to be easier to implement in hardware), and the key sizes start from a 
nicer point of security vs size. So it's the feature that would future-proof 
the CA. At this moment ECC support is available on some products in all the 
areas, such as smart cards, so the products not having that option out of 
the box will basically start losing in the competition.

I'm not trying to make a technical point here (if I made some minor error 
there, sorry) but a managerial one, from a product management viewpoint. ECC must 
be in the feature set, or the CA features will be discarded in the future by 
potential users. That means Freeipa as a whole might not be selected for 
some projects. Plus, it doesn't really hurt having ECC in. :)

IPA uses NSS, NSS support of ECC algorithms is very fresh, we have
not looked at this area yet.

I suspect it would require changes in Dogtag first.
Would be best if you can file an RFE ticket, then we would be able
to follow up.
  ___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Elliptic curves with the CA

2013-09-16 Thread mees virk
Hello all,

Is it possible to set up FreeIPA's CA to use ECC cryptographic methods (ECDSA & 
co) instead of RSA? That includes generating ECC CA certificates, and so on.

I don't think I was given any option towards this in the default installation 
process. Would appreciate instructions and/or pointers towards this.

Also, can the default generated RSA CA be switched later to ECC/ECDSA?

Why doesn't the CA allow cross-signing (RSA/ECDSA hybrid keychains) 
certificates? It seems to validate the types, although it is not strictly 
forbidden as cryptographic practice (mostly just inconvenient, but it's 
legal). I gave the CA an ECC CSR (generated by OpenSSL on one of the servers), and 
to my amazement it failed to sign it properly, complaining about the type not 
being RSA.
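The message above describes submitting an OpenSSL-generated ECC CSR to the FreeIPA CA and having it rejected because the key type was not RSA. The script below is an added example, not code from the thread or from the FreeIPA project: it generates either an ECDSA (P-256, an assumed curve) or an RSA key with OpenSSL, builds a CSR for it, and reads back the public-key algorithm the CSR actually carries, which is the check worth running before handing a request to a CA that only accepts one key type. The hostname and working-directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): generate a CSR
# with OpenSSL and inspect which public-key algorithm it carries.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_csr <rsa|ec> <common-name>
# Writes a private key and a CSR into $WORKDIR and prints the CSR path.
make_csr() {
    alg=$1
    cn=$2
    key="$WORKDIR/$cn-$alg.key"
    csr="$WORKDIR/$cn-$alg.csr"
    case "$alg" in
        ec)
            # P-256 (prime256v1) is an assumed curve choice for the example
            openssl ecparam -name prime256v1 -genkey -noout -out "$key" 2>/dev/null
            ;;
        rsa)
            openssl genrsa -out "$key" 2048 2>/dev/null
            ;;
        *)
            echo "unknown algorithm: $alg" >&2
            return 1
            ;;
    esac
    # Subject is supplied on the command line so no openssl.cnf prompts appear
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" 2>/dev/null
    printf '%s\n' "$csr"
}

# csr_key_algorithm <csr-file>
# Prints the name OpenSSL gives the CSR's SubjectPublicKeyInfo algorithm:
# "rsaEncryption" for RSA keys, "id-ecPublicKey" for EC keys.
csr_key_algorithm() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p' \
        | head -n 1
}

# csr_signature_ok <csr-file>
# Returns 0 when the CSR's self-signature verifies, i.e. the request was
# really signed by the private key matching the embedded public key.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone usage: build one CSR of each kind and report the key algorithm.
for alg in ec rsa; do
    csr=$(make_csr "$alg" host1.example.test)
    printf '%s CSR: %s\n' "$alg" "$(csr_key_algorithm "$csr")"
    csr_signature_ok "$csr" && echo "  self-signature verifies"
done
```

A CA that enforces an RSA-only policy will reject the request whose algorithm reads `id-ecPublicKey`; running `csr_key_algorithm` on the file first tells you which case you are in before the CA does. The `csr_signature_ok` check is separate from the key-type question: an ECDSA CSR can be perfectly well-formed and self-consistent and still be refused purely on policy.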