I was concerned that changing the default KDF for existing Ubuntu 22.04 users for FIPS reasons seemed inappropriate because some users might object to that if (depending on their security perspective and who they trust) they consider PBKDF2 to be a KDF downgrade. I appreciate that upstream changed to PBKDF2 and this is present in newer Ubuntu releases, but that doesn't mean that users expect the change to be backported for FIPS reasons. On the other hand the OOM might be a reason to change it in an SRU, but I'm not aware that we have any reports of Ubuntu users being affected by that.
I concluded with Tobias and Ghadi that it would be preferred for the KDF to default to PBKDF2 only if FIPS is enabled. That can be done either by putting this in the FIPS archives only, or in an SRU to the main archive with a runtime conditional on FIPS being enabled. Tobias prefers to do this in an SRU to the main archive, so Ghadi will amend the upload to do this. This was an SRU review of the justification only - I haven't done any code review yet.

--
https://bugs.launchpad.net/bugs/2073429
Title: Jammy clevis forces argon2id for keyslots
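As an added illustration of the runtime conditional proposed above (example code, not clevis's or Ubuntu's own): a POSIX shell function that emits the cryptsetup KDF arguments for a new keyslot only when the kernel reports FIPS mode, so non-FIPS systems keep cryptsetup's default (argon2id for LUKS2). The function name, the optional file argument and the constructed flag files are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not clevis's own code: pick the LUKS2 keyslot KDF at
# runtime, defaulting to PBKDF2 only when the kernel is in FIPS mode.

# Print the extra cryptsetup arguments for the keyslot KDF.
# $1: path of the kernel FIPS flag (default /proc/sys/crypto/fips_enabled;
#     the argument exists only so the function can be exercised offline).
# Prints "--pbkdf pbkdf2" when the flag reads 1, nothing otherwise, so a
# missing or unreadable flag file keeps cryptsetup's default (argon2id).
kdf_args_for_fips() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$fips_file" ] && [ "$(cat "$fips_file" 2>/dev/null)" = "1" ]; then
        printf '%s' "--pbkdf pbkdf2"
    fi
}

# Demonstration with constructed flag files; it never touches a real device,
# it only shows the command line that would be assembled in each mode.
demo() {
    tmp=$(mktemp -d)
    printf '1\n' > "$tmp/fips_on"
    printf '0\n' > "$tmp/fips_off"
    echo "FIPS on:  cryptsetup luksAddKey $(kdf_args_for_fips "$tmp/fips_on") /dev/DEVICE"
    echo "FIPS off: cryptsetup luksAddKey $(kdf_args_for_fips "$tmp/fips_off") /dev/DEVICE"
    rm -rf "$tmp"
}

demo
```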
