Public bug reported:

Liberty is using sha1 to calculate the fingerprint returned by os-keypairs REST 
API calls when the key type is x509. Unlike ssh, there is no standard hash 
algorithm that should necessarily be used for X.509, which makes it necessary 
to clarify what hash was used. There is also concern in simply documenting that 
this is sha1 and moving on... SHA-1 is known to be flawed and everyone is 
moving away from it. E.g. in Mozilla you will now see both SHA-1 and SHA-256 
fingerprints when you view a certificate, and they will eventually stop showing 
SHA-1. The nova API should be thinking forward and
1. allow the admin to configure one or more algorithms to use for X.509 
fingerprints (as noted, browsers will generally display at least 2).
2. be clear in what hash algorithms are used, both in documentation and (for 
client's sake) in the response.

Found in Liberty.

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1504598

Title:
  sha1 fingerprint for x509 keypair

Status in OpenStack Compute (nova):
  New

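The two requests in the report above (several configurable hashes, each labelled in the response), sketched as an added example that is not nova's code and not part of the original report. The setting name `CONFIGURED_ALGORITHMS`, the `alg:hex` label format, and the sample bytes are assumptions; the fingerprint is taken over the DER encoding of the certificate.

```python
import base64
import hashlib
import hmac

# Assumption: operator-configured list, strongest first (hypothetical setting name).
CONFIGURED_ALGORITHMS = ("sha256", "sha1")
SUPPORTED = {"sha1", "sha256", "sha384", "sha512"}

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and return the DER bytes that get hashed."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def fingerprints(pem: str, algorithms=CONFIGURED_ALGORITHMS) -> dict:
    """Return {algorithm: colon-separated hex digest} for each configured hash."""
    unknown = set(algorithms) - SUPPORTED
    if not algorithms or unknown:
        raise ValueError(f"unsupported fingerprint algorithms: {sorted(unknown)}")
    der = pem_to_der(pem)
    out = {}
    for alg in algorithms:
        digest = hashlib.new(alg, der).hexdigest()
        out[alg] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return out

def verify(pem: str, labelled: str) -> bool:
    """Check a labelled fingerprint such as 'sha256:ab:cd:...' against a certificate."""
    alg, _, value = labelled.partition(":")
    alg = alg.lower()
    if alg not in SUPPORTED:
        # A bare digest with no algorithm label is rejected rather than guessed at.
        raise ValueError(f"fingerprint does not name a supported hash: {alg!r}")
    expected = fingerprints(pem, (alg,))[alg]
    return hmac.compare_digest(expected, value.lower())

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for alg, fp in fingerprints(SAMPLE_PEM).items():
        print(f"{alg}:{fp}")
```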