
yahoo-eng-team team mailing list archive

[Bug 1103002] Re: Harden default PKI setup

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => havana-2

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1103002

Title:
  Harden default PKI setup

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Python client library for Keystone:
  In Progress

Bug description:
  keystone-manage pki_setup is a handy tool to quickly set up a default
  SSL public/private key pair for an initial test setup of OpenStack
  Keystone. Unfortunately it hard-codes defaults that are now
  considered less secure.

  I understand that this is an example setup, but given that users are
  likely going to (re-)use the configuration defaults for their
  production setup, I think we should advertise good defaults instead of
  weak ones.

  According to http://securitymusings.com/article/1587/algorithm-and-key-length-deprecation

  The following key lengths are deprecated:

  Hashing: 160-bit SHA-1 (note: MD4/MD5 was never an “acceptable algorithm” to the government, and should already be deprecated)
  Signatures: 1024-bit DSA, 1024-bit RSA, 160-bit ECDSA
  Encryption: 80/112-bit 2TDEA (two key triple DES)

  When are they deprecated?

  Hashing: for all hashes generated after 12/31/2010
  Signatures: for all signatures generated after 12/31/2010
  Encryption: for any information that needs to remain confidential after 12/31/2010

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1103002/+subscriptions
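Added example, not part of the bug report or of Keystone: a stdlib-only Python 3 check that reads the certificate pki_setup (or any tool) produced and flags the two conditions the report names, a SHA-1/MD5 signature hash and an RSA modulus shorter than 2048 bits. It contains a minimal DER reader for the parts of an X.509 certificate it needs (outer signatureAlgorithm and subjectPublicKeyInfo), plus a constructed fixture builder (`make_test_cert`) that emits a syntactically valid certificate skeleton with a made-up modulus and an empty signature so the check can run offline; the fixture is not a real key and does not verify. The OID constants are the well-known PKCS#1 values; everything else is assumed for this example.

```python
"""Audit a DER-encoded X.509 certificate against the deprecation thresholds
quoted in bug 1103002: 1024-bit RSA keys and SHA-1/MD5 signatures.
Stdlib only; the fixture builder below is a constructed test aid, not a CA."""

# Well-known PKCS#1 algorithm OIDs, as their DER-encoded contents.
OID_RSA = bytes.fromhex("2a864886f70d010101")        # rsaEncryption
SIG_MD5_RSA = bytes.fromhex("2a864886f70d010104")    # md5WithRSAEncryption
SIG_SHA1_RSA = bytes.fromhex("2a864886f70d010105")   # sha1WithRSAEncryption
SIG_SHA256_RSA = bytes.fromhex("2a864886f70d01010b") # sha256WithRSAEncryption
SIG_NAMES = {SIG_MD5_RSA: "md5WithRSAEncryption",
             SIG_SHA1_RSA: "sha1WithRSAEncryption",
             SIG_SHA256_RSA: "sha256WithRSAEncryption"}
DEPRECATED_HASHES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048


def der_read(buf, pos):
    """Read one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = byte count of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed TLV's content into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def inspect_cert(der):
    """Return (signature algorithm name, RSA modulus bits or None) of a DER cert."""
    _, cert, _ = der_read(der, 0)                     # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig_value = der_children(cert)
    sig_oid = der_children(sig_alg[1])[0][1]          # AlgorithmIdentifier.algorithm
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                          # optional EXPLICIT [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    alg, pubkey = der_children(fields[5][1])
    bits = None
    if der_children(alg[1])[0][1] == OID_RSA:
        # BIT STRING content: unused-bit count byte, then RSAPublicKey SEQUENCE
        _, rsa_key, _ = der_read(pubkey[1], 1)
        modulus = der_children(rsa_key)[0][1]
        bits = int.from_bytes(modulus, "big").bit_length()
    return SIG_NAMES.get(sig_oid, sig_oid.hex()), bits


def audit(der):
    """List findings per the thresholds quoted in the bug; empty list means OK."""
    sig_alg, bits = inspect_cert(der)
    findings = []
    if sig_alg in DEPRECATED_HASHES:
        findings.append(f"signature hash deprecated: {sig_alg}")
    if bits is not None and bits < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {bits} bits (need >= {MIN_RSA_BITS})")
    return findings


# ---- constructed fixture: a certificate skeleton, NOT a real key ------------
def der(tag, content):
    """Encode one TLV (content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def der_int(value):
    """Encode a non-negative INTEGER, keeping a leading 0x00 where the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_test_cert(sig_oid, modulus_bits):
    """Constructed: syntactically valid certificate with a made-up odd modulus of
    exactly modulus_bits bits, empty names and an empty signature value."""
    modulus = (1 << (modulus_bits - 1)) | 1            # top and bottom bits set
    alg_rsa = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    rsa_pub = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + rsa_pub))
    sig_alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    name = der(0x30, b"")                               # empty Name
    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"140101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + sig_alg
              + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    for label, cert in (("weak", make_test_cert(SIG_SHA1_RSA, 1024)),
                        ("hardened", make_test_cert(SIG_SHA256_RSA, 2048))):
        print(label, inspect_cert(cert), audit(cert) or "OK")
```

To run it against a real deployment, read the signing certificate in DER form (`openssl x509 -in signing_cert.pem -outform DER`) and pass the bytes to `audit`; an empty list means the certificate clears both thresholds from the report. The parser deliberately handles only RSA subject keys and reports the raw OID for any signature algorithm it does not know, so an unexpected algorithm shows up as an unfamiliar hex string rather than being silently accepted.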