← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1103002] Re: Harden default PKI setup

 

** Changed in: python-keystoneclient
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1103002

Title:
  Harden default PKI setup

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Python client library for Keystone:
  Fix Released

Bug description:
  keystone-manage pki_setup is a handy tool to quickly setup a default
  SSL public/private key pair for an initial test setup of OpenStack
  Keystone. Unfortunately it hardcodes defaults that are meanwhile
  considered less secure.

  I understand that this is an example setup, but given that users are
  likely going to (re-) use the configuration defaults for their
  production setup, I think we should advertise good defaults instead of
  weak ones.

  According to http://securitymusings.com/article/1587/algorithm-and-
  key-length-deprecation

  The following keylengths are deprecated:

  Hashing: 160-bit SHA-1 (note: MD4/MD5 was never an “acceptable algorithm” to the government, and should already be deprecated)
  Signatures: 1024-bit DSA, 1024-bit RSA, 160-bit ECDSA
  Encryption: 80/112-bit 2TDEA (two key triple DES)

  When are they deprecated?

  Hashing: for all hashes generated after 12/31/2010
  Signatures: for all signatures generated after 12/31/2010
  Encryption: for any information that needs to remain confidential after 12/31/2010

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1103002/+subscriptions