yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #04271
[Bug 1103002] Re: Harden default PKI setup
** Changed in: python-keystoneclient
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1103002
Title:
Harden default PKI setup
Status in OpenStack Identity (Keystone):
Fix Released
Status in Python client library for Keystone:
Fix Released
Bug description:
keystone-manage pki_setup is a handy tool to quickly setup a default
SSL public/private key pair for an initial test setup of OpenStack
Keystone. Unfortunately it hardcodes defaults that are meanwhile
considered less secure.
I understand that this is an example setup, but given that users are
likely going to (re-) use the configuration defaults for their
production setup, I think we should advertise good defaults instead of
weak ones.
According to http://securitymusings.com/article/1587/algorithm-and-
key-length-deprecation
The following keylengths are deprecated:
Hashing: 160-bit SHA-1 (note: MD4/MD5 was never an “acceptable algorithm” to the government, and should already be deprecated)
Signatures: 1024-bit DSA, 1024-bit RSA, 160-bit ECDSA
Encryption: 80/112-bit 2TDEA (two key triple DES)
When are they deprecated?
Hashing: for all hashes generated after 12/31/2010
Signatures: for all signatures generated after 12/31/2010
Encryption: for any information that needs to remain confidential after 12/31/2010
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1103002/+subscriptions