yahoo-eng-team team mailing list archive

[Brant Knudson <bknudson@xxxxxxxxxx>]

Public bug reported:

The digest algorithm for PKI tokens is the openssl default of sha1. This
is a weak algorithm and some security standards require a stronger
algorithm such as sha256. Keystone should make the token digest hash
algorithm configurable so that deployments can use a stronger algorithm.

Also, the default could be stronger.

** Affects: keystone
     Importance: Undecided
     Assignee: Brant Knudson (blk-u)
         Status: New

** Affects: python-keystoneclient
     Importance: Undecided
     Assignee: Brant Knudson (blk-u)
         Status: New

** Also affects: python-keystoneclient
   Importance: Undecided
       Status: New

** Changed in: keystone
     Assignee: (unassigned) => Brant Knudson (blk-u)

** Changed in: python-keystoneclient
     Assignee: (unassigned) => Brant Knudson (blk-u)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1362343

Title:
  weak digest algorithm for PKI

Status in OpenStack Identity (Keystone):
  New
Status in Python client library for Keystone:
  New

Bug description:
  The digest algorithm for PKI tokens is the openssl default of sha1.
  This is a weak algorithm and some security standards require a
  stronger algorithm such as sha256. Keystone should make the token
  digest hash algorithm configurable so that deployments can use a
  stronger algorithm.

  Also, the default could be stronger.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1362343/+subscriptions