yahoo-eng-team team mailing list archive

[Bug 1504598] [NEW] sha1 fingerprint for x509 keypair

Public bug reported:

Liberty is using sha1 to calculate the fingerprint returned by os-keypairs REST API calls when the key type is x509. Unlike ssh, there is no standard hash algorithm that should necessarily be used for X.509, which makes it necessary to clarify what hash was used. There is also concern in simply documenting that this is sha1 and moving on... SHA-1 is known to be flawed and everyone is moving away from it. E.g., in Mozilla you will now see both SHA-1 and SHA-256 fingerprints when you view a certificate, and they will eventually stop showing SHA-1. The nova API should be thinking forward and
1. allow the admin to configure one or more algorithms to use for X.509 fingerprints (as noted, browsers will generally display at least 2).
2. be clear in what hash algorithms are used, both in documentation and (for clients' sake) in the response.

Found in Liberty.

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1504598

Title:
  sha1 fingerprint for x509 keypair

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1504598/+subscriptions
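One shape items 1 and 2 of the report could take, added here as an illustration and not nova's own code: the fingerprint is taken over the certificate's DER bytes with an operator-chosen list of hash algorithms, and the response names each algorithm next to its value. The config tuple, the function names and the PEM sample are assumptions.

```python
import base64
import hashlib
import re

# Hypothetical operator setting (nova Liberty has none; it hard-codes sha1).
# Listing two algorithms mirrors what browsers display during the migration.
FINGERPRINT_ALGORITHMS = ("sha1", "sha256")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(data: bytes) -> bytes:
    """Return the DER encoding: base64-decode a PEM body, pass DER through."""
    match = _PEM_RE.search(data.decode("ascii", "ignore"))
    if match:
        return base64.b64decode("".join(match.group(1).split()))
    return data


def _colon_hex(digest: bytes) -> str:
    """Format a digest the way keypair fingerprints are shown: aa:bb:cc:..."""
    return ":".join("%02x" % byte for byte in digest)


def x509_fingerprint(cert: bytes, algorithm: str) -> str:
    """Fingerprint the certificate's DER bytes with one named hash."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported fingerprint algorithm: %s" % algorithm)
    digest = hashlib.new(algorithm)
    digest.update(certificate_der(cert))
    return _colon_hex(digest.digest())


def keypair_fingerprints(cert: bytes, algorithms=FINGERPRINT_ALGORITHMS) -> dict:
    """Response fragment that labels every fingerprint with its algorithm,
    so a client never has to guess which hash produced the value."""
    if not algorithms:
        raise ValueError("at least one fingerprint algorithm must be enabled")
    return {"fingerprints": {alg: x509_fingerprint(cert, alg) for alg in algorithms}}


if __name__ == "__main__":
    # Constructed stand-in for a PEM certificate (the body is base64 of b"abc");
    # a real DER blob would be hashed the same way.
    sample_pem = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    for alg, value in keypair_fingerprints(sample_pem)["fingerprints"].items():
        print(alg, value)
```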