Hi all,

I would like to start a discussion about changing the default key length
from 1024 bits to 2048, and am interested to know if this might cause
any issues for people. 

puppet.conf(5) says that the keylength parameter defaults to 1024 bits
for new RSA keys.

There are many reasons why 1024 bits is just not good enough nowadays:

 . many free software crypto tools are defaulting to 2048-bit keys now
 (e.g. OpenSSH, GnuPG)

 . NIST has recommended avoiding reliance on 1024-bit keys after the end
 of 2010

you can compare other comparable standards at http://keylength.com/

Considering that generated certificates are expected to be around for at
least the lifetime of the server itself, setting a reasonable bit-length
key from the beginning is pretty important, especially if the server
might be expected to be around for some years from now…

Not only is the default keylength for the CA 1024 bits, the default hash
is MD5.

The German BSI produces a yearly document[0] that defines which
algorithms should be safe for use over the next five years. This
document rules out MD5, SHA-1 and RIPEMD-160 for hashing and key sizes <
1976 bits for RSA keys right now.

Now that we are well beyond the NIST recommendation, this seems to be a
bug, and I filed it as such[1]. However, I'm throwing this out there to
see if this might be an issue for anyone, such as on older
distributions.

discuss!
micah


0. http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFile/10008/2011AlgoKatpdf.pdf
1. https://projects.puppetlabs.com/issues/6663
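An added example for the discussion above (this is not code from the original post or from Puppet itself): since the keylength setting only affects newly generated keys, a change such as `keylength = 2048` in the `[main]` section of puppet.conf does nothing for certificates that already exist, so a practitioner wanting to know where they stand needs to audit the keys and signature hashes of the certs already on disk. The script below does that with openssl, flagging anything below 2048-bit RSA or signed with something other than SHA-2. It assumes openssl is on PATH; the path /var/lib/puppet/ssl used in the usage comment is the default ssldir and is an assumption about the local install, and the sample certificates it generates are constructed purely for demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post or of Puppet: audit X.509
# certificates for the weak defaults discussed in the thread (1024-bit RSA
# keys, MD5 signatures) using only openssl. Assumes openssl is on PATH.

# Print "<modulus bits> <signature algorithm>" for a PEM certificate.
# Works with both the "Public-Key: (N bit)" and "RSA Public-Key: (N bit)"
# spellings that different openssl versions print.
cert_params() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n 1)
    echo "${bits:-0} ${sigalg:-unknown}"
}

# Return 0 if the certificate meets the bar proposed in the thread
# (RSA modulus >= 2048 bits, signed with a SHA-2 hash), 1 otherwise.
cert_is_strong() {
    set -- $(cert_params "$1")
    bits="$1"
    sigalg="$2"
    [ "$bits" -ge 2048 ] || return 1
    case "$sigalg" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk a directory (e.g. the assumed default ssldir /var/lib/puppet/ssl)
# and print one line per certificate: ok/WEAK, bits, signature hash, path.
# Non-certificate PEM files (keys, CRLs) are skipped.
audit_certs() {
    find "$1" -name '*.pem' 2>/dev/null | while read -r c; do
        if openssl x509 -in "$c" -noout >/dev/null 2>&1; then
            if cert_is_strong "$c"; then status=ok; else status=WEAK; fi
            echo "$status $(cert_params "$c") $c"
        fi
    done
}

# Constructed sample data: generate a self-signed cert with the old defaults
# (e.g. 1024-bit RSA, md5) or the proposed ones (2048-bit RSA, sha256).
# Usage: make_sample_cert /tmp/weak.pem 1024 md5
make_sample_cert() {
    out="$1"
    bits="$2"
    digest="$3"
    openssl req -x509 -newkey "rsa:$bits" -nodes -keyout "$out.key" -out "$out" \
        -"$digest" -days 1 -subj "/CN=sample" >/dev/null 2>&1
}

# Example usage (not run automatically):
#   audit_certs /var/lib/puppet/ssl
```

Run `audit_certs` against the ssldir and any line starting with WEAK is a certificate that will have to be regenerated regardless of what the default is changed to; bumping keylength in puppet.conf only helps hosts whose certificates have not yet been issued.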

