Hi all, I would like to start a discussion about changing the default key length from 1024 bits to 2048, and am interested to know if this might cause any issues for people.

puppet.conf(5) says that the keylength parameter defaults to 1024 bits for new RSA keys. There are many reasons why 1024 bits is just not good enough nowadays:

. many free software crypto tools are defaulting to 2048-bit keys now (e.g. OpenSSH, GnuPG)
. NIST has recommended avoiding reliance on 1024-bit keys after the end of 2010

You can compare other comparable standards at http://keylength.com/

Considering that generated certificates are expected to be around for at least the lifetime of the server itself, setting a reasonable bit-length key from the beginning is pretty important, especially if the server might be expected to be around for some years from now…

Not only is the default keylength for the CA 1024 bits, the default hash is MD5. The German BSI produces a yearly document[0] that defines which algorithms should be safe for usage over the next five years. This document rules out MD5, SHA-1 and RIPEMD-160 for hashing and key sizes < 1976 bits for RSA keys right now.

Now that we are well beyond the NIST recommendation, this seems to be a bug, and I filed it as such[1]. However, I'm throwing this out there to see if this might be an issue for anyone, such as on older distributions.

discuss!

micah

0. http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFile/10008/2011AlgoKatpdf.pdf
1. https://projects.puppetlabs.com/issues/6663

--
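The post argues that certificates issued with the old defaults (1024-bit RSA, MD5 signatures) outlive the decision to change the default, so existing certificates need auditing as well. The script below is an added example and is not code from the post or from the Puppet project; it assumes the `openssl` command-line tool is installed and reports whether a PEM certificate meets a minimum RSA modulus size and avoids MD5/SHA-1 signatures. The 2048-bit threshold and the throwaway self-signed test certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper: check a PEM certificate's RSA modulus size and signature hash.
# Threshold chosen for this example; adjust to local policy.
MIN_RSA_BITS=2048

# Print the RSA modulus size in bits (works with OpenSSL 1.1 and 3.x output).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Return 0 when the certificate passes both checks, 1 otherwise.
cert_is_acceptable() {
  bits=$(cert_key_bits "$1")
  alg=$(cert_sig_alg "$1")
  [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] || return 1
  case "$alg" in
    *md5*|*MD5*|*sha1*|*SHA1*) return 1 ;;
  esac
  return 0
}

# Constructed test data: a self-signed certificate with the requested key size.
# usage: make_test_cert <bits> <out.pem>
make_test_cert() {
  keyfile=$(mktemp)
  openssl req -x509 -newkey rsa:"$1" -nodes -sha256 -keyout "$keyfile" \
    -out "$2" -subj "/CN=example-test" -days 1 2>/dev/null
  rm -f "$keyfile"
}

# Stand-alone run: audit every certificate path given on the command line.
if [ "$#" -gt 0 ]; then
  for cert in "$@"; do
    if cert_is_acceptable "$cert"; then
      echo "OK   $cert ($(cert_key_bits "$cert") bit, $(cert_sig_alg "$cert"))"
    else
      echo "WEAK $cert ($(cert_key_bits "$cert") bit, $(cert_sig_alg "$cert"))"
    fi
  done
fi
```

Running it over the CA's `signed/` directory lists which agent certificates were issued under the old defaults and will need reissuing once `keylength = 2048` is set in puppet.conf.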