Hi Micah,

In short, I'm in agreement with you. With the CA which is defaulted to 5 years 
(not at all surprising) there's no doubt that soon (maybe 2.7 is a good time?) 
a 2048 key size should be used for at least the CA key, if not as the default for 
client key generation as well. Secondly, yes, I don't know why MD5 would be the 
hashing algorithm of choice in this case either.

As I recall, most major root CAs went to 2048 last year to not anger 
the NIST recommendation.

-Mark

On May 19, 2011, at 11:07 PM, Micah Anderson wrote:

> 
> Hi all,
> 
> I would like to start a discussion about changing the default key length
> from 1024 bits to 2048, and am interested to know if this might cause
> any issues for people.
> 
> puppet.conf(5) says that the keylength parameter defaults to 1024 bits
> for new RSA keys.
> 
> There are many reasons why 1024 bits is just not good enough nowadays:
> 
> . many free software crypto tools are defaulting to 2048-bit keys now
> (e.g. OpenSSH, GnuPG)
> 
> . NIST has recommended avoiding reliance on 1024-bit keys after the end
> of 2010
> 
> You can compare other comparable standards at http://keylength.com/
> 
> Considering that generated certificates are expected to be around for at
> least the lifetime of the server itself, setting a reasonable bit-length
> key from the beginning is pretty important, especially if the server
> might be expected to be around for some years from now…
> 
> Not only is the default keylength for the CA 1024 bits, the default hash
> is MD5.
> 
> The German BSI produces a yearly document[0] that defines which
> algorithms should be safe for use over the next five years. This
> document rules out MD5, SHA-1 and RIPEMD-160 for hashing and key sizes <
> 1976 bits for RSA keys right now.
> 
> Now that we are well beyond the NIST recommendation, this seems to be a
> bug, and I filed it as such[1]. However, I'm throwing this out there to
> see if this might be an issue for anyone, such as on older
> distributions.
> 
> discuss!
> micah
> 
> 
> 0. http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFile/10008/2011AlgoKatpdf.pdf
> 1. https://projects.puppetlabs.com/issues/6663
> 
> 
> -- 
> 
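A small audit script, added here as an illustration and not part of either message or of Puppet itself, that reads a puppet.conf and flags the two defaults the thread complains about: an effective keylength below 2048 and a CA signing hash the BSI catalogue rules out. It assumes the puppet.conf(5) defaults quoted above (keylength 1024) and uses Puppet's ca_md setting for the CA hash, which the thread does not name; the two sample configs are constructed.

```python
import configparser
from typing import List

# Thresholds taken from the thread: NIST and the BSI catalogue both rule out
# 1024-bit RSA, and the BSI catalogue rules out MD5, SHA-1 and RIPEMD-160.
MIN_RSA_BITS = 2048
WEAK_HASHES = {"md5", "sha1", "ripemd160"}

# Defaults as puppet.conf(5) documented them at the time of the thread.
# ca_md (assumed name, from Puppet's configuration reference, not from the
# thread) is the setting that selects the CA's signing hash.
DEFAULT_KEYLENGTH = 1024
DEFAULT_CA_MD = "md5"


def setting(cfg: configparser.ConfigParser, name: str, default: str) -> str:
    """Return the effective value of a setting: [master] overrides [main]."""
    for section in ("master", "main"):
        if cfg.has_option(section, name):
            return cfg.get(section, name).strip()
    return default


def audit_puppet_conf(text: str) -> List[str]:
    """Return a list of findings for a puppet.conf; an empty list means it passes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    bits = int(setting(cfg, "keylength", str(DEFAULT_KEYLENGTH)))
    if bits < MIN_RSA_BITS:
        findings.append(f"keylength is {bits} bits; set keylength = {MIN_RSA_BITS}")
    # Normalise spellings such as "SHA-1" / "RIPEMD-160" before comparing.
    md = setting(cfg, "ca_md", DEFAULT_CA_MD).lower().replace("-", "")
    if md in WEAK_HASHES:
        findings.append(f"ca_md is {md}; sign CA certificates with SHA-2 (e.g. sha256)")
    return findings


# Constructed sample configurations, not taken from any real host.
STOCK_CONF = "[main]\nlogdir = /var/log/puppet\n[master]\ncertname = puppet.example.com\n"
HARDENED_CONF = "[main]\nkeylength = 2048\nca_md = sha256\n[master]\ncertname = puppet.example.com\n"

if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_puppet_conf(conf) or ["ok"])
```

Changing these settings only affects keys and certificates generated afterwards; an existing 1024-bit, MD5-signed CA has to be regenerated and its client certificates reissued.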
