On Fri, May 20, 2011 at 08:23, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Fri, May 20, 2011 at 5:39 AM, Mark Stanislav <mark.stanis...@gmail.com> wrote:
>>
>> In short, I'm in agreement with you. With the CA which is defaulted to 5 years (not at all surprising) there's no doubt that soon (maybe 2.7 is a good time?) 2048 key size should be used for at least the CA key, if not default for client key generation as well. Secondly, yes, I don't know why MD5 would be the hashing algorithm of choice in this case either.
>>
>> As I recall last year, most major root CAs went to 2048 last year to not anger the NIST recommendation.
>
> We will do this for 2.7.x unless we get major pushback from the community.
To replicate what I said in RedMine: I am strongly of the view that we should follow the most restrictive of the current sets of government advice (eg: BSI, NSA/NIST, etc) and advice from the experts in the field.

If this requires addressing the question of how to achieve compatibility then we had better solve this, before someone genuinely breaks MD5, or RSA, or whatever in a way that matters to us, and we end up in more serious trouble: having to solve this in zero time, rather than with the relative luxury of time.

Larger keys, better hashing (probably by adding them as well as md5, rather than just replacing it, etc.)

(Oh, and we absolutely have the capabilities to inspect the client version and make intelligent decisions about what we ship in terms of checksums, etc, as part of our compatibility story. As long as the master leads the agent in version we should be fine.)

Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
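The check an operator would want after reading this thread, as an added example that is not from the thread or from the Puppet project: a small POSIX shell function, `check_cert_text` (a name chosen here), that reads the text dump of a certificate produced by `openssl x509 -noout -text` on stdin and reports whether the CA certificate already meets the targets discussed above, namely an RSA key of at least 2048 bits and a signature digest other than MD5. It assumes only OpenSSL's text layout (a `Signature Algorithm:` line and a `Public-Key: (<n> bit)` line, which some versions prefix with `RSA `); the file path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet.
# check_cert_text [MIN_BITS]: read `openssl x509 -noout -text` output on stdin,
# print one line per finding, return 0 when the certificate passes and 1 otherwise.
# Assumption: OpenSSL's text layout ("Signature Algorithm: <alg>" and
# "Public-Key: (<n> bit)", the latter prefixed "RSA " on some versions).
check_cert_text() {
    min_bits="${1:-2048}"
    text=$(cat)
    rc=0

    # The first "Signature Algorithm:" line is the one inside the TBS certificate;
    # OpenSSL repeats it near the end of the dump, so take only the first.
    sigalg=$(printf '%s\n' "$text" \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)

    # Modulus size in bits; group 1 is the optional "RSA " prefix, group 2 the count.
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/^[[:space:]]*\(RSA \)\{0,1\}Public-Key: *(\([0-9][0-9]*\) bit).*/\2/p' \
        | head -n 1)

    # Digest check: any algorithm name containing "md5" fails (case-insensitive).
    case "$(printf '%s' "$sigalg" | tr 'A-Z' 'a-z')" in
        '')    echo "FAIL: no signature algorithm found"; rc=1 ;;
        *md5*) echo "FAIL: signature digest is MD5 ($sigalg)"; rc=1 ;;
        *)     echo "ok: signature algorithm $sigalg" ;;
    esac

    # Key-size check against the threshold (2048 unless overridden).
    if [ -z "$bits" ]; then
        echo "FAIL: no RSA public key size found"; rc=1
    elif [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: RSA key is $bits bits, below $min_bits"; rc=1
    else
        echo "ok: RSA key is $bits bits"
    fi
    return $rc
}

# Usage (placeholder path): openssl x509 -in path/to/ca.pem -noout -text | check_cert_text
```

Running it against the CA certificate and a sample of agent certificates gives a quick inventory of which end of the compatibility question a deployment is on before any default changes; passing a larger number as the first argument raises the key-size threshold.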