On Tue, May 24, 2011 at 11:02, Mark Stanislav <mark.stanis...@gmail.com> wrote:
> On May 24, 2011, at 1:50 PM, Daniel Pittman wrote:
>> On Tue, May 24, 2011 at 06:36, Mark Stanislav <mark.stanis...@gmail.com> wrote:
>>> On May 24, 2011, at 1:38 AM, Daniel Pittman wrote:
>>>> On Fri, May 20, 2011 at 08:23, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>>>> On Fri, May 20, 2011 at 5:39 AM, Mark Stanislav <mark.stanis...@gmail.com> wrote:
>>
>> […]
>>
>>>> Larger keys, better hashing (probably by adding them as well as md5,
>>>> rather than just replacing it, etc.)
>>>
>>> I really don't know of any reason to implement MD5 at all. It *is* broken
>>> and we do have better algorithms to implement. Even if SHA-1 is on its last
>>> leg, it's still a step-up. SHA-256 is preferred, though.
>>
>> Ah. We have a policy of supporting at least two major versions back,
>> and would generally prefer not to have to go and patch all the 2.6 and
>> 2.7 releases out there when 2.8 moves to a more secure hash. (...or
>> 0.25 and 2.6 when 2.7 adds it. ;)
>
> I don't think there should be a compat issue with regard to certificates as
> that would be relevant to SSL libraries which should have fully supported
> those algorithms for years. I could also be entirely wrong so feel free to
> let me know as I'm speaking from a basic crypto perspective and not with
> respect to Puppet directly.

Ah. I was thinking in the broader scope of getting us away from insecure hashes elsewhere in the product. From a strictly certificate POV, indeed, it should be just fine.

Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons