[Freeipa-devel] MD5 certificate fingerprints removal
Rob Crittenden
rcritten at redhat.com
Tue Feb 21 14:23:12 UTC 2017
Standa Laznicka wrote:
> Hello,
>
> Since we're trying to make FreeIPA work in FIPS we got to the point
> where we need to do something with MD5 fingerprints in the cert plugin.
> Eventually we came to a realization that it'd be best to get rid of them
> as a whole. These are counted by the framework and are not stored
> anywhere. Note that alongside these fingerprints, SHA1 fingerprints
> are also counted and those are there to stay.
>
> The question for this ML is, then - is it OK to remove these or would
> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
> grandpa and I think it should go.

I based the values displayed on what certutil displayed at the time (7
years ago). I don't know that anyone uses these fingerprints. The
OpenSSL equivalent doesn't include them by default.

You may be able to deprecate fingerprints altogether.

rob
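
An added example, not part of the original message and not FreeIPA's own code: a certificate fingerprint is a digest over the DER encoding, so it can be computed on the fly with SHA-1 and SHA-256 while tolerating a crypto backend that refuses MD5. The function names, the lowercase colon-separated output format and the sample data are assumptions made for this illustration.

```python
import base64
import hashlib
import re

# Constructed sample: arbitrary bytes in PEM armor standing in for a DER
# certificate. Fingerprints hash the raw DER bytes; no ASN.1 parsing is needed.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def format_fp(digest):
    """Render digest bytes as colon-separated hex (assumed display format)."""
    return ":".join("%02x" % b for b in digest)


def fingerprints(der, algorithms=("md5", "sha1", "sha256")):
    """Map each algorithm name to its fingerprint, or None if unavailable."""
    result = {}
    for name in algorithms:
        try:
            hasher = hashlib.new(name, der)
        except ValueError:
            # Raised when the backend does not offer the digest. Assumption:
            # a FIPS-enforcing build rejects MD5 this way; unknown names also
            # land here. Report the gap instead of failing the whole call.
            result[name] = None
            continue
        result[name] = format_fp(hasher.digest())
    return result


if __name__ == "__main__":
    for algo, fp in fingerprints(pem_to_der(SAMPLE_PEM)).items():
        print(algo, fp if fp is not None else "(not available)")
```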