[Freeipa-devel] MD5 certificate fingerprints removal

Tomas Krizek tkrizek at redhat.com
Tue Feb 21 15:24:08 UTC 2017


On 02/21/2017 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> Hello,
>>
>> Since we're trying to make FreeIPA work in FIPS we got to the point
>> where we need to do something with MD5 fingerprints in the cert plugin.
>> Eventually we came to a realization that it'd be best to get rid of them
>> as a whole. These are counted by the framework and are not stored
>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>> are also counted and those are there to stay.
>>
>> The question for this ML is, then - is it OK to remove these or would
>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>> grandpa and I think it should go.
> I based the values displayed on what certutil displayed at the time (7
> years ago). I don't know that anyone uses these fingerprints. The
> OpenSSL equivalent doesn't include them by default.
>
> You may be able to deprecate fingerprints altogether.
>
> rob
I think it's useful to display the certificate's fingerprint. I'm in
favor of removing md5 and adding sha256 instead.

-- 
Tomas Krizek
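An added example of the change favored above, not FreeIPA's own code: fingerprints computed over a certificate's DER bytes with SHA-1 kept and SHA-256 in MD5's place, formatted in certutil's colon-separated style. The PEM sample is constructed (it wraps the three bytes "abc", not a real certificate) so the resulting digests are easy to verify.

```python
"""Certificate fingerprints without MD5 (added example, not FreeIPA's code)."""
import base64
import hashlib
import re

# SHA-1 stays (per the thread); SHA-256 takes MD5's place. Nothing here
# touches MD5, so the function also works on a FIPS-enabled OpenSSL, where
# hashlib.new("md5") raises ValueError.
FINGERPRINT_ALGORITHMS = ("sha1", "sha256")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of the first PEM certificate in `data`.

    Data without a PEM envelope is assumed to be DER already and is
    returned unchanged.
    """
    match = _PEM_RE.search(data.decode("ascii", "ignore"))
    if match is None:
        return data
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of the DER bytes as colon-separated uppercase hex (certutil style)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_fingerprints(cert: bytes) -> dict:
    """Map each supported algorithm name to the certificate's fingerprint."""
    der = pem_to_der(cert)
    return {alg: fingerprint(der, alg) for alg in FINGERPRINT_ALGORITHMS}


# Constructed sample: a PEM envelope around base64("abc"); not a real certificate.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"YWJj\n"
    b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, value in certificate_fingerprints(SAMPLE_PEM).items():
        print(f"{name}: {value}")
```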

