[Freeipa-devel] MD5 certificate fingerprints removal

Standa Laznicka slaznick at redhat.com
Tue Feb 21 16:23:07 UTC 2017


On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> Hello,
>>>
>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>> Eventually we came to a realization that it'd be best to get rid of them
>>> as a whole. These are counted by the framework and are not stored
>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>> are also counted and those are there to stay.
>>>
>>> The question for this ML is, then - is it OK to remove these or would
>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>> grandpa and I think it should go.
>> I based the values displayed on what certutil displayed at the time (7
>> years ago). I don't know that anyone uses these fingerprints. The
>> OpenSSL equivalent doesn't include them by default.
>>
>> You may be able to deprecate fingerprints altogether.
>>
>> rob
> I think it's useful to display the certificate's fingerprint. I'm in
> favor of removing md5 and adding sha256 instead.
>
Rob, thank you for sharing the information on where the cert
fingerprints originated! `certutil` shipped with nss-3.27.0-1.3
currently displays SHA-256 and SHA1 fingerprints for certificates, so I
propose going that way too.
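For reference, the approach proposed in the thread (drop MD5, keep SHA-1, add SHA-256, print in certutil's colon-separated style) in a small Python sketch. This is an added example, not FreeIPA code; `SAMPLE_DER` is a constructed stand-in for a DER-encoded certificate, and the function names are illustrative.

```python
import hashlib

# Constructed stand-in for a DER-encoded certificate. A real cert plugin
# would hash the certificate's actual DER bytes; the short value is used
# here only so the resulting digests are well-known test vectors.
SAMPLE_DER = b"abc"

# Digests kept after removing MD5: SHA-1 for compatibility with what was
# displayed before, SHA-256 as the modern one certutil also prints.
FINGERPRINT_ALGOS = ("sha1", "sha256")


def fingerprint(der_bytes, algo):
    """Return the certutil-style fingerprint: colon-separated uppercase hex."""
    if algo not in FINGERPRINT_ALGOS:
        # Refuse MD5 (and anything else not allow-listed) up front instead
        # of computing a digest that FIPS mode would reject anyway.
        raise ValueError("fingerprint algorithm not allowed: %s" % algo)
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cert_fingerprints(der_bytes):
    """Map each allowed algorithm to the fingerprint the framework would show."""
    return {algo: fingerprint(der_bytes, algo) for algo in FINGERPRINT_ALGOS}


if __name__ == "__main__":
    for algo, fp in cert_fingerprints(SAMPLE_DER).items():
        print("%s fingerprint: %s" % (algo.upper(), fp))
```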