<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/18/2013 11:53 AM, mees virk
wrote:<br>
</div>
<blockquote cite="mid:DUB126-W4591B623996CB3C7046EDC4200@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style>
<div dir="ltr">I do not have a valid support contract, or other
contracts with RedHat. Doesn't that stop me from opening proper
RFE ticket?<br>
</div>
</blockquote>
<br>
Not at all - <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/newticket">https://fedorahosted.org/freeipa/newticket</a> - depending
on what you mean by "proper".<br>
<br>
<blockquote cite="mid:DUB126-W4591B623996CB3C7046EDC4200@phx.gbl"
type="cite">
<div dir="ltr"><br>
In any case, my interest was this time solely for evaluation
purposes. If I were actively choosing an integrated identity
management product, I might not choose Freeipa because it takes
the longevity of the product and the development stance (lack of
roadmap?) into question.<br>
<br>
RSA is slowly getting into slippery slope, because it really
isn't about what it's worth today. When you protect something
with a cryptographic algorithm you have to take account for how
long certain types of data will be stored, and factor that time
frame in. Increasing the key sizes will not be solution, because
several embedded devices such as VPN products, smartcards and
RFID devices will start failing pretty fast after 1024-2048 bit
keys. <br>
<br>
ECC was designed to solve some of these issues; it's important
development not mostly because of security today but because it
will scale better up (it was designed to be implementable better
on hardware), and the key sizes start from nicer point of
security vs size. So it's the feature that would future proof
the CA. At this moment there is available ECC support on some
products on all the areas such as smart cards, so the products
not having that option out of the box will start basically
losing in the competition.<br>
<br>
I'm not trying to make a technical point here (if I made some
minor error there, sorry) but a managerial, and from product
management viewpoint. ECC must be on the feature set, or the CA
features will be discarded in the future by potential users.
That means the Freeipa as a whole might not be selected for some
projects. Plus, it doesn't really hurt having ECC in. :)<br>
<br>
<div>
<hr id="stopSpelling"><br>
<blockquote
cite="mid:BLU175-W8A99B5A6A8731F6FC5E1FC4260@phx.gbl">
<div dir="ltr"> <br>
</div>
</blockquote>
IPA uses NSS, NSS support of ECC algorithms is very fresh, we
have not looked at this area yet.<br>
I suspect it would require changes in Dogtag first.<br>
<br>
Would be best if you can file and RFE ticket, then we would be
able to follow up.<br>
<br>
<blockquote
cite="mid:BLU175-W8A99B5A6A8731F6FC5E1FC4260@phx.gbl">
<div dir="ltr"> </div>
<br>
</blockquote>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</body>
</html>