[Freeipa-users] Elliptic curves with the CA

Rich Megginson rmeggins at redhat.com
Wed Sep 18 17:58:39 UTC 2013


On 09/18/2013 11:53 AM, mees virk wrote:
> I do not have a valid support contract, or other contracts with 
> Red Hat. Doesn't that stop me from opening a proper RFE ticket?

Not at all - https://fedorahosted.org/freeipa/newticket - depending on 
what you mean by "proper".

>
> In any case, my interest was this time solely for evaluation purposes. 
> If I were actively choosing an integrated identity management product, 
> I might not choose Freeipa because it takes the longevity of the 
> product and the development stance (lack of roadmap?) into question.
>
> RSA is slowly getting onto a slippery slope, because it really isn't 
> about what it's worth today. When you protect something with a 
> cryptographic algorithm you have to take into account how long certain 
> types of data will be stored, and factor that time frame in. 
> Increasing the key sizes will not be a solution, because several 
> embedded devices such as VPN products, smartcards and RFID devices 
> will start failing pretty fast after 1024-2048 bit keys.
>
> ECC was designed to solve some of these issues; it's an important 
> development not mostly because of security today but because it will 
> scale up better (it was designed to be implementable better on 
> hardware), and the key sizes start from a nicer point of security vs 
> size. So it's the feature that would future-proof the CA. At this 
> moment ECC support is available on some products in all the 
> areas such as smart cards, so the products not having that option out 
> of the box will basically start losing in the competition.
>
> I'm not trying to make a technical point here (if I made some minor 
> error there, sorry) but a managerial one, from a product management 
> viewpoint. ECC must be in the feature set, or the CA features will be 
> discarded in the future by potential users. That means Freeipa as 
> a whole might not be selected for some projects. Plus, it doesn't 
> really hurt having ECC in. :)
>
> ------------------------------------------------------------------------
>
>
> IPA uses NSS; NSS support of ECC algorithms is very fresh, and we have 
> not looked at this area yet.
> I suspect it would require changes in Dogtag first.
>
> It would be best if you could file an RFE ticket; then we would be able 
> to follow up.