[Freeipa-users] Elliptic curves with the CA
Rich Megginson
rmeggins at redhat.com
Wed Sep 18 17:58:39 UTC 2013
On 09/18/2013 11:53 AM, mees virk wrote:
> I do not have a valid support contract, or other contracts with
> RedHat. Doesn't that stop me from opening proper RFE ticket?
Not at all - https://fedorahosted.org/freeipa/newticket - depending on
what you mean by "proper".
>
> In any case, my interest was this time solely for evaluation purposes.
> If I were actively choosing an integrated identity management product,
> I might not choose Freeipa because it takes the longevity of the
> product and the development stance (lack of roadmap?) into question.
>
> RSA is slowly getting onto a slippery slope, because it really isn't
> about what it's worth today. When you protect something with a
> cryptographic algorithm you have to take into account how long certain
> types of data will be stored, and factor that time frame in.
> Increasing the key sizes will not be a solution, because several
> embedded devices such as VPN products, smartcards and RFID devices
> will start failing pretty fast after 1024-2048 bit keys.
>
> ECC was designed to solve some of these issues; it's an important
> development not mostly because of security today but because it will
> scale up better (it was designed to be implementable better on
> hardware), and the key sizes start from a nicer point of security vs
> size. So it's the feature that would future-proof the CA. At this
> moment there is available ECC support on some products on all the
> areas such as smart cards, so the products not having that option out
> of the box will start basically losing in the competition.
>
> I'm not trying to make a technical point here (if I made some minor
> error there, sorry) but a managerial, and from product management
> viewpoint. ECC must be on the feature set, or the CA features will be
> discarded in the future by potential users. That means the Freeipa as
> a whole might not be selected for some projects. Plus, it doesn't
> really hurt having ECC in. :)
>
> ------------------------------------------------------------------------
>
>
> IPA uses NSS, NSS support of ECC algorithms is very fresh, we have not
> looked at this area yet.
> I suspect it would require changes in Dogtag first.
>
> Would be best if you can file an RFE ticket, then we would be able to
> follow up.
>