[Freeipa-users] Elliptic curves with the CA

John Dennis jdennis at redhat.com
Wed Sep 18 18:12:29 UTC 2013


On 09/18/2013 01:53 PM, mees virk wrote:
> I do not have a valid support contract, or other contracts with Red Hat.
> Doesn't that stop me from opening a proper RFE ticket?
> 
> In any case, my interest was this time solely for evaluation purposes.
> If I were actively choosing an integrated identity management product, I
> might not choose Freeipa because it takes the longevity of the product
> and the development stance (lack of roadmap?) into question.
> 
> RSA is slowly getting onto a slippery slope, because it really isn't about
> what it's worth today. When you protect something with a cryptographic
> algorithm you have to take into account how long certain types of data
> will be stored, and factor that time frame in. Increasing the key sizes
> will not be a solution, because several embedded devices such as VPN
> products, smartcards and RFID devices will start failing pretty fast
> after 1024-2048 bit keys.
> 
> ECC was designed to solve some of these issues; it's an important
> development not mostly because of security today but because it will
> scale up better (it was designed to be implementable better on
> hardware), and the key sizes start from a nicer point of security vs size.
> So it's the feature that would future-proof the CA. At this moment there
> is ECC support available on some products in all the areas such as smart
> cards, so the products not having that option out of the box will start
> basically losing in the competition.
> 
> I'm not trying to make a technical point here (if I made some minor
> error there, sorry) but a managerial one, from a product management
> viewpoint. ECC must be in the feature set, or the CA features will be
> discarded in the future by potential users. That means Freeipa as a
> whole might not be selected for some projects. Plus, it doesn't really
> hurt having ECC in. :)

Yes, we understand these issues. IPA is designed for longevity. EC is
still very new; there are many components on which IPA depends which
have to gain EC support before IPA can offer it, and that is work which is
actively in progress. There are still some intellectual property
questions which are under consideration with respect to EC. And there
has to be demand to support EC in IPA, otherwise other RFEs and bugs
will take precedence.

The short story is EC is emerging, we comprehend its value and it will
almost certainly appear at some point in IPA in some form.

Please do file an RFE.


-- 
John



