[Freeipa-users] Elliptic curves with the CA

Dmitri Pal dpal at redhat.com
Fri Sep 20 15:48:03 UTC 2013


On 09/18/2013 01:53 PM, mees virk wrote:
> I do not have a valid support contract, or other contracts with
> RedHat. Doesn't that stop me from opening proper RFE ticket?
>
> In any case, my interest was this time solely for evaluation purposes.
> If I were actively choosing an integrated identity management product,
> I might not choose Freeipa because it takes the longevity of the
> product and the development stance (lack of roadmap?) into question.

I wonder where the lack of roadmap came from?
http://www.freeipa.org/page/Roadmap
So the trac system we use gives a good view of the dynamics of the project
https://fedorahosted.org/freeipa/roadmap

However, IMO the disconnect in expectations is that support of ECC is not
exactly FreeIPA's problem (yet).
It needs to be implemented by the lower levels of the stack first: NSS,
Dogtag etc.
We have plans for support of the certs for users and we understand that
RSA becomes outdated.
Your RFE would allow us to track your specific requirements and interest
(and make it our problem).

Right now the position is: let the underlying components grow ECC
support and consume this functionality in FreeIPA when it matures.
Filing an RFE would change these dynamics and would signal us that there
is interest in the community in the actual end point solution, i.e.
FreeIPA supporting ECC.

Thanks!

>
> RSA is slowly getting onto a slippery slope, because it really isn't
> about what it's worth today. When you protect something with a
> cryptographic algorithm you have to take account for how long certain
> types of data will be stored, and factor that time frame in.
> Increasing the key sizes will not be the solution, because several
> embedded devices such as VPN products, smartcards and RFID devices
> will start failing pretty fast after 1024-2048 bit keys.
>
> ECC was designed to solve some of these issues; it's important
> development not mostly because of security today but because it will
> scale up better (it was designed to be more implementable in
> hardware), and the key sizes start from a nicer point of security vs
> size. So it's the feature that would future proof the CA. At this
> moment ECC support is available on some products in all areas, such
> as smart cards, so the products not having that option out of the box
> will basically start losing in the competition.
>
> I'm not trying to make a technical point here (if I made some minor
> error there, sorry) but a managerial one, from a product management
> viewpoint. ECC must be in the feature set, or the CA features will be
> discarded in the future by potential users. That means Freeipa as
> a whole might not be selected for some projects. Plus, it doesn't
> really hurt having ECC in. :)
>
> ------------------------------------------------------------------------
>
> IPA uses NSS, NSS support of ECC algorithms is very fresh, we have not
> looked at this area yet.
> I suspect it would require changes in Dogtag first.
>
> Would be best if you can file an RFE ticket, then we would be able to
> follow up.
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


