[Freeipa-users] Elliptic curves with the CA

Ade Lee alee at redhat.com
Fri Sep 20 16:09:08 UTC 2013


As a partial answer to this, work has been ongoing to fully support ECC
in Dogtag.  Attached is a most likely out-of-date wiki page detailing
ECC support in Dogtag.

https://pki.fedoraproject.org/wiki/ECC_in_Dogtag

If I recall correctly, we are somewhere around phase 3.  

Ade

On Fri, 2013-09-20 at 11:48 -0400, Dmitri Pal wrote:
> On 09/18/2013 01:53 PM, mees virk wrote: 
> > I do not have a valid support contract, or other contracts with
> > RedHat. Doesn't that stop me from opening proper RFE ticket?
> > 
> > In any case, my interest was this time solely for evaluation
> > purposes. If I were actively choosing an integrated identity
> > management product, I might not choose Freeipa because it takes the
> > longevity of the product and the development stance (lack of
> > roadmap?) into question.
> > 
> 
> I wonder where the lack of roadmap came from?
> http://www.freeipa.org/page/Roadmap
> So the trac system we use gives a good view of the dynamics of the
> project
> https://fedorahosted.org/freeipa/roadmap
> 
> However IMO the disconnect in expectations is that support of the ECC is
> not exactly FreeIPA's problem (yet).
> It needs to be implemented by the lower levels of the stack first:
> NSS, Dogtag etc.
> We have plans for support of the certs for users and we understand
> that RSA becomes outdated.
> Your RFE would allow us to track your specific requirements and
> interest (and make it our problem).
> 
> Right now the position is that: let the underlying components grow ECC
> support and consume this functionality in FreeIPA when it matures.
> Filing an RFE would change these dynamics and would signal us that
> there is interest in the community in the actual end point solution,
> i.e. FreeIPA supporting ECC.
> 
> Thanks!
> 
> > 
> > RSA is slowly getting onto a slippery slope, because it really isn't
> > about what it's worth today. When you protect something with a
> > cryptographic algorithm you have to take into account how long
> > certain types of data will be stored, and factor that time frame in.
> > Increasing the key sizes will not be the solution, because several
> > embedded devices such as VPN products, smartcards and RFID devices
> > will start failing pretty fast after 1024-2048 bit keys.
> > 
> > ECC was designed to solve some of these issues; it's an important
> > development not mostly because of security today but because it will
> > scale up better (it was designed to be implementable better on
> > hardware), and the key sizes start from a nicer point of security vs
> > size. So it's the feature that would future proof the CA. At this
> > moment ECC support is available on some products in all the
> > areas such as smart cards, so the products not having that option
> > out of the box will start basically losing in the competition.
> > 
> > I'm not trying to make a technical point here (if I made some minor
> > error there, sorry) but a managerial one, from a product management
> > viewpoint. ECC must be on the feature set, or the CA features will
> > be discarded in the future by potential users. That means that
> > Freeipa as a whole might not be selected for some projects. Plus, it
> > doesn't really hurt having ECC in. :)
> > 
> > 
> > IPA uses NSS, NSS support of ECC algorithms is very fresh, we have
> > not looked at this area yet.
> > I suspect it would require changes in Dogtag first.
> > 
> > Would be best if you can file an RFE ticket, then we would be able
> > to follow up.
> > 
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
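As an added example that is not part of this thread and not Dogtag or FreeIPA code, the following Go program (standard library only) shows concretely what the ECC-versus-RSA size argument above amounts to on the CA side: it builds a tiny self-signed CA, issues one leaf certificate and verifies it back to the root, and does that once with P-256 keys and once with 3072-bit RSA keys, the pairing NIST SP 800-57 places at the same roughly 128-bit strength. The CA and host names are constructed placeholders; the certificate and verification logic is Go's crypto/x509.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Sizes is what we compare for a leaf certificate issued by a CA: the DER
// length of the certificate, the length of the CA's signature on it, and the
// signature algorithm Go selected for the CA's key type.
type Sizes struct {
	CertDER  int
	SigBytes int
	Algo     string
}

// issueChain builds a self-signed CA from caKey, issues one leaf certificate
// for leafKey, and verifies the leaf back to the CA. Both keys may be ECDSA or
// RSA, which is exactly the choice an ECC-capable CA has to offer.
func issueChain(caKey, leafKey crypto.Signer) (Sizes, error) {
	notBefore := time.Now().Add(-time.Hour)
	notAfter := notBefore.Add(24 * time.Hour)

	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Lab CA"}, // constructed name
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return Sizes{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return Sizes{}, err
	}

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "host.example.test"}, // constructed name
		DNSNames:     []string{"host.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafKey.Public(), caKey)
	if err != nil {
		return Sizes{}, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return Sizes{}, err
	}

	// Relying-party check: the leaf must chain to the CA whatever the key type.
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := leafCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "host.example.test"}); err != nil {
		return Sizes{}, err
	}
	return Sizes{CertDER: len(leafDER), SigBytes: len(leafCert.Signature), Algo: leafCert.SignatureAlgorithm.String()}, nil
}

// CompareChains issues one all-ECC chain (P-256) and one all-RSA chain
// (3072-bit, the comparable-strength pairing) and returns the leaf sizes.
func CompareChains() (Sizes, Sizes, error) {
	ecCA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	ecLeaf, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	ecSizes, err := issueChain(ecCA, ecLeaf)
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	rsaCA, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	rsaLeaf, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	rsaSizes, err := issueChain(rsaCA, rsaLeaf)
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	return ecSizes, rsaSizes, nil
}

func main() {
	ec, rs, err := CompareChains()
	if err != nil {
		panic(err)
	}
	fmt.Printf("P-256 leaf:    %4d bytes DER, %3d byte signature (%s)\n", ec.CertDER, ec.SigBytes, ec.Algo)
	fmt.Printf("RSA-3072 leaf: %4d bytes DER, %3d byte signature (%s)\n", rs.CertDER, rs.SigBytes, rs.Algo)
}
```

Running it with `go run` prints the two lines; the P-256 signature is at most 72 bytes of DER against exactly 384 for RSA-3072, and the whole EC leaf certificate is smaller than the RSA one, which is the "nicer point of security vs size" the thread refers to for constrained devices. The same chain-verification path succeeds for both, so the only CA-side difference is which key type the issuing code is allowed to sign with.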




