[Freeipa-users] Elliptic curves with the CA

Petr Spacek pspacek at redhat.com
Mon Sep 23 07:07:54 UTC 2013


Hello,

by the way, this article contains very interesting thoughts about world-wide 
ECC deployment in context of DNSSEC:
https://www.myicann.org/news/articles/31935/related/29167

Most of the article is focused on DNSSEC, but I would recommend that you read 
the second part, beginning with the sentence 'It has been suggested that algorithm 
rollover towards elliptic curve cryptography (ECC)'.

Petr^2 Spacek

On 20.9.2013 18:09, Ade Lee wrote:
> As a partial answer to this, work has been ongoing to fully support ECC
> in Dogtag.  Attached is a most likely out-of-date wiki page detailing
> ECC support in Dogtag.
>
> https://pki.fedoraproject.org/wiki/ECC_in_Dogtag
>
> If I recall correctly, we are somewhere around phase 3.
>
> Ade
>
> On Fri, 2013-09-20 at 11:48 -0400, Dmitri Pal wrote:
>> On 09/18/2013 01:53 PM, mees virk wrote:
>>> I do not have a valid support contract, or other contracts with
>>> RedHat. Doesn't that stop me from opening a proper RFE ticket?
>>>
>>> In any case, my interest was this time solely for evaluation
>>> purposes. If I were actively choosing an integrated identity
>>> management product, I might not choose FreeIPA because it calls the
>>> longevity of the product and the development stance (lack of a
>>> roadmap?) into question.
>>>
>>
>> I wonder where the lack of roadmap came from?
>> http://www.freeipa.org/page/Roadmap
>> So the trac system we use gives a good view of the dynamics of the
>> project
>> https://fedorahosted.org/freeipa/roadmap
>>
>> However, IMO the disconnect in expectations is that support for ECC is
>> not exactly FreeIPA's problem (yet).
>> It needs to be implemented by the lower levels of the stack first:
>> NSS, Dogtag etc.
>> We have plans to support certs for users, and we understand
>> that RSA is becoming outdated.
>> Your RFE would allow us to track your specific requirements and
>> interest (and make it our problem).
>>
>> Right now the position is: let the underlying components grow ECC
>> support and consume this functionality in FreeIPA when it matures.
>> Filing an RFE would change these dynamics and would signal to us that
>> there is interest in the community in the actual end-point solution,
>> i.e. FreeIPA supporting ECC.
>>
>> Thanks!
>>
>>>
>>> RSA is slowly getting onto a slippery slope, because it really isn't
>>> about what it's worth today. When you protect something with a
>>> cryptographic algorithm you have to take into account how long
>>> certain types of data will be stored, and factor that time frame in.
>>> Increasing the key sizes will not be the solution, because several
>>> embedded devices such as VPN products, smartcards and RFID devices
>>> will start failing pretty fast after 1024-2048 bit keys.
>>>
>>> ECC was designed to solve some of these issues; it's an important
>>> development not mostly because of security today but because it will
>>> scale up better (it was designed to be more implementable in
>>> hardware), and the key sizes start from a nicer point of security vs
>>> size. So it's the feature that would future-proof the CA. At this
>>> moment ECC support is available on some products in all the
>>> areas, such as smart cards, so the products not having that option
>>> out of the box will basically start losing in the competition.
>>>
>>> I'm not trying to make a technical point here (if I made some minor
>>> error there, sorry) but a managerial one, from a product management
>>> viewpoint. ECC must be in the feature set, or the CA features will
>>> be discarded in the future by potential users. That means that
>>> FreeIPA as a whole might not be selected for some projects. Plus, it
>>> doesn't really hurt having ECC in. :)
>>>
>>>
>>> ____________________________________________________________________
>>>
>>>
>>>
>>> IPA uses NSS; NSS support for ECC algorithms is very fresh, and we have
>>> not looked at this area yet.
>>> I suspect it would require changes in Dogtag first.
>>>
>>> It would be best if you could file an RFE ticket, then we would be able
>>> to follow up.
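
As an added example (not from this thread, and not FreeIPA's, Dogtag's or NSS's own code), the script below uses the openssl CLI to put numbers on the key-size argument made above: it generates an RSA-3072 key and a P-256 key, which NIST SP 800-57 Part 1 rates at the same ~128-bit security level, compares the DER public key and signature sizes, and self-signs a throwaway CA certificate from each key to show which signatureAlgorithm relying parties would have to support. It assumes openssl 1.0.2 or later is on PATH; the signed payload, the CA names and the temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the FreeIPA thread or from Dogtag/NSS: compare an
# RSA key and an EC key at roughly equal security (RSA-3072 and P-256 are
# both rated ~128-bit in NIST SP 800-57 Part 1), then show that a CA
# certificate issued from the EC key carries an ECDSA signature algorithm.
# Assumes the openssl CLI (1.0.2 or later) is on PATH; every input below is
# constructed here, nothing is read from a real deployment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'constructed payload standing in for data a CA signs\n' > "$WORK/msg.txt"

# gen_key ALGO KEYOPT OUT: generate an unencrypted PEM private key in $WORK.
#   RSA: gen_key RSA rsa_keygen_bits:3072 rsa3072.pem
#   EC:  gen_key EC  ec_paramgen_curve:prime256v1 p256.pem  (prime256v1 == P-256)
gen_key() {
    openssl genpkey -algorithm "$1" -pkeyopt "$2" -out "$WORK/$3" 2>/dev/null
}

# pub_der_bytes KEY: size of the DER SubjectPublicKeyInfo, i.e. the bytes
# that every certificate carrying this public key has to embed.
pub_der_bytes() {
    openssl pkey -in "$WORK/$1" -pubout -outform DER | wc -c | tr -d ' \t'
}

# sig_bytes KEY: size of one SHA-256 signature over the constructed payload
# (PKCS#1 v1.5 for RSA, so exactly the modulus length; DER-encoded r,s for ECDSA).
sig_bytes() {
    openssl dgst -sha256 -sign "$WORK/$1" "$WORK/msg.txt" | wc -c | tr -d ' \t'
}

# ca_sig_alg KEY CN: self-sign a one-day CA certificate with KEY and print the
# signatureAlgorithm name that relying parties would need to understand.
ca_sig_alg() {
    openssl req -x509 -new -sha256 -days 1 -key "$WORK/$1" \
        -subj "/CN=$2" -out "$WORK/$1.crt" 2>/dev/null
    openssl x509 -in "$WORK/$1.crt" -noout -text |
        awk '/Signature Algorithm/ { print $3; exit }'
}

gen_key RSA rsa_keygen_bits:3072 rsa3072.pem
gen_key EC ec_paramgen_curve:prime256v1 p256.pem

printf '%-9s %11s %10s  %s\n' key pubkey_DER sig_bytes ca_sig_alg
printf '%-9s %11s %10s  %s\n' RSA-3072 "$(pub_der_bytes rsa3072.pem)" \
    "$(sig_bytes rsa3072.pem)" "$(ca_sig_alg rsa3072.pem 'Constructed RSA CA')"
printf '%-9s %11s %10s  %s\n' P-256 "$(pub_der_bytes p256.pem)" \
    "$(sig_bytes p256.pem)" "$(ca_sig_alg p256.pem 'Constructed ECC CA')"
```

The RSA-3072 signature is always 384 bytes (the modulus length), while the P-256 ECDSA signature is a DER SEQUENCE of two integers and comes out at 70 to 72 bytes; the P-256 SubjectPublicKeyInfo is 91 bytes against several hundred for RSA-3072. Those are the sizes that matter for constrained devices, CRLs and OCSP responses, which is the part of the argument in the thread that can be measured. The certificate step is the other half of the point raised in the thread: whether a CA can sign with ecdsa-with-SHA256 depends on the CA stack (here openssl standing in for Dogtag/NSS), not on the key alone.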



