Differences between revisions 1 and 2
Revision 1 as of 2015-08-18 07:14:04
Size: 2022
Editor: ?BernhardRLink
Comment:
Revision 2 as of 2015-08-18 07:15:56
Size: 2017
Editor: ?BernhardRLink
Comment:
Deletions are marked like this. Additions are marked like this.
Line 40: Line 40:

##
CategorySystemSecurity
CategorySystemSecurity

Translation(s): none


This Page collects information about what Debian can do or what might be feasible to allow the administrator of a system more control over cryptographic parameters like used cyphers, protocols, ....

Inspiration

This is inspired by Fedora's CryptoPolicy: https://fedoraproject.org/wiki/Changes/CryptoPolicy

Fedora's CryptoPolicy is roughly about:

  • extend crypto libraries to allow software to refer to a system-wide policy (@SYSTEM in Gnutls (already upstream), PROFILE=SYSTEM in OpenSSL (patches available)).
  • change all program's defaults and hardcoded values to use those system-wide defaults
  • some framework including a update-crypto-policies program to control the system-wide policy
  • some set of profiles (LEGACY,DEFAULT,FUTURE) to set the system to (including historic profiles available as DEFAULT-F<oldnum>)

Possible actions for Debian

supporting using profiles in crypto libraries

Debian could look at the patches used by Fedora and include them, too. (Even if doing nothing, Fedora will hopefully manage to get them upsream so in the end we might get them anyway).

offering a update-crypo-policies framework

Either packaging was Fedora has (possibly adopting it to our needs) or writing something equivalent of ourself.

Research needed.

Crypto settings in applications

Once the framework is available, it is about changing programs to use them.

Possible early steps:

  • identify affacted software
  • possibly also extending software to no longer hardcode anything
    • (Having a policy affecting everything has the disadvantage of you not being able to chose a system wide policy stronger than the weakest needed settings of a software that cannot be configured to use something by the admin via configuration)

CategorySystemSecurity