m (Change announced) |
m (Submitted to FESCo https://pagure.io/fesco/issue/2158) |
Revision as of 17:30, 26 June 2019
Custom Crypto Policies
Summary
This new feature of crypto-policies allows system administrators and third-party providers to modify and adjust the existing system-wide crypto policies to enable or disable algorithms and protocols.
Owner
- Name: Tomáš Mráz
- Email: tmraz@redhat.com
Current status
- Targeted release: Fedora 31
- Last updated: 2019-06-26
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The crypto-policies package will be enhanced to allow system administrators to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols. For example, it will be possible to easily modify the existing DEFAULT policy to disable SHA1 support or to enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies. A system administrator will be able to achieve this by adding a simple configuration file and then calling the update-crypto-policies command.
Benefit to Fedora
This will enable advanced users of Fedora to adjust the crypto-policies of the system to their particular needs and requirements.
It will also enable using Fedora where national crypto algorithms are required, without the need to manually tinker with the configurations of various software components to enable those algorithms.
Scope
- Proposal owners:
The design of the feature and a prototype are already finished upstream. We still need to convert the existing back-end policy generators to the new framework and convert the existing policy definitions to the new format. Then the crypto-policies package will be rebased to the version that includes the custom crypto policies support.
- Other developers: N/A (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
No impact. If a custom policy is not set, the crypto policies will continue to work as expected and as they worked before.
How To Test
This will be tested as part of the upstream crypto-policies testsuite.
User Experience
Unless the user chooses to create and/or apply a custom crypto policy on the system, there will be no noticeable change in user experience.
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? No
Documentation
N/A (not a System Wide Change)
Release Notes
The crypto-policies package was enhanced to allow system administrators to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols. For example, it is now possible to easily modify the existing DEFAULT policy to disable SHA1 support or to enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies. This can be achieved by adding a simple configuration file and calling the update-crypto-policies command.