Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA validation of <2048 keys
Bill Woodcock <woody@pch.net> Mon, 25 April 2022 13:32 UTC
Return-Path: <woody@pch.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E42223A1968 for <dnsop@ietfa.amsl.com>; Mon, 25 Apr 2022 06:32:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.043
X-Spam-Level:
X-Spam-Status: No, score=-6.043 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=pch.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PC8wpzAmYsny for <dnsop@ietfa.amsl.com>; Mon, 25 Apr 2022 06:32:35 -0700 (PDT)
Received: from secmail.pch.net (secmail.pch.net [206.220.231.87]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B38493A1967 for <dnsop@ietf.org>; Mon, 25 Apr 2022 06:32:35 -0700 (PDT)
Received: from secmail.pch.net (localhost [127.0.0.1]) by secmail.pch.net (Postfix) with ESMTP id 4Kn5Xz0Y7Xz51hjZ for <dnsop@ietf.org>; Mon, 25 Apr 2022 06:32:35 -0700 (PDT)
Authentication-Results: secmail.pch.net (amavisd-new); dkim=pass reason="pass (just generated, assumed good)" header.d=pch.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=pch.net; h= x-mailer:message-id:in-reply-to:to:references:date:subject :mime-version:content-type:from; s=dkim; t=1650893554; x= 1653485555; bh=eLhqpE5fS7mbrNPb6Qrrxh+tElzx1Bv8WgwvBmtJ2T0=; b=E aUVtXbz/by/mbNfAHVxGFaGlHIreC5y+WFWCE9vD2acY0mpGniXk2KU1saMDVO5s 6mOPDgywd1YLruafjLcK0aWf4ZFugcpbVuYOlk6lBPbcBPYDuNBgDSiYCZQmm51m 7H2BjCaug/gT4sxJxn4nvy+BNz7R0D5YUpxx9ZsysZpU/WSAZHcFl4aPql5cgKog aeNlZBGBi4Ue3grML/HJnyewrHe/oVK8SlSB8r6SxI04/p6YWu7SfMjRPUp7dBZv 4ZmKwZKM1Exont4MHW2IRRAwbMXb8U+ChpV/APKAHFb03fdpiJgOvs/F4VZ052pW DeJm6POvT3USX3e2Yj8zw==
X-Virus-Scanned: amavisd-new at secmail.pch.net
Received: from secmail.pch.net ([127.0.0.1]) by secmail.pch.net (secmail.pch.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id BV8Fq8bGJflu for <dnsop@ietf.org>; Mon, 25 Apr 2022 06:32:34 -0700 (PDT)
Received: from smtpclient.apple (unknown [69.166.14.6]) by secmail.pch.net (Postfix) with ESMTPSA id 4Kn5Xx5pB0z51hjP for <dnsop@ietf.org>; Mon, 25 Apr 2022 06:32:33 -0700 (PDT)
From: Bill Woodcock <woody@pch.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_4FEF5DA6-0193-459D-BE33-2256D6142A38"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
Date: Mon, 25 Apr 2022 15:32:30 +0200
References: <356059e5-e973-3d6c-569c-9ff9d9fe16e6@redhat.com> <06915BF1-86CA-4554-B3F5-82CCFFBF78E5@pch.net> <20220425.133131.1578289127277189889.he@uninett.no>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <20220425.133131.1578289127277189889.he@uninett.no>
Message-Id: <2A640067-C342-4BCA-92A9-88914CE3A4C6@pch.net>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FJfxMZ5Qv15g3B94kWpZ65Tf3yo>
Subject: Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA validation of <2048 keys
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 13:32:41 -0000
> On Apr 25, 2022, at 1:31 PM, Havard Eidnes <he@uninett.no> wrote: > >>> On Apr 25, 2022, at 11:20 AM, Petr Menšík <pemensik@redhat.com> wrote: >>> I think the only good way would be starting considering shorter keys as insecure in FIPS mode. >> >> Agreed. We've been using 2408-bit ZSKs for more than ten years now. It's definitely time to sunset acceptance of shorter keys at this point. > > Well, as Bjørn Mork said, it's one thing to insist on generating own RSA keypairs with >= 2048 bits or convert to using ECDSA, it's quite another to insist that all the rest of the world do this conversion RIGHT NOW. I'm guessing that changing at least some of these will take a while, not perhaps first and foremost for technical reasons. I don’t disagree at all. But we’re never going to get there if we don’t start. And there will always be people who don’t get anything done if they’re not pushed. So I don’t know where that leaves us, other than “we need to start pushing." -Bill
- [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA validat… Petr Menšík
- Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA val… Bjørn Mork
- Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA val… Bill Woodcock
- Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA val… Havard Eidnes
- Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA val… Bill Woodcock
- Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA val… Paul Wouters
- Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA val… Petr Menšík
- Re: [DNSOP] FIPS 140-3 mode on RHEL 9 and RSA val… Petr Menšík