From Fedora Project Wiki
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1727959 #1727959]
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/356 #356]


[[Category:ChangeAcceptedF31]]

Latest revision as of 16:20, 8 July 2019

Custom Crypto Policies

Summary

This new feature of crypto-policies allows system administrators and third-party providers to modify and adjust the existing system-wide crypto policies to enable or disable algorithms and protocols.

Owner

Current status

Detailed Description

The crypto-policies package will be enhanced to allow system administrators to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols. For example, it will be possible to easily modify the existing DEFAULT policy to disable SHA1 support or to enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies. A system administrator will be able to achieve this by adding a simple configuration file and then calling the update-crypto-policies command.
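The SHA1 case described above, as an added example that is not part of the original page or the crypto-policies project's own code. The module name `LOCAL-NOSHA1` and the helper function names are hypothetical; the module directory, the directive syntax and the `--set`/`--show` options follow current crypto-policies releases, which is an assumption because this page does not specify them.

```shell
#!/bin/sh
# Added example: a policy module that removes SHA-1 from the DEFAULT policy.
# Module and helper names are hypothetical; the directive syntax follows
# current crypto-policies releases (an assumption, not taken from the page).

MODULE_DIR=${MODULE_DIR:-/etc/crypto-policies/policies/modules}
MODULE_NAME=LOCAL-NOSHA1

# Write the module file into the given directory and print its path.
write_module() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/$MODULE_NAME.pmod" <<'EOF'
# Drop SHA-1 as a hash and in signatures, and reject SHA-1-signed certificates
hash = -SHA1
sign = -*-SHA1
sha1_in_certs = 0
EOF
    printf '%s\n' "$dir/$MODULE_NAME.pmod"
}

# Succeeds if a policy string such as "DEFAULT:LOCAL-NOSHA1" names our module.
policy_has_module() {
    case ":$1:" in
        *":$MODULE_NAME:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Install the module, switch to DEFAULT plus the module, and confirm that the
# active policy reported by the tool includes it. Needs root.
apply_module() {
    write_module "$MODULE_DIR" >/dev/null || return 1
    update-crypto-policies --set "DEFAULT:$MODULE_NAME" || return 1
    policy_has_module "$(update-crypto-policies --show)"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_module && echo "active policy: $(update-crypto-policies --show)"
fi
```

Run with `--apply` as root to install and activate the module; already running services keep their previous settings until they are restarted.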

Benefit to Fedora

This will enable advanced users of Fedora to adjust the crypto-policies of the system to their particular needs and requirements.

It will also enable using Fedora where national crypto algorithms are required, without the need to manually tinker with the configurations of various software components to enable them.

Scope

  • Proposal owners:

The design of the feature and prototype is already finished upstream. We still need to convert the existing back-end policy generators to the new framework and convert the existing policy definitions to the new format. Then the crypto-policies package will be rebased to the version with the custom crypto policies support included.

  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

No impact. The crypto policies will continue to work as before if a custom policy is not set.

How To Test

This will be tested as part of the upstream crypto-policies testsuite.

User Experience

Unless the user chooses to create and/or apply a custom crypto policy on the system, there will be no noticeable change in user experience.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product? No

Documentation

N/A (not a System Wide Change)

Release Notes

The crypto-policies package was enhanced to allow system administrators to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols. For example, it is now possible to easily modify the existing DEFAULT policy to disable SHA1 support or to enable support for a national crypto algorithm that is supported by the crypto libraries but is disabled in the policies. This can be achieved by adding a simple configuration file and calling the update-crypto-policies command.