Source: puppet
Version: 2.6.2-4
Severity: important

puppet has the following defaults for the CA:

- Key length: 1024 bits
- Hash: MD5

MD5 has been broken in the meantime, and a 1024-bit key length is no longer considered safe. The German BSI[1] produces a yearly document[2] that defines which algorithms should be safe for usage over the next five years. This document rules out MD5, SHA-1 and RIPEMD-160 for hashing and key sizes < 1976 bits for RSA keys right now. Please update the default settings to something safe for the time of the default TTL (five years).

Bastian

[1]: Bundesamt für Sicherheit in der Informationstechnik[3]
[2]: http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFile/10008/2011AlgoKatpdf.pdf
[3]: https://www.bsi.bund.de/DE/Home/home_node.html

-- 
Our missions are peaceful -- not for conquest. When we do battle, it is only because we have no choice.
        -- Kirk, "The Squire of Gothos", stardate 2124.5
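An added check, not part of the bug report or of puppet itself: it audits the text dump of a CA certificate (`openssl x509 -noout -text`) against the two thresholds the report cites, no MD5/SHA-1/RIPEMD-160 signature digest and RSA keys of at least 1976 bits. The sample certificate text is constructed to resemble a CA created with the 2.6 defaults described above; the hostname is a placeholder.

```python
import re
import sys

# Thresholds as summarised in the bug report from the BSI algorithm catalogue.
MIN_RSA_BITS = 1976
WEAK_DIGESTS = ("md5", "sha1", "ripemd160")

# Constructed sample shaped like `openssl x509 -noout -text` output for a CA
# signed with the puppet 2.6 defaults (1024-bit RSA key, MD5 signature).
SAMPLE_WEAK_CA = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Puppet CA: puppet.example.invalid
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

# Constructed sample of a CA that meets both thresholds.
SAMPLE_OK_CA = SAMPLE_WEAK_CA.replace("md5WithRSAEncryption", "sha256WithRSAEncryption") \
                             .replace("(1024 bit)", "(4096 bit)")


def parse_cert_text(text):
    """Pull the signature algorithm and RSA key size out of the text dump."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    return {"sig_alg": sig.group(1) if sig else None,
            "key_bits": int(bits.group(1)) if bits else None}


def digest_of(sig_alg):
    """Map e.g. 'md5WithRSAEncryption' to its digest name ('md5')."""
    m = re.match(r"([a-z0-9]+?)with", sig_alg, re.IGNORECASE)
    return m.group(1).lower() if m else sig_alg.lower()


def audit(text):
    """Return a list of findings; an empty list means both thresholds are met."""
    info = parse_cert_text(text)
    if info["sig_alg"] is None or info["key_bits"] is None:
        return ["could not parse signature algorithm or key size"]
    findings = []
    if digest_of(info["sig_alg"]) in WEAK_DIGESTS:
        findings.append(f"weak signature digest: {info['sig_alg']}")
    if info["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {info['key_bits']} bits < {MIN_RSA_BITS}")
    return findings


if __name__ == "__main__":
    # Audit a piped certificate dump, or the constructed sample when run bare.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WEAK_CA
    print("\n".join(audit(text) or ["OK"]))
```

Run it against a real CA with `openssl x509 -in ca_crt.pem -noout -text | python audit_ca.py`; the two findings it prints for the sample are exactly the two defaults the report asks to change.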