Red Hat is planning a significant change to how its Fedora Linux distribution handles crypto policy, to ship with the due-in-late-2014 Fedora 21 release.
In this wiki post, the Fedora Project outlines what it calls “system-wide crypto policy”. The idea is that Fedora would provide consistent security for all applications running under it, with the admin able to select pre-defined (but editable) security profiles.
“The idea is to have some predefined security levels such as LEVEL-80, LEVEL-112, LEVEL-128, LEVEL-256, or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256,” the team writes. Administrators would edit the security profiles in a single config file, and either run an update to propagate the policy throughout a system (or alternatively, have a daemon that propagates policy updates automatically).
Profiles would cover things like TLS/SSL and DTLS versioning, ciphersuite selection and ordering, certificate and key exchange parameters including minimum key length, acceptable elliptic curve (ECDH or ECDSA for example), signature hash functions, and TLS options like safe renegotiation.
The policy would require change to GnuTLS, OpenSSL and NSS libraries, the writers note.
Phoronix outlines other significant revisions under Fedora 21, which include changes to cron handling, access control for PC/SC cards, support for Ruby 2.1, and OpenCL support, and restricting the number of scenarios in which X.Org will run as root. ®