Erik,
Tossing this back on the list, I hope you don't mind.
My apologies, I was unclear. What I mean is that the user will *want* a longer lifetime, even though the longest *possible* lifetime will be too long for security reasons.
In other words, my suggestion would be to use the longest lifetime consistent with best practices, like those that you include below.
Tom
On 06/18/2018 8:00 AM, ummeegge wrote:
Hi Tom, in my opinion this is the wrong suggestion since we circumvent in fact the new security feature from OpenSSL. The longest lifetime would be then '999998' days which is adequate to ~2740 years whereby we and our systems possibly wont go through :D .
Additionally OpenVPNs hardening wiki --> https://community.openvpn.net/openvpn/wiki/Hardening#X.509keysize points a so called "future system near term use" (data are from Enisa) out whereby 3072 bit RSA key lenghts and more are recommended to stay safe in Enisa definitions for at least 10 years (research was from 2013) but IPFire uses currently 2048 bit RSA for the host certificate.
May not representative but Microsoft said in 2009 something like this:
Key length of 1024: Validity period = not greater than 6-12 monthsKey length of 2048: Validity period = not greater than 2 yearsKey length of 4096: Validity period = not greater than 16 years
<-- is from https://cloudblogs.microsoft.com/enterprisemobility/2009/06/12/recommendatio...
May there are more actual papers for that...
Best,
Erik
Am Montag, den 18.06.2018, 06:27 -0400 schrieb Tom Rymes:
I’d suggest that most users likely want the longest lifetime for their certs that they can get, so as to avoid the need to frequently replace expired certificates.
This is especially true because there is no way to recreate certs in the WUI when they expire, so you have to delete the entry and recreate it when that happens.
https://bugzilla.ipfire.org/show_bug.cgi?id=11742
My $0.02,
Tom
On Jun 18, 2018, at 3:56 AM, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, yes but the needs in there can differs a lot so the question arises what is a good default ? Another idea might be to add another (or a range of possible days) text for that field ? May the error message if an entry triggers one can also be extended.
Greetings,
Erik
Am Sonntag, den 17.06.2018, 19:14 +0100 schrieb Michael Tremer:
Hello,
can we also set a good default value for this?
This can be a little bit confusing for new users and it would be good
to have
some guidance. It can be a separate patch.
Best,
-Michael
On Fri, 2018-06-15 at 14:59 +0200, ummeegge wrote:
Have seen it too late to announce it in the commit message but this
patch solves also Bug #11715
Best,
Erik
How relevant is this one here?
https://bugzilla.ipfire.org/show_bug.cgi?id=10482
-Michael
On Mon, 2018-06-18 at 08:21 -0400, Tom Rymes wrote:
Erik,
Tossing this back on the list, I hope you don't mind.
My apologies, I was unclear. What I mean is that the user will *want* a longer lifetime, even though the longest *possible* lifetime will be too long for security reasons.
In other words, my suggestion would be to use the longest lifetime consistent with best practices, like those that you include below.
Tom
On 06/18/2018 8:00 AM, ummeegge wrote:
Hi Tom, in my opinion this is the wrong suggestion since we circumvent in fact the new security feature from OpenSSL. The longest lifetime would be then '999998' days which is adequate to ~2740 years whereby we and our systems possibly wont go through :D .
Additionally OpenVPNs hardening wiki --> https://community.openvpn.net/openv pn/wiki/Hardening#X.509keysize points a so called "future system near term use" (data are from Enisa) out whereby 3072 bit RSA key lenghts and more are recommended to stay safe in Enisa definitions for at least 10 years (research was from 2013) but IPFire uses currently 2048 bit RSA for the host certificate.
May not representative but Microsoft said in 2009 something like this:
Key length of 1024: Validity period = not greater than 6-12 monthsKey length of 2048: Validity period = not greater than 2 yearsKey length of 4096: Validity period = not greater than 16 years
<-- is from https://cloudblogs.microsoft.com/enterprisemobility/2009/06/12/r ecommendations-for-pki-key-lengths-and-validity-periods-with-configuration- manager/
May there are more actual papers for that...
Best,
Erik
Am Montag, den 18.06.2018, 06:27 -0400 schrieb Tom Rymes:
I’d suggest that most users likely want the longest lifetime for their certs that they can get, so as to avoid the need to frequently replace expired certificates.
This is especially true because there is no way to recreate certs in the WUI when they expire, so you have to delete the entry and recreate it when that happens.
https://bugzilla.ipfire.org/show_bug.cgi?id=11742
My $0.02,
Tom
On Jun 18, 2018, at 3:56 AM, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, yes but the needs in there can differs a lot so the question arises what is a good default ? Another idea might be to add another (or a range of possible days) text for that field ? May the error message if an entry triggers one can also be extended.
Greetings,
Erik
Am Sonntag, den 17.06.2018, 19:14 +0100 schrieb Michael Tremer:
Hello,
can we also set a good default value for this?
This can be a little bit confusing for new users and it would be good
to have
some guidance. It can be a separate patch.
Best,
-Michael
On Fri, 2018-06-15 at 14:59 +0200, ummeegge wrote:
Have seen it too late to announce it in the commit message but this patch solves also Bug #11715
Best,
Erik
I think that a reasonable default would be 2 years.
That is already the maximum I would feel comfortable with, but certificates *must* expire. They should not run for forever.
But I agree with Tom that there should be an easy way to extend the certificate and that we should have some UI elements that warn when a certificate is going to expire in the next ~30 days or so.
@Erik: Would you be up for implementing this?
Best, -Michael
On Mon, 2018-06-18 at 14:09 +0100, Michael Tremer wrote:
How relevant is this one here?
https://bugzilla.ipfire.org/show_bug.cgi?id=10482
-Michael
On Mon, 2018-06-18 at 08:21 -0400, Tom Rymes wrote:
Erik,
Tossing this back on the list, I hope you don't mind.
My apologies, I was unclear. What I mean is that the user will *want* a longer lifetime, even though the longest *possible* lifetime will be too long for security reasons.
In other words, my suggestion would be to use the longest lifetime consistent with best practices, like those that you include below.
Tom
On 06/18/2018 8:00 AM, ummeegge wrote:
Hi Tom, in my opinion this is the wrong suggestion since we circumvent in fact the new security feature from OpenSSL. The longest lifetime would be then '999998' days which is adequate to ~2740 years whereby we and our systems possibly wont go through :D .
Additionally OpenVPNs hardening wiki --> https://community.openvpn.net/ope nv pn/wiki/Hardening#X.509keysize points a so called "future system near term use" (data are from Enisa) out whereby 3072 bit RSA key lenghts and more are recommended to stay safe in Enisa definitions for at least 10 years (research was from 2013) but IPFire uses currently 2048 bit RSA for the host certificate.
May not representative but Microsoft said in 2009 something like this:
Key length of 1024: Validity period = not greater than 6-12 monthsKey length of 2048: Validity period = not greater than 2 yearsKey length of 4096: Validity period = not greater than 16 years
<-- is from https://cloudblogs.microsoft.com/enterprisemobility/2009/06/12 /r ecommendations-for-pki-key-lengths-and-validity-periods-with- configuration- manager/
May there are more actual papers for that...
Best,
Erik
Am Montag, den 18.06.2018, 06:27 -0400 schrieb Tom Rymes:
I’d suggest that most users likely want the longest lifetime for their certs that they can get, so as to avoid the need to frequently replace expired certificates.
This is especially true because there is no way to recreate certs in the WUI when they expire, so you have to delete the entry and recreate it when that happens.
https://bugzilla.ipfire.org/show_bug.cgi?id=11742
My $0.02,
Tom
On Jun 18, 2018, at 3:56 AM, ummeegge ummeegge@ipfire.org wrote:
Hi Michael, yes but the needs in there can differs a lot so the question arises what is a good default ? Another idea might be to add another (or a range of possible days) text for that field ? May the error message if an entry triggers one can also be extended.
Greetings,
Erik
Am Sonntag, den 17.06.2018, 19:14 +0100 schrieb Michael Tremer:
Hello,
can we also set a good default value for this?
This can be a little bit confusing for new users and it would be good
to have
some guidance. It can be a separate patch.
Best,
-Michael
On Fri, 2018-06-15 at 14:59 +0200, ummeegge wrote:
Have seen it too late to announce it in the commit message but this patch solves also Bug #11715
Best,
Erik
Hi Michael, yes i think 730 days are a good default. Patch is already made. Can you merge the already delivered one so i can pull the actual state and make then an own patch for this ?
Best,
Erik
Am Montag, den 18.06.2018, 14:51 +0100 schrieb Michael Tremer:
I think that a reasonable default would be 2 years.
That is already the maximum I would feel comfortable with, but certificates *must* expire. They should not run for forever.
But I agree with Tom that there should be an easy way to extend the certificate and that we should have some UI elements that warn when a certificate is going to expire in the next ~30 days or so.
@Erik: Would you be up for implementing this?
Best, -Michael
Yes, can do. Please see "next".
In the future, you can create an own OpenVPN branch where all those proposed patches are collected to be able to work a little bit independent from me and also to collect patches and submit them in one go.
Best, -Michael
On Mon, 2018-06-18 at 16:05 +0200, ummeegge wrote:
Hi Michael, yes i think 730 days are a good default. Patch is already made. Can you merge the already delivered one so i can pull the actual state and make then an own patch for this ?
Best,
Erik
Am Montag, den 18.06.2018, 14:51 +0100 schrieb Michael Tremer:
I think that a reasonable default would be 2 years.
That is already the maximum I would feel comfortable with, but certificates *must* expire. They should not run for forever.
But I agree with Tom that there should be an easy way to extend the certificate and that we should have some UI elements that warn when a certificate is going to expire in the next ~30 days or so.
@Erik: Would you be up for implementing this?
Best, -Michael
OK, will do that. Thanks.
Best,
Erik
Am Montag, den 18.06.2018, 15:08 +0100 schrieb Michael Tremer:
Yes, can do. Please see "next".
In the future, you can create an own OpenVPN branch where all those proposed patches are collected to be able to work a little bit independent from me and also to collect patches and submit them in one go.
Best, -Michael
-
Michael Tremer -
Tom Rymes -
ummeegge