Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3951
FreeIPA should support ECC algorithms for the CA features in addition to RSA. This should preferably be offered out of the box as an option.
A brief overview of the practical impact of choosing between RSA and ECC can be read in, for example, RFC 4492:
[snip]
Elliptic Curve Cryptography (ECC) is emerging as an attractive public-key cryptosystem, in particular for mobile (i.e., wireless) environments. Compared to currently prevalent cryptosystems such as RSA, ECC offers equivalent security with smaller key sizes. This is illustrated in the following table, based on [18], which gives approximate comparable key sizes for symmetric- and asymmetric-key cryptosystems based on the best-known algorithms for attacking them.

    Symmetric |   ECC   | DH/DSA/RSA
   -----------+---------+------------
        80    |   163   |    1024
       112    |   233   |    2048
       128    |   283   |    3072
       192    |   409   |    7680
       256    |   571   |   15360

    Table 1: Comparable Key Sizes (in bits)

Smaller key sizes result in savings for power, memory, bandwidth, and computational cost that make ECC especially attractive for constrained environments.
[snip]
Not only is ECC more efficient today, it will probably also withstand future developments in cryptanalysis better. Many crypto systems, such as SSL/TLS certificates, are used to protect important data for long periods of time, at least until the data has lost its value. For some information this can mean decades.
To counter-balance the projected advancements, one of the main mitigation tools used is increasing the key sizes. Alas, this cannot be taken very far with RSA. Several embedded platforms, such as smart cards, will rapidly start failing to function as the key sizes increase. For example, RSA smart cards will typically start failing at between 3 and 5 kilobits. ECC algorithms will fare better on limited hardware.
FreeIPA should, to ensure the longevity of the product, implement ECC as soon as possible. It is one of the major features that will, in the near future, start impacting product selection for CA applications.
For the upcoming months or more, the FreeIPA/IdM team is focusing on the stability and testability of FreeIPA/IdM and is thus postponing any RFEs or non-critical bugs.