Comments (10)
konklone
commented on July 2, 2024
I can't find the material in the linked PDF in this repository. Where are you drawing it from?
from fpki-guides.
konklone
commented on July 2, 2024
Also, some of it looks quite dated:
Which cryptographic algorithms and key sizes should I use to sign my device
certificates?
...
Where agencies issue one-year device certificates, the FPKIPA recommends generation
of digital signatures using RSA (1024 or 2048 bits) and the SHA-1 hash algorithm
through December 31, 2009. The FPKIPA recommends generation of digital signatures
using RSA (2048 bits) and the SHA-256 hash algorithm on one-year device certificates
issued on or after January 1, 2010.
from fpki-guides.
lachellel
commented on July 2, 2024
it's not in the repo - @ajones13 wants to add it to the repo somewhere...specific to fpki
so we can remove the PDF documents entirely
It's definitely dated which is why we're trying to "clean house"! 👍
from fpki-guides.
konklone
commented on July 2, 2024
Ah okay, I misread the intent -- I thought @ajones13 was saying they'd made a PDF version of this repository. Apologies for the distraction.
from fpki-guides.
lachellel
commented on July 2, 2024
#19 duplicate
from fpki-guides.
weirdscience
commented on July 2, 2024
Should this issue be closed?
If USG is establishing a public NPE root, best practices would be for internally operated CAs. Is there a playbook that can be published?
from fpki-guides.
konklone
commented on July 2, 2024
If USG is establishing a public NPE root, best practices would be for internally operated CAs.
I wouldn't say that, since I don't expect the USG root to be mandated or used universally. And even for those who do use a new NPE root, how they choose to obtain those certificates (automated vs manual) is of some relevance.
I've tried to include some guidance here: https://https.cio.gov/certificates/ Though it touches on some topics beyond best practices for device certificates.
from fpki-guides.
lachellel
commented on July 2, 2024
There are two different use cases:
- Public Trust SSL
- Network (intranet) devices which include many more endpoints and non-http protocols and devices
So you're right eric - we should link to the https.cio.gov site for the web pki best practices as this also includes configuration best practices. For internal only locally trusted CAs, the only playbook we've put together is reusing one from DHS (that I send out / not posted) and a very short writeup for setting up a CA for domain controller certs (network auth).
from fpki-guides.
weirdscience
commented on July 2, 2024
Do we need an NPE guide?
PIV Guide Scope - Everything needed to setup and use PIV logically.
FPKI Guide Scope - Everything that happens above PIV and software certs(?)
New Device Guide Scope(?) - Everything devices(?). This might just be a pointer to the M-15-13 guidance, NIST 800-52, and maybe NCCOE TLS project.
from fpki-guides.
weirdscience
commented on July 2, 2024
I'll transfer comments to #19 and close this issue.
from fpki-guides.
Related Issues (20)
- System Notification for: Federal Bridge CA G4 (Intent to issue to Entrust Managed Services NFI Root CA) HOT 1
- System Notification for: WidePoint Federal Shared Service Provider (Intent to deploy a new CA) HOT 1
- System Notification for: Federal Bridge CA G4 (Intent to issue to SAFE) HOT 2
- System Notification for: Treasury (decommission US Treasury Public CA) HOT 3
- System Notification for: Federal Bridge CA G4 (Intent to issue to USPTO) HOT 2
- Editorial Updates from the FPKIMA HOT 2
- Federal Common CA playbook - one minor nit (FAQs) HOT 3
- Update: PIV CAs and Agencies (FTC) HOT 1
- System Notification for: Entrust SSP CA and Entrust NFI CA (issuing CAs) - URI change HOT 2
- System Notification for: Federal Bridge CA G4 (Intent to Revoke USPTO_INTR_CA1) HOT 1
- System Notification for: SAFE Identity Bridge CA HOT 1
- System Notification for: Federal Common Policy CA G2 (multiple certificates issued) HOT 1
- FBCA2016 P7C appears corrupted HOT 3
- System Notification for: TSCP SHA256 Bridge CA (intent to issue to Alexion Pharmaceuticals Issue 2 CA) HOT 1
- System Notification for: WidePoint Non-Federal Issuer (Intent to deploy a new CA) HOT 3
- macOS Outlook - (signing) certificate is not standards compliant HOT 5
- Agency Contribution to Federal Common Policy CA Migration Playbook (distributing root certificate on RHEL/CentOS/OEL)
- System Notification for: CertiPath Bridge (intent to issue) HOT 1
- System Notification for: DoD Root CA 3 (new certificate detected)
- System Notification for: Federal Common Policy CA (intent to revoke CA certificates) HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fpki-guides.