From f493bb8c50a2dab72113b25b4d8cfa306079274a Mon Sep 17 00:00:00 2001 From: Jake Yip Date: Thu, 7 Jan 2021 12:16:00 +1100 Subject: [PATCH] Obsolete check-identity-04 The [token]/hash_algorithm config option has been deprecated since mitaka[1]. To avoid renumbering, update check-identity-04 to '(Obsolete)'. This keeps numbering compatibilty for people using previous version of the checklist. [1]: https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka Change-Id: I587617f29141a244ca7983300ff4fcebed4255f5 --- security-guide/source/identity/checklist.rst | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/security-guide/source/identity/checklist.rst b/security-guide/source/identity/checklist.rst index 1b6c914b..b6c99c00 100644 --- a/security-guide/source/identity/checklist.rst +++ b/security-guide/source/identity/checklist.rst @@ -83,21 +83,9 @@ you should enable TLS on the HTTP/WSGI server. Recommended in: :doc:`../secure-communication`. -Check-Identity-04: Does Identity use strong hashing algorithms for PKI tokens? +Check-Identity-04: (Obsolete) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -MD5 is a weak and depreciated hashing algorithm. It can be cracked using -brute force attack. Identity tokens are sensitive and need to be -protected with a stronger hashing algorithm to prevent unauthorized -disclosure and subsequent access. - -**Pass:** If value of parameter ``hash_algorithm`` under ``[token]`` -section in ``/etc/keystone/keystone.conf`` is set to SHA256. - -**Fail:** If value of parameter ``hash_algorithm`` under -``[token]``\ section is set to MD5. - -Recommended in: :doc:`tokens`. Check-Identity-05: Is ``max_request_body_size`` set to default (114688)? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
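Review bot: the hunk leaves ``Check-Identity-04: (Obsolete)`` as a heading with no body, so a reader of the rendered checklist sees a bare obsolete entry and has to consult the git log to learn why; consider keeping one sentence under the underline, drawn from the commit message, e.g. ``This check is obsolete: the ``[token]/hash_algorithm`` option has been deprecated since Mitaka.``, so the retained number explains itself. The ``~~~`` underline was sized for the old 78-character title; reST accepts an underline longer than its title, so the build will not break, but the neighbouring ``Check-Identity-05`` heading keeps its underline exactly as long as the title, and trimming this one to match keeps the file consistent. Minor: the commit message has "compatibilty" for "compatibility".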