Question about gokey password generation?


espy
 

While testing recent changes to the snap packaging over the past week I've been doing quite a bit of log inspection.

One thing that recently caught my eye was the following WARNING logged by security-secretstore-setup:

level=WARN ts=2020-04-14T00:21:45.156090587Z app=edgex-security-secretstore-setup source=init.go:256 msg="WARNING: The gokey generator is a reference implementation for credential generation and the underlying libraries not been reviewed for cryptographic security. The user is encouraged to perform their own security investigation before deployment."

Have we actually performed a review of the underlying libraries and approved their usage? If so, perhaps we should suppress this log message so as not to raise concern by end-users?

Regards,
/tony
