predefined policies: add BSI (PED-4933)

taroth21 · taroth21 · commit 6d105c142db9 · 2024-03-08T18:04:55.000+01:00
diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml
@@ -56,6 +56,26 @@
     </para>
 
     <variablelist>
+      <varlistentry>
+        <term>BSI</term>
+        <listitem>
+          <para>
+            A security policy based on recommendations by the German government
+            agency BSI (Bundesamt fuer Sicherheit in der Informationstechnik,
+            translated as <literal>agency for security in software
+            technology</literal>). The policy is based on the technical
+            recommendation ruleset <literal>TR 02102</literal>. The BSI TR
+            02102 standard is updated in regular intervals. This policy does
+            not allow the use of SHA-1 in signature algorithms (except DNSSEC
+            and RPM). The policy also provides some (not complete) preparation
+            for post-quantum encryption support in form of 256-bit symmetric
+            encryption requirement. The RSA parameters are accepted if larger
+            than 2047 bits, and Diffie-Hellman parameters are accepted if
+            larger than 3071 bits. This policy provides at least 128-bit
+            security, excepting the transition of RSA.
+          </para>
+        </listitem>
+      </varlistentry>
       <varlistentry>
         <term>DEFAULT</term>
         <listitem>
