From 9484ecc2d6573b3781993ef4a81b3000ed20978e Mon Sep 17 00:00:00 2001 From: Tanja Roth Date: Fri, 8 Mar 2024 17:33:07 +0100 Subject: [PATCH] predefined policies: add BSI (PED-4933) --- xml/security_cryptopolicy.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/xml/security_cryptopolicy.xml b/xml/security_cryptopolicy.xml index 136413b460..7fdcb19112 100644 --- a/xml/security_cryptopolicy.xml +++ b/xml/security_cryptopolicy.xml @@ -56,6 +56,26 @@ + + BSI + + + A security policy based on recommendations by the German government + agency BSI (Bundesamt fuer Sicherheit in der Informationstechnik, + translated as agency for security in software + technology). The policy is based on the technical + recommendation ruleset TR 02102. The BSI TR + 02102 standard is updated in regular intervals. This policy does + not allow the use of SHA-1 in signature algorithms (except DNSSEC + and RPM). The policy also provides some (not complete) preparation + for post-quantum encryption support in form of 256-bit symmetric + encryption requirement. The RSA parameters are accepted if larger + than 2047 bits, and Diffie-Hellman parameters are accepted if + larger than 3071 bits. This policy provides at least 128-bit + security, excepting the transition of RSA. + + + DEFAULT
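Review bot: the English rendering of the agency name in the new BSI entry is wrong: "Bundesamt fuer Sicherheit in der Informationstechnik" is the Federal Office for Security in Information Technology, usually given in English as the Federal Office for Information Security, not an "agency for security in software technology"; suggest replacing the parenthetical with "(Bundesamt für Sicherheit in der Informationstechnik, the German Federal Office for Information Security)" and using the umlaut rather than "fuer", since the file is UTF-8 XML. The closing sentence "This policy provides at least 128-bit security, excepting the transition of RSA." is also unclear for a reader who does not know that 2048-bit RSA falls short of 128-bit security; since the same paragraph states that RSA parameters are accepted "if larger than 2047 bits", spell that out, for example "at least 128-bit security, except that RSA keys of 2048 bits and above are still accepted as a transition measure." Finally, "in form of 256-bit symmetric encryption requirement" needs articles: "in the form of a 256-bit symmetric encryption requirement".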