On Tue, 11 Mar 2008, Dennis Gilmore wrote:

> On Tuesday 11 March 2008, Till Maas wrote:
> > On Tue March 11 2008, Dennis Gilmore wrote:
> > > On Tuesday 11 March 2008, Till Maas wrote:
> > > > Hiyas,
> > > >
> > > > now that everyone needs to change his password, can we now also deploy
> > > > the new certificate for koji? This will make it possible to verify
> > > > whether or not one can trust the certificate for koji and the ticket[1]
> > > > is now 7 months old, i.e. about a full Fedora release cycle. Therefore
> > > > I guess there won't be a better time than now.
> > > >
> > > > Regards,
> > > > Till
> > > >
> > > > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88
> > >
> > > No, because it will break user certs. To make it work would require
> > > that users all get entirely new server cert files. We need to redo our
> > > entire CA system. We also need to consider the ramifications for
> > > Secondary arches, deploying a new CA would require each and every
> > > Secondary arch to purchase a cert from the same CA. or somebody to
> > > purchase a cert that covered *.koji.fedoraproject.org from the same CA.
> > >
> > > we are looking at deploying the hub on a separate box from the frontend
> > > which would allow us to do what you are wanting but would not look after
> > > secondary arches.
> >
> > How about making the hub (I assume this is only used by automated processes
> > and not manually) listen on a different port than 443? Then the web
> > interface could use the new well-known certificate. The automated processes
> > the internal ones, where imho using a own ca does not hurt. Also using a
> > different port should be only a matter of configuring it once.
> > The secondary arch instances could then use a cacert[0] certificate, which
> > are free and are trusted by some browsers already for the web interface.
>
> if we use CACert we would have to ship it in the browsers we supply. currently
> no browser shipped with fedora does and if we did such we would use it for
> all services. and would require changes to all users koji configs. people
> who are not using fedora would be in the same situation as they are now.
> AFAIK only CentOS ships browsers with CACerts root cert.
>

Side note about this, I'm pretty sure if we do it we can't call "firefox"
"firefox" anymore.

-Mike