Re: another issue to fix with the FAS2 switch: Kojis ssl certificate

On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:

> > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88
>
> No, because it will break user certs. To make it work would require that
> users all get entirely new server cert files. We need to redo our entire

Making the user adjust his koji config for this is afaics unavoidable, except
when nothing is changed. To make future transitions easier, the CA could be
bundled into the fedora-packager package, so that the CA is updated
automatically when needed.

> CA system. We also need to consider the ramifications for Secondary
> arches: deploying a new CA would require each and every Secondary arch to
> purchase a cert from the same CA, or somebody to purchase a cert that
> covered *.koji.fedoraproject.org from the same CA.

I do not see a reason for this; what needs this? According to the
pyOpenSSL manual[1] the koji client can load several CA files to authenticate
the server certificate, because the PEM file that is loaded with
load_client_ca can contain several certificates, e.g. the current one and the
Equifax one.

Regards,
Till

[1] http://pyopenssl.sourceforge.net/pyOpenSSL.ps
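
The point made in the message above, that one PEM file can hold several CA certificates so a client accepts server certificates from both the current and a new CA during a transition, can be checked with the openssl command line. This is an added example, not part of the original message and not Koji's or pyOpenSSL's own code; the two throwaway CAs, the host name koji.example.invalid and all file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for the current CA and a new one.
# Host name, subjects and file names are made up; requires the openssl CLI.

check() {  # check <ca-file> <cert>: prints ok or fail
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        printf ok
    else
        printf fail
    fi
}

ca_bundle_demo() {
    d=$(mktemp -d) || return 1
    # Minimal config so the result does not depend on the system openssl.cnf
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    for ca in old new; do
        # Self-signed CA certificate
        openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=constructed $ca CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
        # Server key and CSR, then a server certificate issued by this CA
        openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=koji.example.invalid" \
            -keyout "$d/$ca-srv.key" -out "$d/$ca-srv.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$ca-srv.csr" -CA "$d/$ca-ca.pem" \
            -CAkey "$d/$ca-ca.key" -CAcreateserial -days 2 \
            -out "$d/$ca-srv.pem" 2>/dev/null || return 1
    done
    # A CA bundle is simply the PEM certificates concatenated into one file
    cat "$d/old-ca.pem" "$d/new-ca.pem" > "$d/bundle.pem"
    echo "old-ca-only: old-srv=$(check "$d/old-ca.pem" "$d/old-srv.pem")" \
         "new-srv=$(check "$d/old-ca.pem" "$d/new-srv.pem");" \
         "bundle: old-srv=$(check "$d/bundle.pem" "$d/old-srv.pem")" \
         "new-srv=$(check "$d/bundle.pem" "$d/new-srv.pem")"
    rm -rf "$d"
}

ca_bundle_demo
```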


_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
