Cert penning, Certs and related

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Greetings. 

We have a request ( 
https://pagure.io/fedora-infrastructure/issue/5372 ) to setup ssl cert
pinning for ostree deliverables. It's also been a long wishlist item
to have that for rpm deliverables too. Unfortunately there's a bunch of
moving parts here that we need to sort out before we can move this
forward. 

First some background/info: 

* kojipkgs.fedoraproject.org currently uses a valid digisign cert. It
  needs this because browsers download from it directly, our builders
  download from it directly, etc. 

* pkgs/koji currently use certs signed by the Fedora Koji CA (which
  expires in 2024). This is currently needed by koji to do builds and
  the upload cgi for lookaside. 

* We are hoping to deploy soon a pair of freeipa servers in production
  that get information from fas and allow us to issue kerberos tickets.
  koji can already authenticate via this method. 

* There's an outstanding ticket about having a verified way to get
  source: https://pagure.io/fedora-infrastructure/issue/2324

Questions we need to figure out: 

* Are we going to retire/replace the koji CA? My thought was yes, but I
  think Dennis wasn't on board with this. Can anyone who wants to save
  it speak up? :)

* The upload cgi would need to auth with kerberos and sigul would need
  to auth with kerberos for this to work. 

* If we are not completely retiring the koji CA, are we replacing it? 

* Is ostree going to stay distributed at kojipkgs ? Or is it going to
  move somewhere else? we should figure out the final place for it
  before we go setting up cert pinning. 

* The simple way to do pinning is for the application(s) to include a
  hard coded list of valid certs. I guess this would require changes in
  librepo and somewhere in ostree? 

* The complex way to do pinning would be to setup
  https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
  For this we would need to get backup keys for our cert(s) that are
  used for this and setup webservers to send the right headers. This
  would also need (more complex) changes in librepo and/or somewhere in
  ostree. This would also optionally get us reports of violations. 

Thoughts? Comments? 

kevin

Attachment: pgpJkP9wmuF20.pgp
Description: OpenPGP digital signature

_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux