Greetings.

We have a request ( https://pagure.io/fedora-infrastructure/issue/5372 ) to set up ssl cert pinning for ostree deliverables. It's also been a long wishlist item to have that for rpm deliverables too. Unfortunately there's a bunch of moving parts here that we need to sort out before we can move this forward.

First some background/info:

* kojipkgs.fedoraproject.org currently uses a valid digisign cert. It needs this because browsers download from it directly, our builders download from it directly, etc.
* pkgs/koji currently use certs signed by the Fedora Koji CA (which expires in 2024). This is currently needed by koji to do builds and the upload cgi for lookaside.
* We are hoping to deploy soon a pair of freeipa servers in production that get information from fas and allow us to issue kerberos tickets. koji can already authenticate via this method.
* There's an outstanding ticket about having a verified way to get source: https://pagure.io/fedora-infrastructure/issue/2324

Questions we need to figure out:

* Are we going to retire/replace the koji CA? My thought was yes, but I think Dennis wasn't on board with this. Can anyone who wants to save it speak up? :)
* The upload cgi would need to auth with kerberos and sigul would need to auth with kerberos for this to work.
* If we are not completely retiring the koji CA, are we replacing it?
* Is ostree going to stay distributed at kojipkgs? Or is it going to move somewhere else? We should figure out the final place for it before we go setting up cert pinning.
* The simple way to do pinning is for the application(s) to include a hard-coded list of valid certs. I guess this would require changes in librepo and somewhere in ostree?
* The complex way to do pinning would be to set up https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning . For this we would need to get backup keys for our cert(s) that are used for this and set up webservers to send the right headers. This would also need (more complex) changes in librepo and/or somewhere in ostree. This would also optionally get us reports of violations.

Thoughts? Comments?

kevin
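As an added illustration of the two pinning approaches raised in the mail (not code from this thread, nor from librepo or ostree), this Go program computes HPKP-style pin-sha256 values, checks a presented chain against a hard-coded pin list, and builds a Public-Key-Pins header that refuses to ship without a backup pin. The pin inputs are SPKI DER bytes from throwaway keys generated inline, and the max-age value is a constructed example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// spkiPin is the HPKP pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)) of a presented key.
func spkiPin(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins is the "hard-coded list" approach: accept only if some presented key matches a pin.
func verifyPins(chainSPKIs [][]byte, pinned map[string]bool) error {
	for _, spki := range chainSPKIs {
		if pinned[spkiPin(spki)] {
			return nil
		}
	}
	return fmt.Errorf("no key in the presented chain matches a pinned SPKI hash")
}

// pinHeader builds a Public-Key-Pins value; HPKP requires a backup pin so a lost key cannot lock clients out.
func pinHeader(maxAge int, pins ...string) (string, error) {
	if len(pins) < 2 {
		return "", fmt.Errorf("HPKP needs the live pin plus at least one backup pin")
	}
	h := ""
	for _, p := range pins {
		h += fmt.Sprintf("pin-sha256=%q; ", p)
	}
	return h + fmt.Sprintf("max-age=%d", maxAge), nil
}

// sampleSPKI returns the SPKI DER of a throwaway key (constructed sample, not a Fedora key).
func sampleSPKI() []byte {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return der
}

func main() {
	live, backup := sampleSPKI(), sampleSPKI()
	fmt.Println(pinHeader(5184000, spkiPin(live), spkiPin(backup)))
}
```

On a real TLS session the DER bytes come from tls.ConnectionState.PeerCertificates[i].RawSubjectPublicKeyInfo; pinning the key rather than the whole certificate lets a routine renewal with the same key pass.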