Hi,

...snip...
> Questions we need to figure out:
>
> * Are we going to retire/replace the koji CA? My thought was yes, but I
> think Dennis wasn't on board with this. Can anyone who wants to save
> it speak up? :)

I want to kill this CA. If there's anyone that sees problems with this, talk to me and I'll see how to resolve them, as I have a plan for all the issues I have so far foreseen.

>
> * The upload cgi would need to auth with kerberos and sigul would need
> to auth with kerberos for this to work.

Upload CGI is no issue as it uses http auth, so is just configuration. I have a sigul patch for krb support that I'm going to merge soon.

>
> * If we are not completely retiring the koji CA, are we replacing it?

Not if it's up to me.

>
> * Is ostree going to stay distributed at kojipkgs ? Or is it going to
> move somewhere else? we should figure out the final place for it
> before we go setting up cert pinning.
>
> * The simple way to do pinning is for the application(s) to include a
> hard coded list of valid certs. I guess this would require changes in
> librepo and somewhere in ostree?

As far as I know, yum/dnf supports setting a cafile for repos, so we can just update fedora-repos.

>
> * The complex way to do pinning would be to setup
> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> For this we would need to get backup keys for our cert(s) that are
> used for this and setup webservers to send the right headers. This
> would also need (more complex) changes in librepo and/or somewhere in
> ostree. This would also optionally get us reports of violations.

I would prefer this, since that means the configuration is server-side and we can phase over to a different CA or something at a later point in time way easier.

>
> Thoughts? Comments?
>
> kevin

Regards,
Patrick Uiterwijk
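
The header-based pinning option discussed above depends on the server sending pins for both a key in the served chain and a backup key that is not in it. The following is an added example, not part of the original message or of any Fedora, librepo or ostree code: a client-side check of a `Public-Key-Pins` header value following the RFC 7469 rules. All function names, the sample SPKI byte strings and the report URL are constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value (simplified: no ';' inside quotes)."""
    policy = {"pins": set(), "max_age": None,
              "include_subdomains": False, "report_uri": None}
    for directive in filter(None, (d.strip() for d in value.split(";"))):
        # Split on the first '=' only, so base64 padding in a pin survives.
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = arg
    return policy

def check_policy(policy: dict, chain_spkis: list) -> list:
    """Return the reasons a client would refuse this policy; empty means usable."""
    problems = []
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if policy["max_age"] is None:
        problems.append("missing max-age")
    if not policy["pins"] & chain_pins:
        problems.append("no pin matches the served chain")
    if not policy["pins"] - chain_pins:
        problems.append("no backup pin outside the served chain")
    return problems

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_SPKI = b"constructed-leaf-spki"
CA_SPKI = b"constructed-ca-spki"
BACKUP_SPKI = b"constructed-backup-spki"
OTHER_SPKI = b"constructed-unrelated-spki"

GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
               f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000; '
               'report-uri="https://example.invalid/hpkp-report"')
NO_BACKUP_HEADER = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age=5184000'

if __name__ == "__main__":
    print(check_policy(parse_pkp_header(GOOD_HEADER), [LEAF_SPKI, CA_SPKI]))
    print(check_policy(parse_pkp_header(NO_BACKUP_HEADER), [LEAF_SPKI, CA_SPKI]))
```

The third case in the checks, where the served key becomes the former backup key, is the CA phase-over scenario: the already-distributed policy still validates without any client-side change.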