On Mon, 10 Oct 2016 16:57:25 +0000 Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> wrote:

...snip...

> As far as I know, yum/dnf supports setting a cafile for repos, so we
> can just update fedora-repos.

That doesn't help. If we are using a well-known cert, it's already valid based on the system CAs, and IMHO it would be very poor to use a self-signed cert for this.

So, either librepo carries a static list for our base repos or we add support for HPKP.

> > * The complex way to do pinning would be to set up
> > https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> > For this we would need to get backup keys for our cert(s) that are
> > used for this and set up webservers to send the right headers. This
> > would also need (more complex) changes in librepo and/or
> > somewhere in ostree. This would also optionally get us reports of
> > violations.
>
> I would prefer this, since that means the configuration is
> server-side and we can phase over to a different CA or something at a
> later point in time way easier.

Still will need HPKP support in the clients... but yeah, it has advantages.

kevin
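The HPKP option discussed above, as an added Python example that is not part of this thread, of librepo or of dnf: it parses a Public-Key-Pins header and applies the RFC 7469 client-side rules, including the backup-pin requirement the thread mentions. The SPKI byte strings and the header value are constructed placeholders; real pins are computed over the DER SubjectPublicKeyInfo of the server's certificates.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pins_header(value: str) -> dict:
    """Split a Public-Key-Pins header into its directives."""
    d = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")  # pins end in '=' padding, so split once
        name, val = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            d["pins"].append(val)
        elif name == "max-age":
            d["max_age"] = int(val)
        elif name == "includesubdomains":
            d["include_subdomains"] = True
        elif name == "report-uri":
            d["report_uri"] = val
    return d

def header_is_noteworthy(directives: dict, chain_spkis) -> bool:
    """A client may only store ("note") the pins when max-age is present, at
    least one pin matches an SPKI in the served chain, and at least one pin
    matches nothing in the chain. That unmatched pin is the backup key the
    thread mentions: it lets the server rotate keys without stranding clients."""
    pins = set(directives["pins"])
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if directives["max_age"] is None or len(pins) < 2:
        return False
    return bool(pins & chain_pins) and bool(pins - chain_pins)

def chain_matches_pins(stored_pins, chain_spkis) -> bool:
    """Enforcement on a later connection: some SPKI in the served chain must
    hash to one of the pins the client stored earlier."""
    stored = set(stored_pins)
    return any(spki_pin(s) in stored for s in chain_spkis)

# Constructed stand-ins for SPKI DER blobs; real ones are extracted from the certs.
LEAF_SPKI = b"constructed-leaf-subjectpublickeyinfo"
ROOT_SPKI = b"constructed-root-ca-subjectpublickeyinfo"
BACKUP_SPKI = b"constructed-offline-backup-key-subjectpublickeyinfo"
PKP_HEADER = (
    f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    'max-age=5184000; includeSubDomains; report-uri="https://example.invalid/hpkp"'
)
```

A header whose pins all match the served chain is rejected by `header_is_noteworthy`, which is exactly why the thread notes that backup keys must exist before the webservers start sending the header.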