On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote:
> Greetings.
>
> We have a request ( https://pagure.io/fedora-infrastructure/issue/5372 ) to set up ssl cert
> pinning for ostree deliverables. It's also been a long wishlist item
> to have that for rpm deliverables too. Unfortunately there's a bunch of
> moving parts here that we need to sort out before we can move this
> forward.
>
> First some background/info:
>
> * kojipkgs.fedoraproject.org currently uses a valid digisign cert. It
> needs this because browsers download from it directly, our builders
> download from it directly, etc.
>
> * pkgs/koji currently use certs signed by the Fedora Koji CA (which
> expires in 2024). This is currently needed by koji to do builds and
> the upload cgi for lookaside. The koji CA expires in 2018
>
> * We are hoping to deploy soon a pair of freeipa servers in production
> that get information from fas and allow us to issue kerberos tickets.
> koji can already authenticate via this method.
>
> * There's an outstanding ticket about having a verified way to get
> source: https://pagure.io/fedora-infrastructure/issue/2324
>
> Questions we need to figure out:
>
> * Are we going to retire/replace the koji CA? My thought was yes, but I
> think Dennis wasn't on board with this. Can anyone who wants to save
> it speak up? :)

I am against kerberos being the only auth mechanism. I suspect that some people either can't, for reasons beyond our control, or won't set up kerberos for auth.

> * The upload cgi would need to auth with kerberos and sigul would need
> to auth with kerberos for this to work.
>
> * If we are not completely retiring the koji CA, are we replacing it?

If not retired it has to be replaced; it could be certs from freeipa that auto renew with certmonger, which I suspect users would like better than entering their kerberos password once a day.

> * Is ostree going to stay distributed at kojipkgs ? Or is it going to
> move somewhere else? we should figure out the final place for it
> before we go setting up cert pinning.

No, it needs to go on the mirrors when we sort out how to mirror it, and the client and mirrormanager support it.

> * The simple way to do pinning is for the application(s) to include a
> hard coded list of valid certs. I guess this would require changes in
> librepo and somewhere in ostree?
>
> * The complex way to do pinning would be to setup
> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> For this we would need to get backup keys for our cert(s) that are
> used for this and setup webservers to send the right headers. This
> would also need (more complex) changes in librepo and/or somewhere in
> ostree. This would also optionally get us reports of violations.
>
> Thoughts? Comments?

Not against making changes, but I do not think that they totally fit into long term goals.

Dennis

> kevin
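The two pinning approaches Kevin lists (a hard-coded pin set in the client versus a Public-Key-Pins header with a backup key) are illustrated below as an added Python example; it is not code from this thread or from Fedora infrastructure, and the SPKI byte strings are constructed placeholders standing in for the DER SubjectPublicKeyInfo a real client would read out of the server's certificates.

```python
import base64
import hashlib
import re

# Constructed stand-ins for SubjectPublicKeyInfo DER bytes; a real client
# would extract these from the certificates the server presents.
LEAF_SPKI = b"constructed-leaf-spki-der"
BACKUP_SPKI = b"constructed-backup-key-spki-der"

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SPKI DER)), as RFC 7469 defines it."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header into its pin list and other directives."""
    pins, params = [], {}
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.append(m.group(1))
        else:
            k, _, v = directive.partition("=")
            params[k.strip().lower()] = v.strip()
    return {"pins": pins, "params": params}

def header_problems(header: str, chain_spkis: list) -> list:
    """Return why a server's PKP header would be rejected ([] when acceptable)."""
    parsed = parse_pkp_header(header)
    served = {spki_pin(s) for s in chain_spkis}
    pins = set(parsed["pins"])
    problems = []
    if len(pins) < 2:
        problems.append("fewer than two pins")
    if "max-age" not in parsed["params"]:
        problems.append("max-age missing")
    if not served & pins:
        problems.append("no pin matches the served chain")
    elif served >= pins:
        problems.append("no backup pin outside the served chain")
    return problems

# The "simple way": the client ships a hard-coded pin set instead of
# learning it from headers; the backup key is pinned before it is ever served.
CLIENT_PINS = {spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)}

def client_accepts(chain_spkis: list) -> bool:
    """Accept the chain if any presented SPKI matches a hard-coded pin."""
    return any(spki_pin(s) in CLIENT_PINS for s in chain_spkis)
```

The `header_problems` checks mirror why Kevin mentions backup keys: a header whose pins are all present in the served chain leaves no way to rotate the key without locking clients out.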
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx