I meant to reply to this eariler. ;) On Mon, 10 Oct 2016 17:20:06 -0500 Dennis Gilmore <dennis@xxxxxxxx> wrote: > On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote: > > Greetings. > > > > We have a request ( > > https://pagure.io/fedora-infrastructure/issue/5372 ) to setup ssl > > cert pinning for ostree deliverables. It's also been a long > > wishlist item to have that for rpm deliverables too. Unfortunately > > there's a bunch of moving parts here that we need to sort out > > before we can move this forward. > > > > First some background/info: > > > > * kojipkgs.fedoraproject.org currently uses a valid digisign cert. > > It needs this because browsers download from it directly, our > > builders download from it directly, etc. > > > > * pkgs/koji currently use certs signed by the Fedora Koji CA (which > > expires in 2024). This is currently needed by koji to do builds > > and the upload cgi for lookaside. > > The koji CA expires in 2018 ok > > * We are hoping to deploy soon a pair of freeipa servers in > > production that get information from fas and allow us to issue > > kerberos tickets. koji can already authenticate via this method. > > > > * There's an outstanding ticket about having a verified way to get > > source: https://pagure.io/fedora-infrastructure/issue/2324 > > > > Questions we need to figure out: > > > > * Are we going to retire/replace the koji CA? My thought was yes, > > but I think Dennis wasn't on board with this. Can anyone who wants > > to save it speak up? :) > I am against kerberos being the only auth mechanism. I suspect that > some people either cant for reasons beyond our control or won't set > up kerberos for auth I'm interested in what these reasons could be. Maintaining 2 authentication stacks is not something we really want to do if we can at all avoid it. And kerberos should be a good deal more secure than certs I would think, and we still don't have a great setup to manage the certs. > > * The upload cgi would need to auth with kerberos and sigul would > > need to auth with kerberos for this to work. > > > > * If we are not completely retiring the koji CA, are we replacing > > it? > If not retired it has to be replaced, could be certs from freeipa > that auto renew with certmonger, which i suspect users would like > better than entering their kerberos password once a day. well, we can adjust the kerberos settings. If they can renew for a week would that be sufficent? > > * Is ostree going to stay distributed at kojipkgs ? Or is it going > > to move somewhere else? we should figure out the final place for it > > before we go setting up cert pinning. > No, it needs to go on the mirrors when we sort out how to mirror it, > and the client and mirrormanager support it Right, so doing some cert pinning right now might be not a great idea if we are just going to move it. > > * The simple way to do pinning is for the application(s) to include > > a hard coded list of valid certs. I guess this would require > > changes in librepo and somewhere in ostree? > > > > * The complex way to do pinning would be to setup > > https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning > > For this we would need to get backup keys for our cert(s) that are > > used for this and setup webservers to send the right headers. This > > would also need (more complex) changes in librepo and/or > > somewhere in ostree. This would also optionally get us reports of > > violations. > > > > Thoughts? Comments? > > Not against making changes, but I do not think that they totally fit > into long term goals Well, I can definitely see the need for cert pinning and moving to kerberos, but perhaps you can expand on the long term goals that this doesn't address? kevin
Attachment:
pgpbyso4xfuHm.pgp
Description: OpenPGP digital signature
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
