On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote: > > Anyways, there's a higher level question here - you're arguing > for pinning to Digicert rather than a custom CA. That seems good > enough, but I think we need a recovery mechanism in case Digicert > explodes. > > So I'd propose pinning to a 3 set of CAs: > > - Digicert > - Some other well-regarded CA vendor > - A Fedora-infra custom CA (doesn't have to be deployed, just a backup plan) Any further thoughts here? > And as for a specific implementation mechanism, we'd have just > those CAs in /etc/pki/tls/certs/fedora-infra.crt or so, and that file > would be in the fedora-repos package. The argument for this again > is that librepo and ostree already have all of the code for this, and so does curl etc. > > Doing the hashes of the certs like Firefox does is certainly possible, > but it requires custom logic in the HTTP layer, and there's no > standard configuration file formats for the data, etc. > > > Also in the same file chom*/firefox set a list of sites to assume ssl, > > which would also be nice to hard code. > > Yeah, we could follow up with this adding Fedora sites to the browser > lists. Chrome's version seems saner to me. _______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
