Re: Cert penning, Certs and related

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 21 Nov 2016 10:16:55 -0500
Colin Walters <walters@xxxxxxxxxx> wrote:

> On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote:
> >
> > Anyways, there's a higher level question here - you're arguing
> > for pinning to Digicert rather than a custom CA.  That seems good
> > enough, but I think we need a recovery mechanism in case Digicert
> > explodes.
> > 
> > So I'd propose pinning to a 3 set of CAs:
> > 
> >  - Digicert
> >  - Some other well-regarded CA vendor
> >  - A Fedora-infra custom CA (doesn't have to be deployed, just a
> > backup plan)  
> 
> Any further thoughts here?
> 
> > And as for a specific implementation mechanism, we'd have just
> > those CAs in /etc/pki/tls/certs/fedora-infra.crt or so, and that
> > file would be in the fedora-repos package.  The argument for this
> > again is that librepo and ostree already have all of the code for
> > this, and so does curl etc.

I suppose thats workable if all the stakeholders agree. 

So, we would need: 

1. certs in fedora-repos package 
2. librepo would need changes to know to check those. 
3. ostree would need changes to know to check those. 

I've not heard from librepo folks, should we ask them before moving
forward here? fedora-repos would need ack from Dennis (who is currently
on vacation), but I don't think that should be a problem. 

kevin

Attachment: pgpHk8QAY5ndw.pgp
Description: OpenPGP digital signature

_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux