On Mon, 28 Nov 2016 15:32:02 -0500
Colin Walters <walters@xxxxxxxxxx> wrote:

> On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote:
> >
> > Yeah. I am not sure the process we will need to use to get some
> > other CA vendor. RH has a relationship with digicert, so we get our
> > certs via that. When using another vendor we may have to go through
> > some red-tape. So, I can't commit for a time when this would be
> > ready.
>
> OK, can you file the issue/request and link me to it?
>
> > > We could probably move forward with Digicert + 1-2 other
> > > vendors as well. Maybe to be conservative 2. We can easily
> > > add a custom CA to the set as well at any point.
> >
> > We should make sure that the librepo/dnf folks are on board with
> > this plan before moving forward. :)
>
> Sure, I sent Honza and Igor a mail.

Hum. I was writing up an email on this, and something occurred to me.

The various browsers already have our digicert cert hard coded. So, if
we ever had problems with that cert and had to switch to the secondary
or tertiary certs, all browser access would be broken. ;(

So, perhaps we should be more targeted here and only do this for some
particular endpoints? mirrors.fedoraproject.org and
dl.fedoraproject.org?

That way if we had to fall back to another cert only those would be
broken for browsers.

Or should I just not worry too much about it because anything that
causes us to switch from the primary cert would likely be a massive
blowup anyhow?

kevin
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx