Re: Cert penning, Certs and related

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 28 Nov 2016 15:32:02 -0500
Colin Walters <walters@xxxxxxxxxx> wrote:

> On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote:
> >
> > Yeah. I am not sure the process we will need to use to get some
> > other CA vendor. RH has a relationship with digicert, so we get our
> > certs via that. When using another vendor we may have to go through
> > some red-tape. So, I can't commit for a time when this would be
> > ready.   
> 
> OK, can you file the issue/request and link me to it?
>  
> > > We could probably move forward with Digicert + 1-2 other
> > > vendors as well.  Maybe to be conservative 2.  We can easily
> > > add a custom CA to the set as well at any point.  
> > 
> > We should make sure that the librepo/dnf folks are on board with
> > this plan before moving forward. :)   
> 
> Sure, I sent Honza and Igor a mail.

Hum. I was writing up an email on this, and something occurred to me. 

The various browsers already have our digicert cert hard coded. 
So, if we ever had problems with that cert and had to switch to the
secondary or tertiary certs, all browser access would be broken. ;( 

So, perhaps we should be more targeted here and only do this for some
particular endpoints? mirrors.fedoraproject.org and
dl.fedoraproject.org ? That way if we had to fall back to another cert
only those would be broken for browsers. 

Or should I just not worry too much about it because anything that
causes us to switch from the primary cert would likely be a massive
blowup anyhow?

kevin

Attachment: pgpOlqPzfwYHq.pgp
Description: OpenPGP digital signature

_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux