On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote: > The various browsers already have our digicert cert hard coded. > So, if we ever had problems with that cert and had to switch to the > secondary or tertiary certs, all browser access would be broken. ;( > > So, perhaps we should be more targeted here and only do this for some > particular endpoints? mirrors.fedoraproject.org and > dl.fedoraproject.org ? That way if we had to fall back to another cert > only those would be broken for browsers. I don't understand this btw - the CA pinning we're talking about would only be for software mechanisms like dnf/rpm-ostree and possibly docker/flatpak. I'm certainly not advocating changing any other tools right now, although one could theroetically consider things like the `bodhi` command line tools (or possibly changing the underlying shared libraries). _______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
