Re: Cert penning, Certs and related

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:

> The various browsers already have our digicert cert hard coded. 
> So, if we ever had problems with that cert and had to switch to the
> secondary or tertiary certs, all browser access would be broken. ;( 
> 
> So, perhaps we should be more targeted here and only do this for some
> particular endpoints? mirrors.fedoraproject.org and
> dl.fedoraproject.org ? That way if we had to fall back to another cert
> only those would be broken for browsers. 

I don't understand this btw - the CA pinning we're talking about
would only be for software mechanisms like dnf/rpm-ostree and possibly docker/flatpak.

I'm certainly not advocating changing any other tools right now,
although one could theroetically consider things like the `bodhi` command
line tools (or possibly changing the underlying shared libraries).
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux