On 9 December 2016 at 16:51, Colin Walters <walters@xxxxxxxxxx> wrote:
> On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
>
>> The various browsers already have our digicert cert hard coded.
>> So, if we ever had problems with that cert and had to switch to the
>> secondary or tertiary certs, all browser access would be broken. ;(
>>
>> So, perhaps we should be more targeted here and only do this for some
>> particular endpoints? mirrors.fedoraproject.org and
>> dl.fedoraproject.org ? That way if we had to fall back to another cert
>> only those would be broken for browsers.
>
> I don't understand this btw - the CA pinning we're talking about
> would only be for software mechanisms like dnf/rpm-ostree and possibly docker/flatpak.
>
> I'm certainly not advocating changing any other tools right now,
> although one could theoretically consider things like the `bodhi` command
> line tools (or possibly changing the underlying shared libraries).

I don't think anyone is understanding each other.. because that isn't what I was getting from this thread until now.

> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx

--
Stephen J Smoogen.