Re: Cert penning, Certs and related

On Fri, 09 Dec 2016 16:51:25 -0500
Colin Walters <walters@xxxxxxxxxx> wrote:

> On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
> 
> > The various browsers already have our digicert cert hard coded. 
> > So, if we ever had problems with that cert and had to switch to the
> > secondary or tertiary certs, all browser access would be broken. ;( 
> > 
> > So, perhaps we should be more targeted here and only do this for
> > some particular endpoints? mirrors.fedoraproject.org and
> > dl.fedoraproject.org ? That way if we had to fall back to another
> > cert only those would be broken for browsers.   
> 
> I don't understand this btw - the CA pinning we're talking about
> would only be for software mechanisms like dnf/rpm-ostree and
> possibly docker/flatpak.

Right now, for say dnf, it would hit mirrors.fedoraproject.org (for the
metalink) and possibly dl.fedoraproject.org (if it happened to get it
at the end of the metalink). I was saying that instead of pinning our
wildcard *.fedoraproject.org cert (which we use for a number of sites /
places) we could just get specific non-wildcard ones for these sites.

However, pondering on it more, those would still have to be on the
proxies, so I am not sure what it would buy us in the end.

kevin
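The failure mode Kevin describes above (a client pins one certificate, the
server has to fall back to a secondary or tertiary cert, and every pinned
client breaks) is easiest to see with a pin-set check. The following is an
added example, not code from this thread and not how dnf, rpm-ostree or the
Fedora proxies actually implement anything. It assumes HPKP-style pins
(base64 of SHA-256 over the DER SubjectPublicKeyInfo, as in RFC 7469) and a
client that accepts a chain when any certificate in it matches any pin. The
two "certificates" are constructed minimal DER structures built inline so
the block runs offline; the key bytes and dates are made up.

```python
"""SPKI pin-set check with a backup pin (added example, constructed data)."""
import base64
import hashlib


# --- minimal DER encode/decode helpers, enough for the demo ---------------

def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                      # explicit [0] version present,
        _, _, pos = read_tlv(tbs, pos)   # so serialNumber is the next TLV
    for _ in range(4):                   # signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, spki_content, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return seq(spki_content)


def spki_pin(cert_der: bytes) -> str:
    """pin-sha256 value as in RFC 7469: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_chain(chain, pins) -> bool:
    """Accept when any certificate in the presented chain matches any pin."""
    return any(spki_pin(c) in pins for c in chain)


# --- constructed certificates (not real Fedora certs) ---------------------
RSA_OID = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")      # rsaEncryption
SHA256_RSA_OID = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")


def fake_cert(key_bytes: bytes, with_version: bool = True) -> bytes:
    """Build a structurally valid X.509 DER shell around arbitrary key bytes."""
    spki = seq(seq(RSA_OID, tlv(0x05, b"")), tlv(0x03, b"\x00" + key_bytes))
    tbs = []
    if with_version:
        tbs.append(tlv(0xA0, tlv(0x02, b"\x02")))                  # v3
    tbs += [
        tlv(0x02, b"\x01"),                                        # serial
        seq(SHA256_RSA_OID),                                       # signature alg
        seq(),                                                     # issuer (empty)
        seq(tlv(0x17, b"161209000000Z"), tlv(0x17, b"171209000000Z")),
        seq(),                                                     # subject (empty)
        spki,
    ]
    return seq(seq(*tbs), seq(SHA256_RSA_OID), tlv(0x03, b"\x00" * 33))


PRIMARY_CERT = fake_cert(b"primary-key-bytes-constructed-for-demo")
BACKUP_CERT = fake_cert(b"backup-key-bytes-constructed-for-demo")

# A client that pinned only the primary cert breaks the moment the server
# falls back to the backup; a client carrying the backup pin keeps working.
SINGLE_PIN = {spki_pin(PRIMARY_CERT)}
PIN_SET_WITH_BACKUP = {spki_pin(PRIMARY_CERT), spki_pin(BACKUP_CERT)}


def survives_rotation(pins) -> bool:
    """True if a client holding `pins` still accepts the backup certificate."""
    return check_chain([BACKUP_CERT], pins)


if __name__ == "__main__":
    print("single pin survives rotation:", survives_rotation(SINGLE_PIN))
    print("pin set with backup survives:", survives_rotation(PIN_SET_WITH_BACKUP))
```

The point of the example is that whichever endpoints get pinned, the pin
set shipped to clients has to include the secondary and tertiary certs
(or a CA above them) before the primary is ever swapped, and the check is
on the public key, not on the wildcard-versus-specific hostname question.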
