Re: Updating SSL keys on fedorahosted.org

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/09/2011 01:13 PM, Tim wrote:
> On Tue, 2011-02-08 at 13:27 -0700, Stephen Smoogen wrote:
>> Various SSL keys are aging out so we will be updating them before anyone
>> gets a <This CERT is not valid.> page.
>>
>> The first server to be updated will be fedorahosted.org.
>>
>> The old certificate came from Equifax, was a 1024 bit key and had the
>> fingerprint:
>>
>> SHA1 Fingerprint=CC:64:67:BE:90:50:79:ED:23:E8:C1:18:02:AB:AC:83:88:FC:6C:D8
>>
>> The new certificate is issued by GeoTrust, Inc and is a 4096 bit key
>> with the fingerprint:
>>
>> SHA1 Fingerprint=D1:54:82:77:77:F9:11:DF:E0:B1:14:37:B9:36:E2:09:20:B6:54:1D
>>
>> Please report any problems with these certificates to
>> admin@xxxxxxxxxxxxxxxxx
>>
>> Stephen Smoogen
>> * interim Infrastructure Chief Coffee Officer
> 
> Hmm, this email should have included a link to verify what it says
> through a SSL secured page, on the current certificates.
> 
> Anybody could post a "the new keys are this" message through email as a
> hoodwinking exercise, since an email (like that) is hard to properly
> verify, in itself (thanks to the nature of how PGP keys are managed in
> mail - the honour system).
> 
> i.e. gpg: WARNING: This key is not certified with a trusted signature!
>      gpg:          There is no indication that the signature belongs to the owner.
> 
> At least website certificates ought to have more vetting behind them.
> 
> That was a security-based announcement that's somewhat lacking in
> security mindedness.
> 

Not really. It would be one thing if it was a private certificate, but
these are signed off by well-known and trusted certificate authorities.
So this is really just a heads-up that a change is coming (and a notice
that the key size has been increased to 4k). Including the fingerprint
isn't necessary for security (unless you've removed GeoTrust manually
from your list of trusted authorities).

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1URVAACgkQeiVVYja6o6MM+wCfX/eiLSu8k0KLTdHhgxI1HhnC
+9EAniDwtaBVbl05rz5sR1d4FIs4tpR2
=QDgf
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux