On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
The various browsers already have our digicert cert hard coded.
So, if we ever had problems with that cert and had to switch to the
secondary or tertiary certs, all browser access would be broken. ;(
So, perhaps we should be more targeted here and only do this for some
particular endpoints? mirrors.fedoraproject.org
? That way if we had to fall back to another cert
only those would be broken for browsers.
I don't understand this btw - the CA pinning we're talking about
would only be for software mechanisms like dnf/rpm-ostree and possibly docker/flatpak.
I'm certainly not advocating changing any other tools right now,
although one could theroetically consider things like the `bodhi` command
line tools (or possibly changing the underlying shared libraries).