On Fri, 09 Dec 2016 16:51:25 -0500
Colin Walters <walters(a)verbum.org> wrote:
On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
> The various browsers already have our digicert cert hard coded.
> So, if we ever had problems with that cert and had to switch to the
> secondary or tertiary certs, all browser access would be broken. ;(
> So, perhaps we should be more targeted here and only do this for
> some particular endpoints? mirrors.fedoraproject.org? That way if we had to fall back to another
> cert only those would be broken for browsers.
I don't understand this btw - the CA pinning we're talking about
would only be for software mechanisms like dnf/rpm-ostree and
Right now for say dnf, it would hit mirrors.fedoraproject.org
metalink) and possibly dl.fedoraproject.org (if it happened to get it
at the end of the metalink). I was saying instead of pinning our
wildcard *.fedoraproject.org cert (which we use for a number of sites /
places) we could just get specific non wildcard ones for these sites.
However, pondering on it more those would still have to be on the
proxies, so I am not sure it would buy us in the end.