Questions we need to figure out:
* Are we going to retire/replace the koji CA? My thought was yes, but I
think Dennis wasn't on board with this. Can anyone who wants to save
it speak up? :)
I want to kill this CA. If there's anyone that sees problems with this, talk to
me and I'll see how to resolve them, as I have a plan for all the issues I
have so far foreseen.
* The upload cgi would need to auth with kerberos and sigul would need
to auth with kerberos for this to work.
Upload CGI is no issue as it uses http auth, so is just configuration.
I have a sigul patch for krb support that I'm going to merge soon.
* If we are not completely retiring the koji CA, are we replacing it?
Not if it's up to me.
* Is ostree going to stay distributed at kojipkgs ? Or is it going to
move somewhere else? we should figure out the final place for it
before we go setting up cert pinning.
* The simple way to do pinning is for the application(s) to include a
hard coded list of valid certs. I guess this would require changes in
librepo and somewhere in ostree?
As far as I know, yum/dnf supports setting a cafile for repos, so we
can just update fedora-repos.
* The complex way to do pinning would be to setup
For this we would need to get backup keys for our cert(s) that are
used for this and setup webservers to send the right headers. This
would also need (more complex) changes in librepo and/or somewhere in
ostree. This would also optionally get us reports of violations.
I would prefer this, since that means the configuration is server-side and we
can phase over to a different CA or something at a later point in time way