On 9 December 2016 at 16:51, Colin Walters <walters(a)verbum.org> wrote:
On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
> The various browsers already have our digicert cert hard coded.
> So, if we ever had problems with that cert and had to switch to the
> secondary or tertiary certs, all browser access would be broken. ;(
> So, perhaps we should be more targeted here and only do this for some
> particular endpoints? mirrors.fedoraproject.org? That way if we had to
> fall back to another cert only those would be broken for browsers.
I don't understand this btw - the CA pinning we're talking about
would only be for software mechanisms like dnf/rpm-ostree and possibly docker/flatpak.
I'm certainly not advocating changing any other tools right now,
although one could theoretically consider things like the `bodhi` command
line tools (or possibly changing the underlying shared libraries).
I don't think anyone is understanding each other.. because that isn't
what I was getting from this thread until now.
Stephen J Smoogen.