On Mon, 28 Nov 2016 15:32:02 -0500
Colin Walters <walters(a)verbum.org> wrote:
> On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote:
> > Yeah. I am not sure the process we will need to use to get some
> > other CA vendor. RH has a relationship with digicert, so we get our
> > certs via that. When using another vendor we may have to go through
> > some red-tape. So, I can't commit for a time when this would be
> OK, can you file the issue/request and link me to it?
> > > We could probably move forward with Digicert + 1-2 other
> > > vendors as well. Maybe to be conservative 2. We can easily
> > > add a custom CA to the set as well at any point.
> > We should make sure that the librepo/dnf folks are on board with
> > this plan before moving forward. :)
> Sure, I sent Honza and Igor a mail.

Hum. I was writing up an email on this, and something occurred to me.
The various browsers already have our digicert cert hard coded.
So, if we ever had problems with that cert and had to switch to the
secondary or tertiary certs, all browser access would be broken. ;(
So, perhaps we should be more targeted here and only do this for some
particular endpoints? mirrors.fedoraproject.org? That way if we had to
fall back to another cert only those would be broken for browsers.
Or should I just not worry too much about it because anything that
causes us to switch from the primary cert would likely be a massive