On Wed, 23 Nov 2016 15:45:55 -0500
Colin Walters <walters(a)verbum.org> wrote:
> On Wed, Nov 23, 2016, at 12:10 PM, Kevin Fenzi wrote:
>> I suppose that's workable if all the stakeholders agree.
>
> To confirm, are you agreeing with:
>
>> So I'd propose pinning to a set of 3 CAs:
>> - Digicert
>> - Some other well-regarded CA vendor
>> - A Fedora-infra custom CA (doesn't have to be deployed, just a
>>   backup plan)
>
> You were arguing earlier to pin to just digicert I think (though
> I can't find that now).

Yeah. I am not sure the process we will need to use to get some other
CA vendor. RH has a relationship with digicert, so we get our certs via
that. When using another vendor we may have to go through some
red-tape. So, I can't commit for a time when this would be ready.
We could probably move forward with Digicert + 1-2 other
vendors as well. Maybe to be conservative 2. We can easily
add a custom CA to the set as well at any point.
We should make sure that the librepo/dnf folks are on board with this
plan before moving forward. :)