Updating SSL keys on fedorahosted.org
Tim
ignored_mailbox at yahoo.com.au
Wed Feb 9 18:13:27 UTC 2011
On Tue, 2011-02-08 at 13:27 -0700, Stephen Smoogen wrote:
> Various SSL keys are aging out so we will be updating them before anyone
> gets a <This CERT is not valid.> page.
>
> The first server to be updated will be fedorahosted.org.
>
> The old certificate came from Equifax, was a 1024 bit key and had the
> fingerprint:
>
> SHA1 Fingerprint=CC:64:67:BE:90:50:79:ED:23:E8:C1:18:02:AB:AC:83:88:FC:6C:D8
>
> The new certificate is issued by GeoTrust, Inc and is a 4096 bit key
> with the fingerprint:
>
> SHA1 Fingerprint=D1:54:82:77:77:F9:11:DF:E0:B1:14:37:B9:36:E2:09:20:B6:54:1D
>
> Please report any problems with these certificates to
> admin at fedoraproject.org
>
> Stephen Smoogen
> * interim Infrastructure Chief Coffee Officer
Hmm, this email should have included a link to verify what it says
through a SSL secured page, on the current certificates.
Anybody could post a "the new keys are this" message through email as a
hoodwinking exercise, since an email (like that) is hard to properly
verify, in itself (thanks to the nature of how PGP keys are managed in
mail - the honour system).
i.e. gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
At least website certificates ought to have more vetting behind them.
That was a security-based announcement that's somewhat lacking in
security mindedness.
--
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
More information about the users
mailing list