On Fri, 09 Dec 2016 16:51:25 -0500
Colin Walters wrote:
> On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
>
> > The various browsers already have our digicert cert hard coded.
> > So, if we ever had problems with that cert and had to switch to the
> > secondary or tertiary certs, all brow
On Wed, 14 Dec 2016 09:16:47 -0500
Colin Walters wrote:
> On Tue, Dec 13, 2016, at 10:53 PM, Kevin Fenzi wrote:
> > FYI, I marked this thread to reply to, but I simply have not had
> > time lately with last week on site at the datacenter and this
> > weekend prepping for the flag day and this wee
On Tue, 06 Dec 2016 17:14:48 -0500
Colin Walters wrote:
> On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
> >
> > The various browsers already have our digicert cert hard coded.
>
> Hum, really? Reference?
>
> $ pwd
> /home/walters/src/github/mozilla/gecko-dev
> $ git rev-parse HEAD
>
On Tue, Dec 13, 2016, at 10:53 PM, Kevin Fenzi wrote:
> FYI, I marked this thread to reply to, but I simply have not had time
> lately with last week on site at the datacenter and this weekend
> prepping for the flag day and this week helping people with fallout
> from the flag day.
>
> I'll try
FYI, I marked this thread to reply to, but I simply have not had time
lately with last week on site at the datacenter and this weekend
prepping for the flag day and this week helping people with fallout
from the flag day.
I'll try and get back to this this week, but please have some patience.
k
On Tue, Dec 13, 2016, at 01:49 PM, Stephen John Smoogen wrote:
> So the parts I think I am seeing different answers are:
> 1. What are we trying to accomplish and where?
> 2. What infrastructure is needed to accomplish this?
I think this stuff is pretty well covered in the thread and should
be ha
On 13 December 2016 at 12:37, Colin Walters wrote:
>
>
> On Fri, Dec 9, 2016, at 05:38 PM, Stephen John Smoogen wrote:
>
>> I don't think anyone is understanding each other.. because that isn't
>> what I was getting from this thread until now.
>
> The thread has been 95% just me and Kevin on and o
On Fri, Dec 9, 2016, at 05:38 PM, Stephen John Smoogen wrote:
> I don't think anyone is understanding each other.. because that isn't
> what I was getting from this thread until now.
The thread has been 95% just me and Kevin on and off over the last 6
months. I asked him for clarification. No
On 9 December 2016 at 16:51, Colin Walters wrote:
> On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
>
>> The various browsers already have our digicert cert hard coded.
>> So, if we ever had problems with that cert and had to switch to the
>> secondary or tertiary certs, all browser access w
On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
> The various browsers already have our digicert cert hard coded.
> So, if we ever had problems with that cert and had to switch to the
> secondary or tertiary certs, all browser access would be broken. ;(
>
> So, perhaps we should be more t
On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
>
> The various browsers already have our digicert cert hard coded.
Hum, really? Reference?
$ pwd
/home/walters/src/github/mozilla/gecko-dev
$ git rev-parse HEAD
a8b5f53e7df90df655a0982e94087ee83290c22e
$ git grep fedoraproject.org
Shows me
On Mon, 28 Nov 2016 15:32:02 -0500
Colin Walters wrote:
> On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote:
> >
> > Yeah. I am not sure the process we will need to use to get some
> > other CA vendor. RH has a relationship with digicert, so we get our
> > certs via that. When using another ve
On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote:
>
> Yeah. I am not sure the process we will need to use to get some other
> CA vendor. RH has a relationship with digicert, so we get our certs via
> that. When using another vendor we may have to go through some
> red-tape. So, I can't commit
On Wed, 23 Nov 2016 15:45:55 -0500
Colin Walters wrote:
> On Wed, Nov 23, 2016, at 12:10 PM, Kevin Fenzi wrote:
>
> > I suppose that's workable if all the stakeholders agree.
>
> To confirm, are you agreeing with:
>
> > So I'd propose pinning to a 3 set of CAs:
> >
> > - Digicert
> > - So
On 10/13/2016 09:34 PM, Kevin Fenzi wrote:
>>> * If we are not completely retiring the koji CA, are we replacing
>>> it?
>> If not retired it has to be replaced, could be certs from freeipa
>> that auto renew with certmonger, which i suspect users would like
>> better than entering their kerbero
On Wed, Nov 23, 2016, at 12:10 PM, Kevin Fenzi wrote:
> I suppose that's workable if all the stakeholders agree.
To confirm, are you agreeing with:
> So I'd propose pinning to a 3 set of CAs:
>
> - Digicert
> - Some other well-regarded CA vendor
> - A Fedora-infra custom CA (doesn't have to
On Mon, 21 Nov 2016 10:16:55 -0500
Colin Walters wrote:
> On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote:
> >
> > Anyways, there's a higher level question here - you're arguing
> > for pinning to Digicert rather than a custom CA. That seems good
> > enough, but I think we need a recovery
On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote:
>
> Anyways, there's a higher level question here - you're arguing
> for pinning to Digicert rather than a custom CA. That seems good
> enough, but I think we need a recovery mechanism in case Digicert
> explodes.
>
> So I'd propose pinning
On Thursday, October 13, 2016 1:34:42 PM CDT Kevin Fenzi wrote:
> I meant to reply to this earlier. ;)
I just now saw the reply :(
> On Mon, 10 Oct 2016 17:20:06 -0500
>
> Dennis Gilmore wrote:
> > On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote:
> > > Greetings.
> > >
> > > We
On Wed, Oct 12, 2016, at 03:17 PM, Kevin Fenzi wrote:
> Sure, but they won't. They will complain that we have an invalid cert
> and we will need to explain to them what's going on. ;)
I still think this would be mostly covered if the yum repo files
and the ostree remote config had a comment like:
I meant to reply to this earlier. ;)
On Mon, 10 Oct 2016 17:20:06 -0500
Dennis Gilmore wrote:
> On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote:
> > Greetings.
> >
> > We have a request (
> > https://pagure.io/fedora-infrastructure/issue/5372 ) to set up ssl
> > cert pinning for o
On Tue, 11 Oct 2016 14:31:55 -0400
Colin Walters wrote:
> On Mon, Oct 10, 2016, at 01:58 PM, Kevin Fenzi wrote:
> >
> > But does that not mean anyone going to the same place with a
> > browser or command line downloading specific packages will get a
> > "sorry, this cert is not trusted" ? That's
On Mon, Oct 10, 2016, at 01:58 PM, Kevin Fenzi wrote:
>
> But does that not mean anyone going to the same place with a browser or
> command line downloading specific packages will get a "sorry, this cert
> is not trusted" ? That's not such a big deal for ostree's, but for rpms,
> people do this a
On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote:
> Greetings.
>
> We have a request (
> https://pagure.io/fedora-infrastructure/issue/5372 ) to set up ssl cert
> pinning for ostree deliverables. It's also been a long wishlist item
> to have that for rpm deliverables too. Unfortunately
On Mon, 10 Oct 2016 13:16:23 -0400
Colin Walters wrote:
> On Mon, Oct 10, 2016, at 01:04 PM, Kevin Fenzi wrote:
> > On Mon, 10 Oct 2016 16:57:25 +
> > Patrick Uiterwijk wrote:
> >
> > ...snip...
> >
> > > As far as I know, yum/dnf supports setting a cafile for repos, so
> > > we can just
On Mon, Oct 10, 2016, at 01:04 PM, Kevin Fenzi wrote:
> On Mon, 10 Oct 2016 16:57:25 +
> Patrick Uiterwijk wrote:
>
> ...snip...
>
> > As far as I know, yum/dnf supports setting a cafile for repos, so we
> > can just update fedora-repos.
>
> That doesn't help. If we are using a well known
On Mon, 10 Oct 2016 16:57:25 +
Patrick Uiterwijk wrote:
...snip...
> As far as I know, yum/dnf supports setting a cafile for repos, so we
> can just update fedora-repos.
That doesn't help. If we are using a well known cert, it's already
valid based on the system ca's, and IMHO it would be v
Hi,
...snip...
> Questions we need to figure out:
>
> * Are we going to retire/replace the koji CA? My thought was yes, but I
> think Dennis wasn't on board with this. Can anyone who wants to save
> it speak up? :)
I want to kill this CA. If there's anyone that sees problems with this, talk
Greetings.
We have a request (
https://pagure.io/fedora-infrastructure/issue/5372 ) to set up ssl cert
pinning for ostree deliverables. It's also been a long wishlist item
to have that for rpm deliverables too. Unfortunately there's a bunch of
moving parts here that we need to sort out before we
29 matches