Re: Cert penning, Certs and related

2016-12-14 Thread Kevin Fenzi
On Fri, 09 Dec 2016 16:51:25 -0500 Colin Walters wrote: > On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote: > > > The various browsers already have our digicert cert hard coded. > > So, if we ever had problems with that cert and had to switch to the > > secondary or

Re: Cert penning, Certs and related

2016-12-14 Thread Kevin Fenzi
On Wed, 14 Dec 2016 09:16:47 -0500 Colin Walters wrote: > On Tue, Dec 13, 2016, at 10:53 PM, Kevin Fenzi wrote: > > FYI, I marked this thread to reply to, but I simply have not had > > time lately with last week on site at the datacenter and this > > weekend prepping for the

Re: Cert penning, Certs and related

2016-12-14 Thread Kevin Fenzi
On Tue, 06 Dec 2016 17:14:48 -0500 Colin Walters wrote: > On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote: > > > > The various browsers already have our digicert cert hard coded. > > Hum, really? Reference? > > $ pwd > /home/walters/src/github/mozilla/gecko-dev > $

Re: Cert penning, Certs and related

2016-12-13 Thread Kevin Fenzi
FYI, I marked this thread to reply to, but I simply have not had time lately with last week on site at the datacenter and this weekend prepping for the flag day and this week helping people with fallout from the flag day. I'll try and get back to this this week, but please have some patience.

Re: Cert penning, Certs and related

2016-12-13 Thread Colin Walters
On Tue, Dec 13, 2016, at 01:49 PM, Stephen John Smoogen wrote: > So the parts I think I am seeing different answers are: > 1. What are we trying to accomplish and where? > 2. What infrastructure is needed to accomplish this? I think this stuff is pretty well covered in the thread and should be

Re: Cert penning, Certs and related

2016-12-13 Thread Stephen John Smoogen
On 13 December 2016 at 12:37, Colin Walters wrote: > > > On Fri, Dec 9, 2016, at 05:38 PM, Stephen John Smoogen wrote: > >> I don't think anyone is understanding each other.. because that isn't >> what I was getting from this thread until now. > > The thread has been 95% just

Re: Cert penning, Certs and related

2016-12-13 Thread Colin Walters
On Fri, Dec 9, 2016, at 05:38 PM, Stephen John Smoogen wrote: > I don't think anyone is understanding each other.. because that isn't > what I was getting from this thread until now. The thread has been 95% just me and Kevin on and off over the last 6 months. I asked him for clarification.

Re: Cert penning, Certs and related

2016-12-09 Thread Stephen John Smoogen
On 9 December 2016 at 16:51, Colin Walters wrote: > On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote: > >> The various browsers already have our digicert cert hard coded. >> So, if we ever had problems with that cert and had to switch to the >> secondary or tertiary certs,

Re: Cert penning, Certs and related

2016-12-09 Thread Colin Walters
On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote: > The various browsers already have our digicert cert hard coded. > So, if we ever had problems with that cert and had to switch to the > secondary or tertiary certs, all browser access would be broken. ;( > > So, perhaps we should be more

Re: Cert penning, Certs and related

2016-11-29 Thread Kevin Fenzi
On Mon, 28 Nov 2016 15:32:02 -0500 Colin Walters wrote: > On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote: > > > > Yeah. I am not sure the process we will need to use to get some > > other CA vendor. RH has a relationship with digicert, so we get our > > certs via that.

Re: Cert penning, Certs and related

2016-11-28 Thread Colin Walters
On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote: > > Yeah. I am not sure the process we will need to use to get some other > CA vendor. RH has a relationship with digicert, so we get our certs via > that. When using another vendor we may have to go through some > red-tape. So, I can't

Re: Cert penning, Certs and related

2016-11-28 Thread Kevin Fenzi
On Wed, 23 Nov 2016 15:45:55 -0500 Colin Walters wrote: > On Wed, Nov 23, 2016, at 12:10 PM, Kevin Fenzi wrote: > > > I suppose that's workable if all the stakeholders agree. > > To confirm, are you agreeing with: > > > So I'd propose pinning to a 3 set of CAs: > > > >

Re: Cert penning, Certs and related

2016-11-28 Thread Mikolaj Izdebski
On 10/13/2016 09:34 PM, Kevin Fenzi wrote: >>> * If we are not completely retiring the koji CA, are we replacing >>> it? >> If not retired it has to be replaced, could be certs from freeipa >> that auto renew with certmonger, which i suspect users would like >> better than entering their

Re: Cert penning, Certs and related

2016-11-23 Thread Colin Walters
On Wed, Nov 23, 2016, at 12:10 PM, Kevin Fenzi wrote: > I suppose that's workable if all the stakeholders agree. To confirm, are you agreeing with: > So I'd propose pinning to a 3 set of CAs: > > - Digicert > - Some other well-regarded CA vendor > - A Fedora-infra custom CA (doesn't have to

Re: Cert penning, Certs and related

2016-11-23 Thread Kevin Fenzi
On Mon, 21 Nov 2016 10:16:55 -0500 Colin Walters wrote: > On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote: > > > > Anyways, there's a higher level question here - you're arguing > > for pinning to Digicert rather than a custom CA. That seems good > > enough, but I

Re: Cert penning, Certs and related

2016-11-21 Thread Colin Walters
On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote: > > Anyways, there's a higher level question here - you're arguing > for pinning to Digicert rather than a custom CA. That seems good > enough, but I think we need a recovery mechanism in case Digicert > explodes. > > So I'd propose pinning

Re: Cert penning, Certs and related

2016-10-27 Thread Dennis Gilmore
On Thursday, 13 October 2016 1:34:42 PM CDT Kevin Fenzi wrote: > I meant to reply to this earlier. ;) I just now saw the reply :( > On Mon, 10 Oct 2016 17:20:06 -0500 > > Dennis Gilmore wrote: > > On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote: > > >

Re: Cert penning, Certs and related

2016-10-14 Thread Colin Walters
On Wed, Oct 12, 2016, at 03:17 PM, Kevin Fenzi wrote: > Sure, but they won't. They will complain that we have an invalid cert > and we will need to explain to them what's going on. ;) I still think this would be mostly covered if the yum repo files and the ostree remote config had a comment

Re: Cert penning, Certs and related

2016-10-13 Thread Kevin Fenzi
I meant to reply to this earlier. ;) On Mon, 10 Oct 2016 17:20:06 -0500 Dennis Gilmore wrote: > On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote: > > Greetings. > > > > We have a request ( > > https://pagure.io/fedora-infrastructure/issue/5372 ) to setup ssl > >

Re: Cert penning, Certs and related

2016-10-11 Thread Colin Walters
On Mon, Oct 10, 2016, at 01:58 PM, Kevin Fenzi wrote: > > But does that not mean anyone going to the same place with a browser or > command line downloading specific packages will get a "sorry, this cert > is not trusted" ? That's not such a big deal for ostree's, but for rpms, > people do this

Re: Cert penning, Certs and related

2016-10-10 Thread Dennis Gilmore
On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote: > Greetings. > > We have a request ( > https://pagure.io/fedora-infrastructure/issue/5372 ) to setup ssl cert > pinning for ostree deliverables. It's also been a long wishlist item > to have that for rpm deliverables too.

Re: Cert penning, Certs and related

2016-10-10 Thread Kevin Fenzi
On Mon, 10 Oct 2016 13:16:23 -0400 Colin Walters wrote: > On Mon, Oct 10, 2016, at 01:04 PM, Kevin Fenzi wrote: > > On Mon, 10 Oct 2016 16:57:25 + > > Patrick Uiterwijk wrote: > > > > ...snip... > > > > > As far as I know, yum/dnf supports

Re: Cert penning, Certs and related

2016-10-10 Thread Colin Walters
On Mon, Oct 10, 2016, at 01:04 PM, Kevin Fenzi wrote: > On Mon, 10 Oct 2016 16:57:25 + > Patrick Uiterwijk wrote: > > ...snip... > > > As far as I know, yum/dnf supports setting a cafile for repos, so we > > can just update fedora-repos. > > That doesn't help. If

Re: Cert penning, Certs and related

2016-10-10 Thread Kevin Fenzi
On Mon, 10 Oct 2016 16:57:25 + Patrick Uiterwijk wrote: ...snip... > As far as I know, yum/dnf supports setting a cafile for repos, so we > can just update fedora-repos. That doesn't help. If we are using a well known cert, it's already valid based on the system

Re: Cert penning, Certs and related

2016-10-10 Thread Patrick Uiterwijk
Hi, ...snip... > Questions we need to figure out: > > * Are we going to retire/replace the koji CA? My thought was yes, but I > think Dennis wasn't on board with this. Can anyone who wants to save > it speak up? :) I want to kill this CA. If there's anyone that sees problems with this, talk