On Fri, 09 Dec 2016 16:51:25 -0500
Colin Walters wrote:
> On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
>
> > The various browsers already have our digicert cert hard coded.
> > So, if we ever had problems with that cert and had to switch to the
> > secondary or
On Wed, 14 Dec 2016 09:16:47 -0500
Colin Walters wrote:
> On Tue, Dec 13, 2016, at 10:53 PM, Kevin Fenzi wrote:
> > FYI, I marked this thread to reply to, but I simply have not had
> > time lately with last week on site at the datacenter and this
> > weekend prepping for the
On Tue, 06 Dec 2016 17:14:48 -0500
Colin Walters wrote:
> On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
> >
> > The various browsers already have our digicert cert hard coded.
>
> Hum, really? Reference?
>
> $ pwd
> /home/walters/src/github/mozilla/gecko-dev
> $
FYI, I marked this thread to reply to, but I simply have not had time
lately with last week on site at the datacenter and this weekend
prepping for the flag day and this week helping people with fallout
from the flag day.
I'll try and get back to this this week, but please have some patience.
On Tue, Dec 13, 2016, at 01:49 PM, Stephen John Smoogen wrote:
> So the parts I think I am seeing different answers are:
> 1. What are we trying to accomplish and where?
> 2. What infrastructure is needed to accomplish this?
I think this stuff is pretty well covered in the thread and should
be
On 13 December 2016 at 12:37, Colin Walters wrote:
>
>
> On Fri, Dec 9, 2016, at 05:38 PM, Stephen John Smoogen wrote:
>
>> I don't think anyone is understanding each other.. because that isn't
>> what I was getting from this thread until now.
>
> The thread has been 95% just
On Fri, Dec 9, 2016, at 05:38 PM, Stephen John Smoogen wrote:
> I don't think anyone is understanding each other.. because that isn't
> what I was getting from this thread until now.
The thread has been 95% just me and Kevin on and off over the last 6
months. I asked him for clarification.
On 9 December 2016 at 16:51, Colin Walters wrote:
> On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
>
>> The various browsers already have our digicert cert hard coded.
>> So, if we ever had problems with that cert and had to switch to the
>> secondary or tertiary certs,
On Tue, Nov 29, 2016, at 02:00 PM, Kevin Fenzi wrote:
> The various browsers already have our digicert cert hard coded.
> So, if we ever had problems with that cert and had to switch to the
> secondary or tertiary certs, all browser access would be broken. ;(
>
> So, perhaps we should be more
On Mon, 28 Nov 2016 15:32:02 -0500
Colin Walters wrote:
> On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote:
> >
> > Yeah. I am not sure the process we will need to use to get some
> > other CA vendor. RH has a relationship with digicert, so we get our
> > certs via that.
On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote:
>
> Yeah. I am not sure the process we will need to use to get some other
> CA vendor. RH has a relationship with digicert, so we get our certs via
> that. When using another vendor we may have to go through some
> red-tape. So, I can't
On Wed, 23 Nov 2016 15:45:55 -0500
Colin Walters wrote:
> On Wed, Nov 23, 2016, at 12:10 PM, Kevin Fenzi wrote:
>
> > I suppose that's workable if all the stakeholders agree.
>
> To confirm, are you agreeing with:
>
> > So I'd propose pinning to a 3 set of CAs:
> >
> >
On 10/13/2016 09:34 PM, Kevin Fenzi wrote:
>>> * If we are not completely retiring the koji CA, are we replacing
>>> it?
>> If not retired it has to be replaced, could be certs from freeipa
>> that auto renew with certmonger, which I suspect users would like
>> better than entering their
On Wed, Nov 23, 2016, at 12:10 PM, Kevin Fenzi wrote:
> I suppose that's workable if all the stakeholders agree.
To confirm, are you agreeing with:
> So I'd propose pinning to a 3 set of CAs:
>
> - Digicert
> - Some other well-regarded CA vendor
> - A Fedora-infra custom CA (doesn't have to
On Mon, 21 Nov 2016 10:16:55 -0500
Colin Walters wrote:
> On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote:
> >
> > Anyways, there's a higher level question here - you're arguing
> > for pinning to Digicert rather than a custom CA. That seems good
> > enough, but I
On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote:
>
> Anyways, there's a higher level question here - you're arguing
> for pinning to Digicert rather than a custom CA. That seems good
> enough, but I think we need a recovery mechanism in case Digicert
> explodes.
>
> So I'd propose pinning
On Thursday, October 13, 2016 1:34:42 PM CDT Kevin Fenzi wrote:
> I meant to reply to this earlier. ;)
I just now saw the reply :(
> On Mon, 10 Oct 2016 17:20:06 -0500
>
> Dennis Gilmore wrote:
> > On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote:
> > >
On Wed, Oct 12, 2016, at 03:17 PM, Kevin Fenzi wrote:
> Sure, but they won't. They will complain that we have an invalid cert
> and we will need to explain to them what's going on. ;)
I still think this would be mostly covered if the yum repo files
and the ostree remote config had a comment
I meant to reply to this earlier. ;)
On Mon, 10 Oct 2016 17:20:06 -0500
Dennis Gilmore wrote:
> On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote:
> > Greetings.
> >
> > We have a request (
> > https://pagure.io/fedora-infrastructure/issue/5372 ) to set up ssl
> >
On Mon, Oct 10, 2016, at 01:58 PM, Kevin Fenzi wrote:
>
> But does that not mean anyone going to the same place with a browser or
> command line downloading specific packages will get a "sorry, this cert
> is not trusted" ? That's not such a big deal for ostrees, but for rpms,
> people do this
On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote:
> Greetings.
>
> We have a request (
> https://pagure.io/fedora-infrastructure/issue/5372 ) to set up ssl cert
> pinning for ostree deliverables. It's also been a long wishlist item
> to have that for rpm deliverables too.
On Mon, 10 Oct 2016 13:16:23 -0400
Colin Walters wrote:
> On Mon, Oct 10, 2016, at 01:04 PM, Kevin Fenzi wrote:
> > On Mon, 10 Oct 2016 16:57:25 +
> > Patrick Uiterwijk wrote:
> >
> > ...snip...
> >
> > > As far as I know, yum/dnf supports
On Mon, Oct 10, 2016, at 01:04 PM, Kevin Fenzi wrote:
> On Mon, 10 Oct 2016 16:57:25 +
> Patrick Uiterwijk wrote:
>
> ...snip...
>
> > As far as I know, yum/dnf supports setting a cafile for repos, so we
> > can just update fedora-repos.
>
> That doesn't help. If
On Mon, 10 Oct 2016 16:57:25 +
Patrick Uiterwijk wrote:
...snip...
> As far as I know, yum/dnf supports setting a cafile for repos, so we
> can just update fedora-repos.
That doesn't help. If we are using a well known cert, it's already
valid based on the system
Hi,
...snip...
> Questions we need to figure out:
>
> * Are we going to retire/replace the koji CA? My thought was yes, but I
> think Dennis wasn't on board with this. Can anyone who wants to save
> it speak up? :)
I want to kill this CA. If there's anyone that sees problems with this, talk