On Mon, 10 Oct 2016 16:57:25 +0000
Patrick Uiterwijk <puiterwijk(a)redhat.com> wrote:
...snip...
> As far as I know, yum/dnf supports setting a cafile for repos, so we
> can just update fedora-repos.
That doesn't help. If we are using a well-known cert, it's already
valid based on the system CAs, and IMHO it would be very poor to use a
self-signed cert for this. So, either librepo carries a static list for
our base repos or we add support for HPKP.
> * The complex way to do pinning would be to set up
>
> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
> For this we would need to get backup keys for our cert(s) that are
> used for this and set up webservers to send the right headers. This
> would also need (more complex) changes in librepo and/or
> somewhere in ostree. This would also optionally get us reports of
> violations.
> I would prefer this, since that means the configuration is
> server-side and we can phase over to a different CA or something at a
> later point in time way easier.
Still will need HPKP support in the clients... but yeah, it has
advantages.
kevin
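The pinning mechanics the thread is weighing (a pin-sha256 value over the cert's SubjectPublicKeyInfo, a Public-Key-Pins header that also carries a backup pin so a key rotation doesn't strand clients, and the client-side check against the stored pin set), as an added example that is not part of this thread and not librepo, dnf or ostree code. The three keys are constructed stand-ins (structurally P-256 SPKIs with filler point bytes), and the report URI and header values are made up for the example.

```python
"""HPKP-style public key pinning for a repo host: compute pins from the DER
SubjectPublicKeyInfo, emit and parse the Public-Key-Pins header, and check a
presented chain against the pin set (RFC 7469). Added example, not Fedora,
librepo, dnf or ostree code."""
import base64
import hashlib

# Constructed stand-in keys. Each is structurally a P-256 SubjectPublicKeyInfo
# (algorithm identifier + BIT STRING holding an uncompressed point) but the
# point bytes are filler, which is fine because a pin only hashes the DER.
_P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)
LEAF_SPKI = _P256_SPKI_PREFIX + b"\x04" + bytes(range(1, 65))
BACKUP_SPKI = _P256_SPKI_PREFIX + b"\x04" + bytes(range(65, 129))
INTERMEDIATE_SPKI = _P256_SPKI_PREFIX + b"\x04" + bytes(range(129, 193))

# For a real certificate the same pin value comes from:
#   openssl x509 -in cert.pem -pubkey -noout \
#     | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64


def spki_pin(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Render a Public-Key-Pins (or Public-Key-Pins-Report-Only) header value."""
    parts = ['pin-sha256="%s"' % p for p in pins]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def parse_pkp_header(value):
    """Parse a Public-Key-Pins value into its directives (what a client stores)."""
    out = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")  # first '=' only; URIs may contain '='
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "pin-sha256":
            out["pins"].append(raw)
        elif name == "max-age":
            out["max_age"] = int(raw)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "report-uri":
            out["report_uri"] = raw
    return out


def validate_pin_set(pins, chain_spkis):
    """RFC 7469 section 2.5: a host sending Public-Key-Pins must offer at least
    two pins, one matching a key in the served chain and one backup that
    matches nothing in the chain. Returns (ok, reason)."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if len(set(pins)) < 2:
        return False, "fewer than two distinct pins"
    matched = [p for p in pins if p in chain_pins]
    backups = [p for p in pins if p not in chain_pins]
    if not matched:
        return False, "no pin matches the served chain; clients would refuse"
    if not backups:
        return False, "no backup pin; losing the leaf key would strand pinned clients"
    return True, "ok"


def chain_matches_pins(pins, chain_spkis):
    """Client-side check on a later connection: any key in the chain may match."""
    pinned = set(pins)
    return any(spki_pin(s) in pinned for s in chain_spkis)


if __name__ == "__main__":
    # Initial deployment: pin the live leaf key plus an offline backup key.
    header = build_pkp_header([spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)],
                              max_age=5184000,
                              report_uri="https://example.invalid/hpkp-report")
    print(header)
    stored = parse_pkp_header(header)
    print(validate_pin_set(stored["pins"], [LEAF_SPKI, INTERMEDIATE_SPKI]))
    # Rotation: the backup key becomes the live key; clients holding the old
    # pin set still connect because that set already contained it.
    print(chain_matches_pins(stored["pins"], [BACKUP_SPKI, INTERMEDIATE_SPKI]))
    # A header that pins only keys present in the chain has no backup.
    print(validate_pin_set([spki_pin(LEAF_SPKI), spki_pin(INTERMEDIATE_SPKI)],
                           [LEAF_SPKI, INTERMEDIATE_SPKI]))
```

The rotation step is the point Patrick's "phase over to a different CA" remark rests on: because the pin is over the public key and not the CA, a reissued cert from any CA for the same key still matches, and switching keys only works if the new key's pin was already being served as the backup.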