On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote:
Anyways, there's a higher level question here - you're arguing
for pinning to Digicert rather than a custom CA. That seems good
enough, but I think we need a recovery mechanism in case Digicert
explodes.
So I'd propose pinning to a set of 3 CAs:
- Digicert
- Some other well-regarded CA vendor
- A Fedora-infra custom CA (doesn't have to be deployed, just a backup plan)
Any further thoughts here?
> And as for a specific implementation mechanism, we'd have just
> those CAs in /etc/pki/tls/certs/fedora-infra.crt or so, and that file
> would be in the fedora-repos package. The argument for this again
> is that librepo and ostree already have all of the code for this, and so does curl, etc.
>
> Doing the hashes of the certs like Firefox does is certainly possible,
> but it requires custom logic in the HTTP layer, and there's no
> standard configuration file formats for the data, etc.
>
> > Also in the same file chrom*/firefox set a list of sites to assume SSL,
> > which would also be nice to hard code.
>
> Yeah, we could follow up with this adding Fedora sites to the browser
> lists. Chrome's version seems saner to me.