On Monday, October 10, 2016 10:27:29 AM CDT Kevin Fenzi wrote:
> Greetings.
>
> We have a request ( https://pagure.io/fedora-infrastructure/issue/5372 )
> to set up ssl cert pinning for ostree deliverables. It's also been a
> long wishlist item to have that for rpm deliverables too. Unfortunately
> there's a bunch of moving parts here that we need to sort out before we
> can move this forward.
>
> First some background/info:
>
> * kojipkgs.fedoraproject.org currently uses a valid digisign cert. It
>   needs this because browsers download from it directly, our builders
>   download from it directly, etc.
>
> * pkgs/koji currently use certs signed by the Fedora Koji CA (which
>   expires in 2024). This is currently needed by koji to do builds and
>   the upload cgi for lookaside.

The koji CA expires in 2018.

> * We are hoping to deploy soon a pair of freeipa servers in production
>   that get information from fas and allow us to issue kerberos tickets.
>   koji can already authenticate via this method.
>
> * There's an outstanding ticket about having a verified way to get
>   source: https://pagure.io/fedora-infrastructure/issue/2324
>
> Questions we need to figure out:
>
> * Are we going to retire/replace the koji CA? My thought was yes, but I
>   think Dennis wasn't on board with this. Can anyone who wants to save
>   it speak up? :)

I am against kerberos being the only auth mechanism. I suspect that some
people either can't, for reasons beyond our control, or won't set up
kerberos for auth.

> * The upload cgi would need to auth with kerberos and sigul would need
>   to auth with kerberos for this to work.
>
> * If we are not completely retiring the koji CA, are we replacing it?

If not retired, it has to be replaced; it could be certs from freeipa that
auto-renew with certmonger, which I suspect users would like better than
entering their kerberos password once a day.

> * Is ostree going to stay distributed at kojipkgs? Or is it going to
>   move somewhere else? We should figure out the final place for it
>   before we go setting up cert pinning.

No, it needs to go on the mirrors when we sort out how to mirror it, and
the client and mirrormanager support it.

> * The simple way to do pinning is for the application(s) to include a
>   hard-coded list of valid certs. I guess this would require changes in
>   librepo and somewhere in ostree?
>
> * The complex way to do pinning would be to set up
>   https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>   For this we would need to get backup keys for our cert(s) that are
>   used for this and set up webservers to send the right headers. This
>   would also need (more complex) changes in librepo and/or somewhere in
>   ostree. This would also optionally get us reports of violations.
>
> Thoughts? Comments?

Not against making changes, but I do not think that they totally fit into
long-term goals.

Dennis

> kevin
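The two pinning options Kevin lists (a hard-coded pin list in the client, or HPKP headers that require a backup key) both come down to the same check: hash the DER SubjectPublicKeyInfo of each cert in the validated chain and compare against a set of trusted pins. The following is an added example written for this page, not code from the thread, from librepo, or from ostree. It assumes the caller has already extracted the SPKI DER from the server chain (with the `cryptography` package, or `openssl x509 -pubkey`); to stay offline it constructs sample keys using the fixed Ed25519 SPKI layout rather than parsing real certificates, and the sample key bytes are placeholders, not real keys. It goes slightly beyond the thread by also showing why a pin set with fewer than two keys must be rejected: without a backup pin, losing the current key bricks every pinned client until max-age expires.

```python
import base64
import hashlib
import re

# Ed25519 SubjectPublicKeyInfo = fixed 12-byte DER prefix (RFC 8410) + 32 raw key bytes.
# This gives us syntactically real SPKI blobs with no ASN.1 library; for RSA/ECDSA
# certs you would extract the SPKI DER from the certificate instead.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Constructed sample keys: deterministic placeholder bytes, NOT real keys.
CURRENT_KEY = hashlib.sha256(b"example current key").digest()
BACKUP_KEY = hashlib.sha256(b"example offline backup key").digest()
ROGUE_KEY = hashlib.sha256(b"example mis-issued key").digest()

_PIN_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # base64 of a 32-byte SHA-256 digest


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap 32 raw Ed25519 public-key bytes in a SubjectPublicKeyInfo structure."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as defined by RFC 7469: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(pins, max_age, report_uri=None) -> str:
    """Server side: the Public-Key-Pins header. RFC 7469 requires a backup pin,
    i.e. at least two distinct pins, one of which is not in the served chain."""
    pins = list(dict.fromkeys(pins))  # de-duplicate, keep order
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins (current key + backup key)")
    for p in pins:
        if not _PIN_RE.match(p):
            raise ValueError(f"malformed pin: {p!r}")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={int(max_age)}"]
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)


def parse_hpkp_header(value: str) -> dict:
    """Client side: parse the header; a header without two valid pins and a
    max-age is not a usable pin set and must not be cached as one."""
    pins, max_age, report_uri = [], None, None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256" and _PIN_RE.match(val):
            pins.append(val)
        elif name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "report-uri":
            report_uri = val
    if len(set(pins)) < 2 or max_age is None:
        raise ValueError("header is not a usable pin set")
    return {"pins": set(pins), "max_age": max_age, "report_uri": report_uri}


def chain_matches_pins(chain_spkis, pinned_pins):
    """Pin validation: the connection passes if ANY SPKI in the already
    path-validated chain matches a pin. Returns the matching pin or None."""
    for spki in chain_spkis:
        pin = spki_pin(spki)
        if pin in pinned_pins:
            return pin
    return None


def demo() -> dict:
    current, backup, rogue = (ed25519_spki(k) for k in (CURRENT_KEY, BACKUP_KEY, ROGUE_KEY))
    # "Simple way": the client ships a hard-coded pin list (current + backup).
    hard_coded = {spki_pin(current), spki_pin(backup)}
    # "Complex way": the server advertises the same pins; the client learns them.
    header = build_hpkp_header(sorted(hard_coded), max_age=5184000)
    learned = parse_hpkp_header(header)["pins"]
    assert learned == hard_coded
    return {
        "current_ok": chain_matches_pins([current], learned) is not None,
        "rotated_to_backup_ok": chain_matches_pins([backup], learned) is not None,
        "rogue_rejected": chain_matches_pins([rogue], learned) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The backup pin is what makes key rotation survivable: the chain served after a rotation to the backup key still validates against the cached pin set, while a cert for an unpinned key (a mis-issued or attacker-obtained one) fails even though it would pass ordinary path validation. Whether the pin set arrives hard-coded in librepo/ostree or via a header, the validation logic is identical; the header variant only adds the parsing, caching and reporting around it.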