On Tue March 11 2008, Dennis Gilmore wrote: > On Tuesday 11 March 2008, Till Maas wrote: > > Hiyas, > > > > now that everyone needs to change his password, can we now also deploy > > the new certifcate for koji? This will make it possible to verify whether > > or not one can trust the certificate for koji and the ticket is now 7 > > months old, i.e. about a full Fedora release cycle. Therefore I guess > > there won't be a better time than now. > > > > Regards, > > Till > > > >  https://fedorahosted.org/fedora-infrastructure/ticket/88 > > No, Because it will break user certs. To make it work would require that > users all get entirely new server cert files. We need to redo our entire > CA system. We also need to consider the ramifications for Secondary > arches, deploying a new CA would require each and every Secondary arch to > purchase a cert from the same CA. or somebody to purchase a cert that > covered *.koji.fedoraproject.org from the same CA. > > we are looking at deploying the hub on a separate box from the frontend > which would allow us to do what you are wanting but would not look after > secondary arches. How about making the hub (I assume this is only used by automated processes and not manually) listen on a different port than 443? Then the web interface could use the new well know certificate. The automated processes the internal ones, where imho using a own ca does not hurt. Also using a different port should be only a matter of configuring it once. The secondary arch instances could then use a cacert certificate, which are free and are trusted by some browsers already for the web interface. > We currently use 2 different CA's in our setup. One that is used only for > user certs and one that is used for the builders and frontend. I would > like to move to a new Single CA setup. In this world when you import your > fedora user cert for browser authentication you would automatically > recognise the CA. though this would only be valid for Fedora contributors. Is this only about Koji or Fedoraprojet in general? Imho it is better to use a well known CA for the frontend (website) and an own one for internal stuff instead of using an own one for everything. Regards, Till  https://cacert.org
Description: This is a digitally signed message part.