On Tue March 11 2008, Dennis Gilmore wrote:
> On Tuesday 11 March 2008, Till Maas wrote:
> >  https://fedorahosted.org/fedora-infrastructure/ticket/88
>
> No, Because it will break user certs. To make it work would require that
> users all get entirely new server cert files. We need to redo our entire

Making the user adjust his koji config for this is afaics unavoidable, except when nothing is changed. To make future transitions easier, the ca could be bundled into the fedora-packager package, so that the ca is updated automatically when needed.

> CA system. We also need to consider the ramifications for Secondary
> arches, deploying a new CA would require each and every Secondary arch to
> purchase a cert from the same CA. or somebody to purchase a cert that
> covered *.koji.fedoraproject.org from the same CA.

I do not see a reason for this, what does need this? According to the pyOpenSSL manual the koji client can load several ca files to authenticate the server certificate, because the pem file that is loaded with load_client_ca can contain several certificates, e.g. the current one and the Equifax one.

Regards,
Till

http://pyopenssl.sourceforge.net/pyOpenSSL.ps
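The multi-certificate PEM file discussed in the message above, demonstrated with the openssl command line rather than the koji client or pyOpenSSL. This is an added example, not part of the original thread; the CA names (`old-ca`, `new-ca`), the server names, and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. "old-ca" and "new-ca" are constructed stand-ins, not real CAs.
set -eu

make_ca() {   # make_ca NAME: self-signed CA key and certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue() {     # issue CA NAME: server certificate NAME.pem signed by CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

trusts() {    # trusts CAFILE CERT: succeeds if CERT chains to a CA in CAFILE
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {    # report CAFILE CERT: print one result line
    if trusts "$1" "$2"; then echo "$1 accepts $2"; else echo "$1 rejects $2"; fi
}

cd "$(mktemp -d)"
make_ca old-ca
make_ca new-ca
issue old-ca server-before    # certificate the server presents before the change
issue new-ca server-after     # certificate the server presents after the change

# One PEM file holding both CA certificates, as a client package could ship it.
cat old-ca.pem new-ca.pem > bundle.pem

report old-ca.pem server-after.pem    # rejects: client only knows the old CA
report bundle.pem server-before.pem   # accepts
report bundle.pem server-after.pem    # accepts
```

A client that trusts only `bundle.pem` keeps working on both sides of the CA change, which is why shipping the bundle ahead of the switch avoids a flag day.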