Fedora User Certificates

Dennis Gilmore dennis at ausil.us
Fri Aug 22 14:17:51 EDT 2008


On Friday 22 August 2008 12:46:04 pm John Gilmore wrote:
> > Effective immediately we have replaced the CA that is in use for
> > cvs.fedoraproject.org and koji.fedoraproject.org  This effects uploading
> > to lookaside cache and building packages.
>
> How do we know whether the old CA or the new CA is the secure one?  This
>
> email "from Dennis" could easily be a spoof or a phish:
> > There are some manual steps that everyone needs to do to be able to use
> > the systems again.
>
> "We've had a problem and we have to re-validate your account."
>
> > they are
> > login to https://admin.fedoraproject.org/accounts/  and click on the
> > "Download a client-side certificate" link at the bottom of the home page.
> >  save the output to ~/.fedora.cert
>
> First give us your username and password.  We promise not to abuse it
> unduly.
I specifically did not post a link to the cert download site  because I don't 
want to 
> Then overwrite the securely signed key that has validated the
> real web site for years -- with whatever we send you from our spoof site.
>
> Then you'll REALLY be secure.
The OLD CA was destroyed it no longer exists.  because we were not issuing 
certificates correctly and were unable to revoke them.

> I'm serious.  Whether or not there's been a security compromise on
> the Fedora servers, it would be easy for the people who did it to pull
> a DNS spoof, get a bunch more passwords, and get many community members
> to believe that the spoof site is the real thing.
>
> I only recommend replacing your Fedora certificate if you have been
> asked to do so personally, e.g. by phone from a voice that you
> recognize as a friend or colleague in Fedora.

I don't personally know  each and every fedora contributor.  but if anyone 
wants me to call them to verify that they need new certs I am more than 
willing to call each and every person.  However  if you don't replace the 
certs you will not have access to cvs or the buildsystem.  they are using only 
the new certs and checking the crl. 

you can verify the new cert and host key hashes at  
https://admin.fedoraproject.org/fingerprints  of course you have to trust that 
that is valid and that the whole fedora infrastructure has not been spoofed.


Dennis



More information about the Devel mailing list