Fedora User Certificates
Dennis Gilmore
dennis at ausil.us
Fri Aug 22 14:17:51 EDT 2008
On Friday 22 August 2008 12:46:04 pm John Gilmore wrote:
> > Effective immediately we have replaced the CA that is in use for
> > cvs.fedoraproject.org and koji.fedoraproject.org This effects uploading
> > to lookaside cache and building packages.
>
> How do we know whether the old CA or the new CA is the secure one? This
>
> email "from Dennis" could easily be a spoof or a phish:
> > There are some manual steps that everyone needs to do to be able to use
> > the systems again.
>
> "We've had a problem and we have to re-validate your account."
>
> > they are
> > login to https://admin.fedoraproject.org/accounts/ and click on the
> > "Download a client-side certificate" link at the bottom of the home page.
> > save the output to ~/.fedora.cert
>
> First give us your username and password. We promise not to abuse it
> unduly.
I specifically did not post a link to the cert download site because I don't
want to
> Then overwrite the securely signed key that has validated the
> real web site for years -- with whatever we send you from our spoof site.
>
> Then you'll REALLY be secure.
The OLD CA was destroyed it no longer exists. because we were not issuing
certificates correctly and were unable to revoke them.
> I'm serious. Whether or not there's been a security compromise on
> the Fedora servers, it would be easy for the people who did it to pull
> a DNS spoof, get a bunch more passwords, and get many community members
> to believe that the spoof site is the real thing.
>
> I only recommend replacing your Fedora certificate if you have been
> asked to do so personally, e.g. by phone from a voice that you
> recognize as a friend or colleague in Fedora.
I don't personally know each and every fedora contributor. but if anyone
wants me to call them to verify that they need new certs I am more than
willing to call each and every person. However if you don't replace the
certs you will not have access to cvs or the buildsystem. they are using only
the new certs and checking the crl.
you can verify the new cert and host key hashes at
https://admin.fedoraproject.org/fingerprints of course you have to trust that
that is valid and that the whole fedora infrastructure has not been spoofed.
Dennis
More information about the Devel
mailing list