Fedora User Certificates

John Gilmore gnu at toad.com
Fri Aug 22 13:46:04 EDT 2008

> Effective immediately we have replaced the CA that is in use for
> cvs.fedoraproject.org and koji.fedoraproject.org  This effects uploading to
> lookaside cache and building packages.

How do we know whether the old CA or the new CA is the secure one?  This
email "from Dennis" could easily be a spoof or a phish:

> There are some manual steps that everyone needs to do to be able to use the
> systems again.

"We've had a problem and we have to re-validate your account."

> they are
> login to https://admin.fedoraproject.org/accounts/  and click on the "Download
> a client-side certificate" link at the bottom of the home page.  save the
> output to ~/.fedora.cert

First give us your username and password.  We promise not to abuse it

Then overwrite the securely signed key that has validated the
real web site for years -- with whatever we send you from our spoof site.

Then you'll REALLY be secure.

I'm serious.  Whether or not there's been a security compromise on
the Fedora servers, it would be easy for the people who did it to pull
a DNS spoof, get a bunch more passwords, and get many community members
to believe that the spoof site is the real thing.

I only recommend replacing your Fedora certificate if you have been
asked to do so personally, e.g. by phone from a voice that you
recognize as a friend or colleague in Fedora.


More information about the Devel mailing list