On 02/09/2011 01:13 PM, Tim wrote:
> On Tue, 2011-02-08 at 13:27 -0700, Stephen Smoogen wrote:
>> Various SSL keys are aging out so we will be updating them before anyone
>> gets a <This CERT is not valid.> page.
>>
>> The first server to be updated will be fedorahosted.org.
>>
>> The old certificate came from Equifax, was a 1024 bit key and had the
>> fingerprint:
>>
>> SHA1 Fingerprint=CC:64:67:BE:90:50:79:ED:23:E8:C1:18:02:AB:AC:83:88:FC:6C:D8
>>
>> The new certificate is issued by GeoTrust, Inc and is a 4096 bit key
>> with the fingerprint:
>>
>> SHA1 Fingerprint=D1:54:82:77:77:F9:11:DF:E0:B1:14:37:B9:36:E2:09:20:B6:54:1D
>>
>> Please report any problems with these certificates to
>> admin@xxxxxxxxxxxxxxxxx
>>
>> Stephen Smoogen
>> * interim Infrastructure Chief Coffee Officer
>
> Hmm, this email should have included a link to verify what it says
> through a SSL secured page, on the current certificates.
>
> Anybody could post a "the new keys are this" message through email as a
> hoodwinking exercise, since an email (like that) is hard to properly
> verify, in itself (thanks to the nature of how PGP keys are managed in
> mail - the honour system).
>
> i.e. gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
>
> At least website certificates ought to have more vetting behind them.
>
> That was a security-based announcement that's somewhat lacking in
> security mindedness.

Not really. It would be one thing if it was a private certificate, but these are signed off by well-known and trusted certificate authorities. So this is really just a heads-up that a change is coming (and a notice that the key size has been increased to 4k). Including the fingerprint isn't necessary for security (unless you've removed GeoTrust manually from your list of trusted authorities).
-- 
Stephen Gallagher
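As an added example (not code from the thread or from Fedora Infrastructure), this is the check a reader of the announcement above could run: compare the certificate a host actually serves against the announced SHA1 fingerprint and confirm the key size meets a minimum. The function names, the minimum-size argument and the self-signed demo certificate are assumptions; only fetch_cert touches the network.

```shell
#!/bin/sh
# Added example, not from the thread: verify a served certificate against an
# announced SHA1 fingerprint and a minimum RSA key size. The demo certificate
# below is constructed locally; fetch_cert is the only function needing the network.

# Colon-separated SHA1 fingerprint of a PEM certificate (same format as the thread).
cert_sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# RSA modulus size in bits of a PEM certificate (empty for non-RSA keys).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the fingerprint matches exactly and the key has at least $3 bits.
check_cert() {
    _pem=$1; _expected=$2; _minbits=$3
    _fp=$(cert_sha1_fingerprint "$_pem")
    _bits=$(cert_key_bits "$_pem")
    [ "$_fp" = "$_expected" ] || { echo "MISMATCH: served $_fp, announced $_expected" >&2; return 1; }
    [ -n "$_bits" ] && [ "$_bits" -ge "$_minbits" ] || { echo "WEAK KEY: ${_bits:-non-RSA}" >&2; return 1; }
    echo "OK: $_fp ($_bits-bit RSA key)"
}

# Fetch the leaf certificate a host serves on 443 (network; not used by the demo).
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Demo on a constructed 4096-bit self-signed certificate in a temporary directory.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT=$DEMO_DIR/demo.pem
openssl req -x509 -newkey rsa:4096 -nodes -keyout "$DEMO_DIR/key.pem" \
    -out "$DEMO_CERT" -subj "/CN=demo.invalid" -days 1 >/dev/null 2>&1
OLD_EQUIFAX_FP=CC:64:67:BE:90:50:79:ED:23:E8:C1:18:02:AB:AC:83:88:FC:6C:D8   # old fingerprint from the thread
check_cert "$DEMO_CERT" "$(cert_sha1_fingerprint "$DEMO_CERT")" 2048   # passes
check_cert "$DEMO_CERT" "$OLD_EQUIFAX_FP" 2048 || true                  # reports the mismatch
```

Against a live host, replace the demo file with the output of `fetch_cert fedorahosted.org` saved to a file and pass the fingerprint from the announcement.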