Skip site navigation (1) Skip section navigation (2)

Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
Date: 2008-11-28 22:08:42
Message-ID: 200811290008.42720.peter_e@gmx.net (view raw or flat)
Thread:
Lists: pgsql-committerspgsql-hackers
On Friday 28 November 2008 17:13:54 Magnus Hagander wrote:
> Matching *only* as the first character will make it impossible to make
> certificates for "www*.domain.com", which is AFAIK fairly popular - and
> one of the examples you'll find on CA sites. But it would be fairly easy
> to add this restriction if people feel that's a better way.

Are there actual technical or administrative or security arguments for or 
against this?  For example, what are the criteria one has to fulfill in order 
to get such a certificate?  Or is there a "defensive certification" security 
line of reasoning?

Now certificate issuing is a real business, so we need to play in that context 
as well, but I would like to dig a little deeper why things should be done in 
a certain way.

I am quite confortable, for example, with * matching subdomains, because if I 
own example.com, then I can create any level of subdomain I want, without 
making a real difference to user/client program.  But then I don't really get 
the point of having * inside of words -- would "www*.domain.com" also match 
dots then?

In response to

Responses

pgsql-hackers by date

Next:From: Peter EisentrautDate: 2008-11-28 22:13:14
Subject: Re: HEAD build failure on win32 mingw
Previous:From: Tom LaneDate: 2008-11-28 22:07:32
Subject: Re: Fixing contrib/isn for float8-pass-by-value

pgsql-committers by date

Next:From: Tom LaneDate: 2008-11-28 23:47:52
Subject: pgsql: Partial fix for fallout from temp-port changes.
Previous:From: Andrew DunstanDate: 2008-11-28 21:24:31
Subject: Re: pgsql: Reduce risk of accidentally running temp-install regression tests

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group