Skip site navigation (1) Skip section navigation (2)

Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
Date: 2008-11-29 13:49:35
Message-ID: 4931486F.7050207@hagander.net (view raw or flat)
Thread:
Lists: pgsql-committerspgsql-hackers
Peter Eisentraut wrote:
> On Friday 28 November 2008 17:13:54 Magnus Hagander wrote:
>> Matching *only* as the first character will make it impossible to make
>> certificates for "www*.domain.com", which is AFAIK fairly popular - and
>> one of the examples you'll find on CA sites. But it would be fairly easy
>> to add this restriction if people feel that's a better way.
> 
> Are there actual technical or administrative or security arguments for or 
> against this?  For example, what are the criteria one has to fulfill in order 
> to get such a certificate?  Or is there a "defensive certification" security 
> line of reasoning?
> 
> Now certificate issuing is a real business, so we need to play in that context 
> as well, but I would like to dig a little deeper why things should be done in 
> a certain way.
> 
> I am quite confortable, for example, with * matching subdomains, because if I 
> own example.com, then I can create any level of subdomain I want, without 
> making a real difference to user/client program.  But then I don't really get 
> the point of having * inside of words -- would "www*.domain.com" also match 
> dots then?

Hmm. I can't seem to find that reference anymore. The only one of my
"www*" references I can find ATM is GoDaddy which just has it as an
exapmle of what "*.domain.com" would match :S

Perhaps the best method would actually be to match only "*." at the
beginning of the CN for now, and see if people complain? I would much
like someone who knows more about what would be reasonable to speak up
here, but it seems we don't have anybody here who knows...

//Magnus


In response to

Responses

pgsql-hackers by date

Next:From: Bruce MomjianDate: 2008-11-29 15:42:05
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches (r1197)
Previous:From: Magnus HaganderDate: 2008-11-29 13:43:23
Subject: Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new

pgsql-committers by date

Next:From: Robert HaasDate: 2008-11-29 15:56:42
Subject: Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new
Previous:From: Magnus HaganderDate: 2008-11-29 13:43:23
Subject: Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group