|From:||Bruce Momjian <bruce(at)momjian(dot)us>|
|To:||Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>|
|Cc:||Chapman Flack <chap(at)anastigmatix(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>|
|Subject:||Re: what can go in root.crt ?|
On Tue, May 26, 2020 at 05:22:13AM +0200, Laurenz Albe wrote:
> On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> > Certificates I get at $work come four layers deep:
> > Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> > Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> > Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> > End-entity cert for my server.
> > And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> > to be what I'm calling trusted in root.crt?
> I don't know if there is a way to get this to work, but the
> fundamental problem seems that you have got the system wrong.
> If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
> it as a certification authority.
It is true that WE ISSUE TO EVERYBODY can create a new intermediate with
the same intermediate name anytime they want.
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
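
Added example, not part of the original message or of PostgreSQL: a shell sketch of the point above, showing that when only the root is trusted, a second intermediate with the same subject name but a different key yields a chain that verifies just as well. It assumes the openssl command-line tool is installed; all names, keys and file names are constructed for the demo.

```shell
# Added example: all names and keys are constructed for this demo.
# Requires the openssl command-line tool (1.1.1 or later).
same_name_intermediate_demo() (
  set -e
  dir=$(mktemp -d)
  trap 'rm -rf "$dir"' EXIT
  cd "$dir"

  # Minimal config: empty DN section (subjects come from -subj) plus a CA extension set.
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf

  # The root: the only certificate the verifier is told to trust.
  openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -extensions ca \
    -subj '/CN=Demo Root CA' -keyout root.key -out root.crt -days 1 2>/dev/null

  # Two intermediates with the SAME subject name but different keys, both signed by the root.
  for n in 1 2; do
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
      -subj '/CN=Demo Intermediate CA' -keyout "int$n.key" -out "int$n.csr" 2>/dev/null
    openssl x509 -req -in "int$n.csr" -CA root.crt -CAkey root.key -set_serial "$n" \
      -extfile demo.cnf -extensions ca -days 1 -out "int$n.crt" 2>/dev/null
  done

  # A server certificate issued by the second intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj '/CN=db.example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int2.crt -CAkey int2.key -set_serial 3 \
    -days 1 -out leaf.crt 2>/dev/null

  # Same name, different key: the name alone does not identify an intermediate.
  [ "$(openssl x509 -noout -subject -in int1.crt)" = \
    "$(openssl x509 -noout -subject -in int2.crt)" ] && echo "subject=same"
  [ "$(openssl x509 -noout -pubkey -in int1.crt)" != \
    "$(openssl x509 -noout -pubkey -in int2.crt)" ] && echo "pubkey=different"

  # With only the root trusted, the chain through the second intermediate verifies.
  if openssl verify -CAfile root.crt -untrusted int2.crt leaf.crt >/dev/null 2>&1
  then echo "via_int2=accepted"; else echo "via_int2=rejected"; fi
  # The first intermediate has the right name but did not sign this certificate.
  if openssl verify -CAfile root.crt -untrusted int1.crt leaf.crt >/dev/null 2>&1
  then echo "via_int1=accepted"; else echo "via_int1=rejected"; fi
)

same_name_intermediate_demo
```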