Re: what can go in root.crt ?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
Cc: Chapman Flack <chap(at)anastigmatix(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: what can go in root.crt ?
Date: 2020-05-26 03:36:32
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On Tue, May 26, 2020 at 05:22:13AM +0200, Laurenz Albe wrote:
> On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> > Certificates I get at $work come four layers deep:
> >
> >
> > Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> >
> > Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> >
> > Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> >
> > End-entity cert for my server.
> >
> >
> > And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> > to be what I'm calling trusted in root.crt?
> I don't know if there is a way to get this to work, but the
> fundamental problem seems that you have got the system wrong.
> If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
> it as a certification authority.

It is true that WE ISSUE TO EVERYBODY can create a new intermediate with
the same intemediate name anytime they want.

Bruce Momjian <bruce(at)momjian(dot)us>

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Chapman Flack 2020-05-26 03:43:01 Re: what can go in root.crt ?
Previous Message Amit Khandekar 2020-05-26 03:36:12 Re: Inlining of couple of functions in pl_exec.c improves performance