Re: what can go in root.crt ?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Chapman Flack <chap(at)anastigmatix(dot)net>
Cc: Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: what can go in root.crt ?
Date: 2020-06-02 17:14:17
Message-ID: 20200602171417.GB16329@momjian.us
Lists: pgsql-hackers

On Tue, May 26, 2020 at 10:13:56AM -0400, Chapman Flack wrote:
> At $work, when I make a certificate request and send it off to our
> own in-house bureau of making certificates happen, what you might
> expect is that they would be running the first level of CA right
> in house (and IIRC that was the case in my early years here).
> So I would get back some chain like this:
>
> WE ARE A PROMINENT GLOBAL ISSUER FOUND IN WEB BROWSER TRUST STORES
> WE ISSUE TO LOTS OF FOLKS
> WE ISSUE TO ORGS LIKE YOURS
> WE ARE YOUR ORG
> my server cert
>
> In that picture, the question of whether I give more or less trust to
> PROMINENT GLOBAL ISSUER because they have larger market cap and their
> name in the news, or to WE ARE YOUR ORG because they are my org, seems
> to turn on different understandings of trust. There might be a lot of
> reasons in general to trust PROMINENT GLOBAL in the sense of putting
> their cert in widely distributed web browser trust stores. But there
> are excellent reasons to trust WE ARE YOUR ORG as authoritative on
> what's a server for my org.

I think it gets down to an issue I blogged about in 2017:

https://momjian.us/main/blogs/pgblog/2017.html#January_9_2017

The use of public certificate authorities doesn't make sense for most
databases because it allows third parties to create trusted
certificates. Their only reasonable use is if you wish to allow public
certificate authorities to independently issue certificates that you
wish to trust. This is necessary for browsers because they often connect
to unaffiliated websites where trust must be established by a third
party. (Browsers include a list of public certificate authorities who
can issue website certificates it trusts.)

The server certificate should be issued by a certificate authority root
outside of your organization only if you want people outside of your
organization to trust your server certificate, but you are then asking
for the client to only trust an intermediate inside your organization.
The big question is why bother having the server certificate chain to a
root certificate you don't trust when you have no intention of having
clients outside of your organization trust the server certificate.
Postgres could be made to handle such cases, but is it really a valid
configuration we should support?

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee
