From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Ants Aasma <ants(at)cybertec(dot)at> |
Cc: | Chapman Flack <chap(at)anastigmatix(dot)net>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: what can go in root.crt ? |
Date: | 2020-06-03 20:34:20 |
Message-ID: | 20200603203420.GD28685@momjian.us |
Lists: | pgsql-hackers |
On Wed, Jun 3, 2020 at 03:07:30PM +0300, Ants Aasma wrote:
> On Tue, 2 Jun 2020 at 20:14, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
> The server certificate should be issued by a certificate authority root
> outside of your organization only if you want people outside of your
> organization to trust your server certificate, but you are then asking
> for the client to only trust an intermediate inside your organization.
> The big question is why bother having the server certificate chain to a
> root certificate you don't trust when you have no intention of having
> clients outside of your organization trust the server certificate.
> Postgres could be made to handle such cases, but is it really a valid
> configuration we should support?
>
>
> I think the "why" the org cert is not root was already made clear, that is the
> company policy. I don't think postgres should take a stance whether the
> certificate designated as the root of trust is self-signed or claims to get its
> power from somewhere else.
Uh, we sure can. We disallow many configurations that we consider
unsafe. openssl allowed a lot of things, and their flexibility makes
them less secure.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee