| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Ian Pilcher <arequipeno(at)gmail(dot)com> |
| Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Trust intermediate CA for client certificates |
| Date: | 2013-12-02 20:32:54 |
| Message-ID: | 21280.1386016374@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
Ian Pilcher <arequipeno(at)gmail(dot)com> writes:
> On 12/02/2013 02:17 PM, Tom Lane wrote:
>> Isn't that sort of the point?
> I'm not sure what you're asking. The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root. This is currently not possible, mainly due to the way
> that OpenSSL works.
That notion seems pretty bogus to me. If you don't trust the root CA to
not hand out child CA certs to untrustworthy people, then you don't really
trust the root CA, do you? You should just list the certs of the
intermediate CAs you *do* trust in the server's root.crt.
In any case, the idea that this is somehow OpenSSL's fault and another
implementation of the same protocol wouldn't have the same issue sounds
pretty silly.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2013-12-02 20:38:08 | Re: Trust intermediate CA for client certificates |
| Previous Message | Andrew Dunstan | 2013-12-02 20:29:50 | Re: Trust intermediate CA for client certificates |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2013-12-02 20:35:04 | Re: Extension Templates S03E11 |
| Previous Message | Andrew Dunstan | 2013-12-02 20:29:50 | Re: Trust intermediate CA for client certificates |