Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

Hi,

after talking with Marius:
The last sentence in his mail concerning the progress
suffers from poor translation, and can safely be ignored ;-)

We didn't intend to push anybody.

VlG-(Marius Timmer &) Arne Scheffer

On 25.10.18 15:08, Marius Timmer wrote:
> Dear hackers,
>
> We (Julian and I) would like to show you the seventh version of this
> patch which includes all the things mentioned before. Unfortunately
> we did not find the time to do this earlier.
>
>
> On 07/19/2018 03:00 AM, Thomas Munro wrote:
>> you could just have one common code path to reach CheckCertAuth()
>> for all auth methods after that switch statement, instead of the more
>> complicated conditional coding you have now with two ways to reach it.
> There is only one path now to call CheckCertAuth(). I don't think we
> have left too many complicated conditions.
>
>
>> That would result in a couple less LOC and a bit clearer conditionals,
>> I agree.
>> If there are no objections to make uaCert a quasi-alias of uaTrust
>> with clientcert=verify-full, I'll go ahead and change the code
>> accordingly.
> uaCert and uaTrust are handled the same within the switch statement.
>
>
>> I'll make sure that the error messages are still handled based on
>> the auth method and not only depending on the clientcert flag.
> As far as I know we already handled the error message based on the auth
> method and clientcert flag.
>
>
> On 07/30/2018 12:20, Julian Markwort wrote:
>> I'm open for suggestions, but in absence of objections I might just
>> capitalize all occurrences of CN.
> We decided to stick with the old style for now. So we changed all
> occurrences of cn to lower case.
>
>
>> Yes, we should adopt the new style in all places.
>> I'll rewrite that passage to indicate that cert authentication
>> essentially results in the same behavior as clientcert=verify-full.
>> The existing text is somewhat ambiguous anyway, in case somebody
>> decides to skip over the restriction described in the second sentence.
> We fixed that. Additionally we added the alias "no-verify" for
> clientcert=0 since it seems to be a good idea to have aliases for all
> three available values.
>
>
>>> What do you think about using clientCertCA for the enumerator name
>>> instead of clientCertOn? That would correspond better to the names
>>> "verify-ca" and "verify-full".
>> +1
>> I'm not sure if Magnus had any other cases in mind when he named it
>> clientCertOn?
> We agree that clientCertCA is a better name for it. Since Magnus does
> not seem to have any concerns about it we changed that as well.
>
> Julian and I think the time has come for this patch to make some
> progress. After a few months I think there is not that much to discuss
> anymore.
>
>
> Kind regards,
>
> Marius Timmer
>
>
>
>

--
Arne Scheffer
Webanwendungen
Beratung und Service (mit R. Mersch)

Westfälische Wilhelms-Universität Münster (WWU)

Zentrum für Informationsverarbeitung (ZIV)

Röntgenstraße 7-13
Besucheradresse: Einsteinstraße 60, Raum 104
48149 Münster
+49 251 83 31581
arne(dot)scheffer(at)uni-muenster(dot)de
https://www.uni-muenster.de/ZIV