| From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
|---|---|
| To: | Chapman Flack <chap(at)anastigmatix(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: what can go in root.crt ? |
| Date: | 2020-05-26 03:22:13 |
| Message-ID: | 74fc462353764d11d807976825eb091ef8f6e0f1.camel@cybertec.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> Certificates I get at $work come four layers deep:
>
>
> Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
>
> Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
>
> Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
>
> End-entity cert for my server.
>
>
> And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> to be what I'm calling trusted in root.crt?
I don't know if there is a way to get this to work, but the
fundamental problem seems that you have got the system wrong.
If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
it as a certification authority.
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Khandekar | 2020-05-26 03:36:12 | Re: Inlining of couple of functions in pl_exec.c improves performance |
| Previous Message | Chapman Flack | 2020-05-26 03:17:46 | Re: what can go in root.crt ? |