Re: what can go in root.crt ?

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: Chapman Flack <chap(at)anastigmatix(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: what can go in root.crt ?
Date: 2020-05-26 03:22:13
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> Certificates I get at $work come four layers deep:
> Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> End-entity cert for my server.
> And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> to be what I'm calling trusted in root.crt?

I don't know if there is a way to get this to work, but the
fundamental problem seems that you have got the system wrong.

If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
it as a certification authority.

Laurenz Albe

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Khandekar 2020-05-26 03:36:12 Re: Inlining of couple of functions in pl_exec.c improves performance
Previous Message Chapman Flack 2020-05-26 03:17:46 Re: what can go in root.crt ?