Re: what can go in root.crt ?

What about the SSH model? In the Postgres context, this would basically be
a table containing authorized certificates for each user. Upon receiving a
connection attempt, look up the user and the presented certificate and see
if it is one of the authorized ones. If so, do the usual verification that
the client really does have the corresponding private key and if so,
authenticate the connection.

This is way simpler than messing around with certificate authorities.
Please, if anybody can give a coherent explanation why this isn't the first
certificate authentication model supported, I would love to understand.

On Mon, 25 May 2020 at 23:43, Chapman Flack <chap(at)anastigmatix(dot)net> wrote:

> On 05/25/20 23:22, Laurenz Albe wrote:
> > I don't know if there is a way to get this to work, but the
> > fundamental problem seems that you have got the system wrong.
> >
> > If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
> > it as a certification authority.
>
> That's a reasonable viewpoint.
>
> I've worked in organizations from smallish to largish, and in the
> largish ones, sometimes there are Ways Of Doing Things, that were
> laid down by Other People.
>
> There the challenge becomes how to piece together practices that
> maximize my comfort level, within the ways of doing things that
> come down from others.
>
> If the libpq root.crt file can be made to work similarly to a
> Java trustStore, that expands the possible solution space.
>
> Regards,
> -Chap
>
>
>