From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Saleem Edah-Tally" <nmset(at)netcourrier(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: postgresql.key secure storage |
Date: | 2009-09-14 14:13:45 |
Message-ID: | 15858.1252937625@sss.pgh.pa.us |
Lists: | pgsql-general |

"Saleem Edah-Tally" <nmset(at)netcourrier(dot)com> writes:
> I would have been more at ease if libpq could manage a PKCS12 cert. or some
> secure wallet/keystore that contains both the public and private keys for SSL
> traffic. Neither the end user nor any admin would have to provide the password
> to access the keys inside the secured storage as I would have preferred to
> hard-code the password. Hard coding is not an elegant solution I agree, but
> leaving on the table an unencrypted private key is not something to do IMO.

You realize, of course, that there is absolutely no way you can stop the
user from extracting whatever data you put on his machine. "Secure
wallet" is an exercise in self-delusion. If you want actual security,
there had better be a machine that *you* control in the way.

regards, tom lane