From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Ian Pilcher <arequipeno(at)gmail(dot)com> |
Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Craig Ringer <craig(at)2ndquadrant(dot)com>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Trust intermediate CA for client certificates |
Date: | 2013-12-02 21:15:05 |
Message-ID: | 20131202211505.GT17272@tamriel.snowman.net |
Lists: | pgsql-general pgsql-hackers |
* Ian Pilcher (arequipeno(at)gmail(dot)com) wrote:
> On 12/02/2013 02:29 PM, Andrew Dunstan wrote:
> > Wouldn't that amount to only partially trusting the root? It seems kinda
> > odd. In any case, it's not something I think Postgres needs to solve.
>
> I think that the fundamental problem is that authentication and
> authorization are being conflated. From the OpenSSL point-of-view, it
> is checking that the client certificate is valid (not expired, signed by
> a trusted chain of CAs, etc.); i.e. it's only doing authentication.
Of course.
> PostgreSQL is trusting any client certificate that is validated by
> OpenSSL. It's essentially trusting OpenSSL to do both authentication
> and authorization, but OpenSSL isn't doing the latter.
That isn't at *all* accurate. Authorization is handled by pg_ident and
PG's role and grant system. We are only using OpenSSL's trust of the
certificate for authentication.
> Does PostgreSQL need to solve this? I don't know, but it certainly
> would be a nice capability to have -- if only to avoid the confusion
> that currently surrounds the issue.
I have no idea what you're getting at here.
Thanks,
Stephen
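To make the split Stephen describes concrete (OpenSSL validates the certificate chain; pg_ident.conf and the role/grant system decide what the presented identity may do), here is an added configuration example. It is not from the thread or from the PostgreSQL project; the map name `certmap`, the CN values and the role names are assumed for illustration.

```ini
# pg_hba.conf (added example, not from the thread)
# "cert" requires a client certificate that chains to a CA in ssl_ca_file
# (that is the authentication step OpenSSL performs). "map=certmap" sends the
# certificate CN through pg_ident.conf before it becomes a database role.
# TYPE  DATABASE  USER  ADDRESS       METHOD
hostssl all       all   0.0.0.0/0     cert map=certmap

# pg_ident.conf (added example; map name and names are assumed)
# MAPNAME  SYSTEM-USERNAME (certificate CN)   PG-USERNAME
# Only CNs listed here may log in at all; a valid certificate whose CN has
# no entry is rejected, regardless of which trusted CA signed it.
certmap    alice                               alice
certmap    reporting-batch                     report_reader
# Regex form: CNs of the shape "svc-<name>" map to the role "<name>".
certmap    /^svc-(.+)$                         \1
```

The authorization step then lives in the database: a mapped role only sees what it has been granted, e.g. `GRANT SELECT ON ALL TABLES IN SCHEMA reports TO report_reader;`. Restricting which CNs pg_ident.conf accepts is the lever for limiting what a trusted CA (root or intermediate) can effectively sign for, without changing how OpenSSL validates the chain.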
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2013-12-02 21:17:57 | Re: Trust intermediate CA for client certificates |
Previous Message | Bruce Momjian | 2013-12-02 21:12:17 | Re: Trust intermediate CA for client certificates |