Re: what can go in root.crt ?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
Cc: Chapman Flack <chap(at)anastigmatix(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: what can go in root.crt ?
Date: 2020-05-26 03:36:32
Message-ID: 20200526033632.GI14122@momjian.us
Lists: pgsql-hackers

On Tue, May 26, 2020 at 05:22:13AM +0200, Laurenz Albe wrote:
> On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> > Certificates I get at $work come four layers deep:
> >
> >
> > Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> >
> > Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> >
> > Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> >
> > End-entity cert for my server.
> >
> >
> > And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> > to be what I'm calling trusted in root.crt?
>
> I don't know if there is a way to get this to work, but the
> fundamental problem seems that you have got the system wrong.
>
> If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
> it as a certification authority.

It is true that WE ISSUE TO EVERYBODY can create a new intermediate with
the same intermediate name anytime they want.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
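The four-layer chain Chapman describes and Bruce's observation, as an added shell example that is not from the thread or from PostgreSQL: it builds the chain with the openssl CLI, then verifies two leaves with root.crt holding either the self-signed root or the pinned second intermediate. The openssl binary on PATH, all certificate names and the hostname are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build a four-layer chain like the one
# Chapman describes and compare two choices of trust anchor for root.crt.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; names and hostnames are made up.
set -e
WORK=$(mktemp -d) && cd "$WORK"

# mkcert NAME "/CN=subject" ISSUER|self CA:TRUE|CA:FALSE -> NAME.key, NAME.crt
mkcert() {
  local name=$1 subject=$2 issuer=$3 ca=$4
  if [ "$ca" = CA:TRUE ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$name.ext"
  else
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:db.example.test\n' > "$name.ext"
  fi
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" -subj "$subject" \
    -out "$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# verify_chain ANCHOR LEAF [INTERMEDIATE...]: ANCHOR plays the role of root.crt; the
# intermediates are the untrusted certs a server sends along with its leaf.
# -partial_chain lets a non-self-signed anchor terminate the chain. Prints ok or fail.
verify_chain() {
  local anchor=$1 leaf=$2 args=; shift 2
  for f in "$@"; do args="$args -untrusted $f"; done
  if openssl verify -partial_chain -CAfile "$anchor" $args "$leaf" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

mkcert root  "/CN=WE ISSUE TO EVERYBODY.COM"       self CA:TRUE
mkcert int1  "/CN=WE ISSUE TO LOTS OF FOLKS.COM"   root CA:TRUE
mkcert int2  "/CN=WE ISSUE TO ORGS LIKE YOURS.COM" int1 CA:TRUE
mkcert leaf  "/CN=db.example.test"                 int2 CA:FALSE
# Bruce's point: the root can issue a second intermediate carrying int2's exact
# name but a fresh key, and a leaf under it, without int2's cooperation.
mkcert int2b "/CN=WE ISSUE TO ORGS LIKE YOURS.COM" root CA:TRUE
mkcert leaf2 "/CN=db.example.test"                 int2b CA:FALSE

echo "root.crt=root, genuine chain:   $(verify_chain root.crt leaf.crt int2.crt int1.crt)"  # ok
echo "root.crt=root, re-issued chain: $(verify_chain root.crt leaf2.crt int2b.crt)"        # ok
echo "root.crt=int2, genuine chain:   $(verify_chain int2.crt leaf.crt)"                   # ok
echo "root.crt=int2, re-issued chain: $(verify_chain int2.crt leaf2.crt int2b.crt)"        # fail
```

Pinning int2 in root.crt rejects the re-issued chain because leaf2 is not signed by int2's key and int2b's issuer is not in the store; whether a given client enables partial-chain verification is a separate question this example does not settle.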
