Re: TODO: GNU TLS

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Martijn van Oosterhout <kleptog(at)svana(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, pgsql-hackers(at)postgresql(dot)org, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, mark(at)mark(dot)mielke(dot)cc, Mark Kirkwood <markir(at)paradise(dot)net(dot)nz>
Subject: Re: TODO: GNU TLS
Date: 2006-12-30 15:36:43
Message-ID: 4596878B.8040607@hagander.net
Lists: pgsql-hackers

Stephen Frost wrote:
> * Martijn van Oosterhout (kleptog(at)svana(dot)org) wrote:
>> On Sat, Dec 30, 2006 at 02:10:42AM -0500, Tom Lane wrote:
>>> Actually, it's *not* feature-complete even yet.
>> What's missing? I don't see anything on the TODO list relating to
>> this. If you wanted a GnuTLS patch that supported more features than
>> the OpenSSL one, you should have said so. Personally I would have
>> added:
>>
>> - authentication using PGP keys
>
> This would be the big feature I think is missing from our current SSL
> support. I don't think it'd be terribly difficult to support with
> either library (I think most of the work would be on the PG user auth
> side, which would be useable by either).

Wouldn't it be a lot more logical to support authentication with X.509
certificates rather than PGP keys? Given that SSL already has that at a
protocol level AFAIK? And if you are doing any kind of enterprise
deployment at least, you're likely to have the PKI infrastructure to
deal out X.509 already?

That said, you could do PGP authentication anyway - independent of SSL -
if people wanted it.

//Magnus
