From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Ian Pilcher <arequipeno(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org, tgl(at)sss(dot)pgh(dot)pa(dot)us, stellr(at)vt(dot)edu, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [HACKERS] Trust intermediate CA for client certificates |
Date: | 2013-03-19 05:28:10 |
Message-ID: | 5147F76A.3070401@2ndquadrant.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general pgsql-hackers |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 03/18/2013 08:55 PM, Stephen Frost wrote:
> Makes sense to me. I'm not particular about the names, but isn't this
> set of CAs generally considered intermediary? Eg: 'trusted', '
> intermediate', etc?
They are intermediary, but we're dealing with the case where trust and
authorization are not the same thing. Trust stems from the trusted root
in the SSL CA model, but that's a chain of trust for *identity*
(authentication), not *authorization*.
Bob J. Criminal might well have a client certificate from a trusted
authority proving that he's who he says he is (he's authenticated) but
we sure as hell don't want to authorize his access to anything.
That's where the intermediate certs come in. We might say "Only users
with certificates issued by our corporate HR team are authorized to
connect to our servers". This is a root of trust, but this time it's a
root of trust to *authorize*, not just to authenticate.
The usual SSL terminology doesn't consider this, because it's a simple
back and white trust model where authenticated = authorized.
I guess that suggests we should be calling this something like
'ssl_authorized_client_roots'.
- --
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJRR/dqAAoJELBXNkqjr+S2TV4H/3f9Hnf9JhSuGhWblh2adgTJ
Rkdx/9RbByJDMJP0s0c8C1sXaWZGJmKmLhJoes4IIvOVW85SVUa9WoT+UBJPdx9P
esUNsSLFokLqom3TxNRZOHaloyZ+OZafSUnKCwMOIvD0hIehrS3Wcg70QMSj06tX
h22BVhA8bzO1Wdg9UdD98jcuWdEbLgWzVtvIXjICcMJ1azgiF1VY4zwUUbBJBfLG
UIA7+2TtVaXQuge6qWgId0RTKKrb6cLHXCSQ/rigy0mRH9m/G5jKmqENvLAnafI4
4lSBPyDzNj2fBfP9YgIiAe/EGjnJMWQfBBghQI3QrK2kjOZXtzZoOb4XEjfn3FI=
=u+2j
-----END PGP SIGNATURE-----
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2013-03-19 05:46:32 | Re: [HACKERS] Trust intermediate CA for client certificates |
Previous Message | Rob Sargentg | 2013-03-19 04:04:00 | Re: regexp_replace failing on 9.0.4 |
From | Date | Subject | |
---|---|---|---|
Next Message | =?koi8-r?B?IunO18XT1MnS1cog1yDQ0s/H0sHNzc7PxSDPwsXT0MXexc7JxSEi?= | 2013-03-19 05:35:57 | Быстрые вклады с прибылью от 30% до 90% ежемесячно! |
Previous Message | Daniel Farina | 2013-03-19 05:27:23 | Re: Optimizing pglz compressor |