From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
---|---|
To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | "Martijn van Oosterhout" <kleptog(at)svana(dot)org>, "Florian Weimer" <fw(at)deneb(dot)enyo(dot)de>, <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Upcoming re-releases |
Date: | 2006-02-11 17:21:42 |
Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCEA0F77B@algol.sollentuna.se |
Lists: | pgsql-hackers |
> > If you stick a root certificate (root.crt in ~/.postgresql) for it to
> > validate against, it will be validated against that root. I'm not sure
> > if it validates the common name of the cert though - that would be an
> > issue if you're using a global CA. If you're using a local enterprise
> > CA, that's a much smaller issue (because you yourself have total
> > control over who gets certificates issued by the CA).
>
> But in either case, it would only be checking that the cert had been
> issued by that CA, no? Unless you set up a CA that only ever issues
> certificates to your PG server, someone else with a cert from the CA
> could still impersonate. Or am I mistaken about that?

Correct. But if you run your own enterprise CA, that's exactly the kind
of thing you can make sure - that nobody else has a certificate from
that CA.

But no, it wouldn't be bad if there was a way to specify exactly which
cert is used. Or at least validate the common name of it against the
hostname of the server.

//Magnus
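
The difference discussed in this message, between accepting any certificate issued by the trusted root and also matching the common name against the server's hostname, is shown below as an added example that is not part of the original message and is not libpq code. The struct, the function names, the CA name and the hostnames are all constructed for illustration, and the signature check itself is reduced to an issuer comparison.

```c
/* Added illustration, not libpq code; every name here is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for a peer certificate, reduced to two fields. */
struct peer_cert {
    const char *issuer;      /* CA that signed the certificate */
    const char *common_name; /* subject CN */
};

/* Chain-only policy: anything issued by the trusted root is accepted. */
bool accept_chain_only(const struct peer_cert *c, const char *root)
{
    return strcmp(c->issuer, root) == 0;
}

/* Case-insensitive CN match; a leading "*." covers exactly one label. */
bool cn_matches_host(const char *cn, const char *host)
{
    if (cn == NULL || host == NULL || *cn == '\0' || *host == '\0')
        return false;
    if (strncmp(cn, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        /* need a non-empty first label and a parent domain with a dot */
        if (dot == NULL || dot == host || strchr(dot + 1, '.') == NULL)
            return false;
        return strcasecmp(cn + 1, dot) == 0;
    }
    return strcasecmp(cn, host) == 0;
}

/* Chain plus hostname: the CN must also name the host that was dialed. */
bool accept_chain_and_host(const struct peer_cert *c, const char *root,
                           const char *host)
{
    return accept_chain_only(c, root) && cn_matches_host(c->common_name, host);
}

int main(void)
{
    /* Constructed sample: a different host's cert from the same CA. */
    struct peer_cert other = { "Corp Internal CA", "mail.corp.example" };
    printf("chain only: %d, chain+host: %d\n",
           accept_chain_only(&other, "Corp Internal CA"),
           accept_chain_and_host(&other, "Corp Internal CA", "db.corp.example"));
    return 0;
}
```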