Re: Trust intermediate CA for client certificates
From | Ian Pilcher |
---|---|
Subject | Re: Trust intermediate CA for client certificates |
Date | |
Msg-id | 529CF69F.6030200@gmail.com |
In response to | Re: Trust intermediate CA for client certificates (Andrew Dunstan <andrew@dunslane.net>) |
Responses | Re: Trust intermediate CA for client certificates |
List | pgsql-hackers |
On 12/02/2013 02:29 PM, Andrew Dunstan wrote:
> Wouldn't that amount to only partially trusting the root? It seems kinda
> odd. In any case, It's not something I think Postgres needs to solve.

I think that the fundamental problem is that authentication and
authorization are being conflated. From the OpenSSL point-of-view, it
is checking that the client certificate is valid (not expired, signed by
a trusted chain of CAs, etc.); i.e. it's only doing authentication.

PostgreSQL is trusting any client certificate that is validated by
OpenSSL. It's essentially trusting OpenSSL to do both authentication
and authorization, but OpenSSL isn't doing the latter.

Does PostgreSQL need to solve this? I don't know, but it certainly
would be a nice capability to have -- if only to avoid the confusion
that currently surrounds the issue.

--
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
Sent from the cloud -- where it's already tomorrow
========================================================================
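
The distinction drawn in the message above, as an added example that is not part of the original post and is not PostgreSQL code: a throwaway PKI built with the `openssl` CLI, where chain validation against the root accepts client certificates from both intermediates, and limiting acceptance to one intermediate takes a second, separate check. All names (Demo-Root, Int-A, Int-B, alice, bob) and the helper functions are constructed for the illustration.

```shell
#!/bin/sh
# Constructed demo PKI (all names are made up): Demo-Root signs Int-A and Int-B;
# alice's client cert is issued by Int-A, bob's by Int-B.

new_req() {   # $1=dir $2=file stem $3=CN : fresh key + CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

sign() {      # $1=dir $2=subject stem $3=issuer stem $4=extension file
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 2 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
}

build_pki() { # $1=dir
  echo 'basicConstraints=critical,CA:TRUE' > "$1/ca.ext"
  echo 'basicConstraints=CA:FALSE'         > "$1/leaf.ext"
  new_req "$1" root Demo-Root
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  new_req "$1" int_a Int-A; sign "$1" int_a root ca.ext
  new_req "$1" int_b Int-B; sign "$1" int_b root ca.ext
  new_req "$1" alice alice; sign "$1" alice int_a leaf.ext
  new_req "$1" bob   bob;   sign "$1" bob   int_b leaf.ext
  cat "$1/int_a.pem" "$1/int_b.pem" > "$1/chain.pem"
}

# Authentication only: does the cert chain to the trusted root?
chains_to_root() {      # $1=dir $2=client stem
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" \
    "$1/$2.pem" >/dev/null 2>&1
}

# Separate acceptance decision: only chains anchored at Int-A pass.
issued_under_int_a() {  # $1=dir $2=client stem
  openssl verify -partial_chain -CAfile "$1/int_a.pem" \
    "$1/$2.pem" >/dev/null 2>&1
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); build_pki "$d"
  for c in alice bob; do
    chains_to_root "$d" "$c" && echo "$c: chains to Demo-Root"
    issued_under_int_a "$d" "$c" && echo "$c: accepted under Int-A" \
      || echo "$c: rejected under Int-A"
  done
  rm -rf "$d"
fi
```

Run it with the argument `demo` to see both clients pass the root check while only alice passes the Int-A check.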