* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> I think I agree with Martin on this. The server doesn't fail if you
> don't provide it a root cert; it just doesn't try to trace client certs
> to the root. It is not apparent why the client should be stricter than
> that, and definitely not apparent why such strictness should be the
> default behavior.
I agree with this. Avoiding spoofing is good, but so is on the wire
encryption even if you don't have anti-spoofing. This is a reasonable
set-up and we shouldn't just fail on it.
Stephen