On Sat, Nov 30, 2013 at 12:10:19PM -0500, Bruce Momjian wrote:
> > Drat, you're quite right. I've always included the full certificate
> > chain in client certs but it's in no way required.
> >
> > I guess that pretty much means maintaining the status quo and documenting
> > it better.
>
> I have developed the attached patch to document this behavior. My goals
> were:
>
> * clarify that a cert can match a remote intermediate or root certificate
> * clarify that the client cert must match a server root.crt
> * clarify that the server cert much match a client root.crt
> * clarify that the root certificate does not have to be specified
> in the client or server cert as long as the remote end has the chain
> to the root
>
> Does it meet these goals? Is it correct?
I have updated the patch, attached, to be clearer about the requirement
that intermediate certificates need a chain to root certificates.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
