Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 20131202205943.GQ17272@tamriel.snowman.net
Whole thread Raw
In response to Re: Trust intermediate CA for client certificates  (Ian Pilcher <arequipeno@gmail.com>)
List pgsql-hackers
* Ian Pilcher (arequipeno@gmail.com) wrote:
> On 12/02/2013 02:17 PM, Tom Lane wrote:
> > Ian Pilcher <arequipeno@gmail.com> writes:
> >> Yes.  And the problem is that there is no way to prevent OpenSSL from
> >> accepting intermediate certificates supplied by the client.  As a
> >> result, the server cannot accept client certificates signed by one
> >> intermediate CA without also accepting *any* client certificate that can
> >> present a chain back to the root CA.
> >
> > Isn't that sort of the point?

Yes.

> I'm not sure what you're asking.  The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root.  This is currently not possible, mainly due to the way
> that OpenSSL works.

It's not possible because of the way certificate chains are *intended*
to work..  What you're asking for is something which was not a use-case
for certificates.  Cross-organizational trusts were done through
'bridge' CAs, which then can have policies about what attributes are
allowed to pass through a bridge or be trusted from a not-our-root-CA.
Intermediate certificates are not the same thing and were never intended
to be used in the way you're asking for.
Thanks,
    Stephen

pgsql-hackers by date:

Previous
From: Bruce Momjian
Date:
Subject: Re: Trust intermediate CA for client certificates
Next
From: Andrew Dunstan
Date:
Subject: Re: Trust intermediate CA for client certificates