On Wed, Jan 17, 2018 at 09:09:50AM +0900, Michael Paquier wrote:
> On Tue, Jan 16, 2018 at 11:21:22AM -0500, Bruce Momjian wrote:
> > On Tue, Jan 16, 2018 at 02:33:05PM +0900, Michael Paquier wrote:
> > > This bit is important. I am happy that your patch mentions that
> > > intermediate certificates avoid the need to store root ones on the
> > > client. Should the docs mention terms like "chain of trust"?
> >
> > I think the question is how much do we want to "teach" people in our
> > docs. We do oddly but wisely link from our docs to HP OpenVMS docs
> > about how the chain of trust works:
> >
> > http://h41379.www4.hpe.com/doc/83final/ba554_90007/ch04s02.html
> >
> > I will write up a paragraph about the concepts for our docs for the
> > group's review.
>
> As a separate patch, I think that it would be fine as well.
I ended up merging the "chain of trust" changes into the "intermediate"
patch since they affect adjacent sections of the docs. You can see this
as the first attached patch.
> > > Perhaps the docs could also include an example of command to create a
> > > root and an intermediate certificate in runtime.sgml or such?
> >
> > Yes, I have thought about that. My presentation has clear examples that
> > we can use, again based on Stephen and David's scripts using v3_ca. I
> > will work up a possible patch for that too.
>
> That too.
I did that as a separate patch, which is the second attachment.
> > > On top of that, src/test/ssl does not provide any kind of coverage for
> > > that. It would be an area of improvement for those tests.
> >
> > Wow, I have no idea how to do that. Let me look. Seems I have more
> > work to do.
>
> You would need to update src/test/ssl/Makefile to generate those
> intermediate CAs, and then make ServerSetup::switch_server_cert smarter
> in the way the series of certificates are handled. A suggestion I have
> would be to create each certificate file separately and change the
> routine so as it uses an array in input, the order of the items defining
> what's the order the the data. For the client there is sslrootcert, so I
> guess that a small routine able to take a set of certs and append them
> to a single file would make it as well (switch_server_cert should use
> it).
I don't think I will work on the testing changes.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
