Re: what can go in root.crt ? - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: what can go in root.crt ?
Date
Msg-id 20200526033632.GI14122@momjian.us
In response to Re: what can go in root.crt ?  (Laurenz Albe <laurenz.albe@cybertec.at>)
List pgsql-hackers
On Tue, May 26, 2020 at 05:22:13AM +0200, Laurenz Albe wrote:
> On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> > Certificates I get at $work come four layers deep:
> > 
> > 
> > Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> > 
> >   Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> > 
> >     Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> > 
> >       End-entity cert for my server.
> > 
> > 
> > And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> > to be what I'm calling trusted in root.crt?
> 
> I don't know if there is a way to get this to work, but the
> fundamental problem seems that you have got the system wrong.
> 
> If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
> it as a certification authority.

It is true that WE ISSUE TO EVERYBODY can create a new intermediate with
the same intermediate name anytime they want.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
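The point made in the message above, as an added example that is not part of the original post or of PostgreSQL: a throwaway root issues two intermediates with the same subject name, and both verify under that root even though their keys differ. It assumes the OpenSSL command-line tool is installed; the names `Demo Root` and `Demo Intermediate`, the file names and the helper functions are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: every name and key here is a throwaway generated locally.
set -eu
DEMO_DIR=$(mktemp -d)

# Runs in a subshell so the caller's working directory is left alone.
build_demo_pki() (
  cd "$DEMO_DIR"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root: the only certificate the verifier is told to trust
  # (it plays the role of WE ISSUE TO EVERYBODY in the thread).
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -days 1 2>/dev/null
  # Two intermediates with the SAME subject name but independent key pairs.
  for n in 1 2; do
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Demo Intermediate" \
      -keyout "int$n.key" -out "int$n.csr" 2>/dev/null
    openssl x509 -req -in "int$n.csr" -CA root.crt -CAkey root.key \
      -set_serial "$n" -days 1 -extfile ca.cnf -extensions v3_ca \
      -out "int$n.crt" 2>/dev/null
  done
)

# Subject name of a certificate in the demo directory.
subject_of() { openssl x509 -in "$DEMO_DIR/$1" -noout -subject -nameopt RFC2253; }
# SHA-256 over the PEM-encoded public key: identifies the key, not the name.
key_digest() { openssl x509 -in "$DEMO_DIR/$1" -noout -pubkey | openssl dgst -sha256; }
# True when the certificate validates with only the demo root as trust anchor.
chains_to_root() {
  openssl verify -CAfile "$DEMO_DIR/root.crt" "$DEMO_DIR/$1" >/dev/null 2>&1
}

build_demo_pki
for c in int1.crt int2.crt; do
  chains_to_root "$c" && echo "$c | $(subject_of "$c") | $(key_digest "$c")"
done
```

Both output lines show the same subject and a different key digest, so with the root as the trust anchor the intermediate's name alone does not tell the two certificates apart.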
