Re: Trust intermediate CA for client certificates - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: Trust intermediate CA for client certificates
Date
Msg-id 529CEDBE.2050105@dunslane.net
In response to Re: Trust intermediate CA for client certificates  (Ian Pilcher <arequipeno@gmail.com>)
Responses Re: Trust intermediate CA for client certificates
List pgsql-hackers
On 12/02/2013 03:21 PM, Ian Pilcher wrote:
> On 12/02/2013 02:17 PM, Tom Lane wrote:
>> Ian Pilcher <arequipeno@gmail.com> writes:
>>> Yes.  And the problem is that there is no way to prevent OpenSSL from
>>> accepting intermediate certificates supplied by the client.  As a
>>> result, the server cannot accept client certificates signed by one
>>> intermediate CA without also accepting *any* client certificate that can
>>> present a chain back to the root CA.
>> Isn't that sort of the point?
>>
> I'm not sure what you're asking.  The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root.  This is currently not possible, mainly due to the way
> that OpenSSL works.
>


Wouldn't that amount to only partially trusting the root? It seems kinda
odd. In any case, it's not something I think Postgres needs to solve.

cheers

andrew
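The constraint Ian describes (a trust store anchored at the root accepts any client chain that reaches that root, so a single intermediate cannot be singled out) can be reproduced with the OpenSSL command line, and the same tool shows the usual mitigation: anchor the trust store at the intermediate itself. This is an added example, not code from the thread or from PostgreSQL; all CA and client names are constructed, and `-partial_chain` assumes OpenSSL 1.0.2 or newer.

```shell
#!/bin/sh
# Added example (not from the pgsql-hackers thread). Builds a throwaway PKI:
# one root, two intermediates (A and B), one client certificate under each.
# Then `openssl verify` is run with two trust stores. The -untrusted file
# stands in for the intermediate certs a TLS client sends along with its own.
# Names are constructed; -partial_chain needs OpenSSL 1.0.2 or newer.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

csr() {  # csr NAME: fresh RSA key plus a CSR with CN=NAME
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" >/dev/null 2>&1
}
sign() { # sign NAME ISSUER EXTFILE: issue NAME.crt from NAME.csr
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}
csr root; openssl x509 -req -in root.csr -signkey root.key -days 1 \
  -extfile ca.ext -out root.crt >/dev/null 2>&1
csr interA;  sign interA  root   ca.ext
csr interB;  sign interB  root   ca.ext
csr clientA; sign clientA interA leaf.ext
csr clientB; sign clientB interB leaf.ext
cat interA.crt interB.crt > sent.pem       # intermediates a client may present
cat root.crt interA.crt   > root_and_A.pem # "trust the root plus intermediate A"

# accepts STORE CLIENT [FLAG]: prints yes or no for one verification attempt
accepts() {
  if openssl verify $3 -CAfile "$1" -untrusted sent.pem "$2.crt" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# 1. Store holds the root and intermediate A. Any chain that reaches the root
#    is accepted, so clientB (issued by B) gets in as well: the thread's problem.
echo "root+A: clientA=$(accepts root_and_A.pem clientA) clientB=$(accepts root_and_A.pem clientB)"
# 2. Store holds only intermediate A, used as the anchor via -partial_chain.
#    Chains that need the root now fail, so only clientA is accepted.
echo "A only: clientA=$(accepts interA.crt clientA -partial_chain) clientB=$(accepts interA.crt clientB -partial_chain)"
```

The second run is the server-side equivalent of loading just the intermediate into the CA file with partial-chain verification enabled, which is how a server restricts client authentication to one issuing CA without trusting everything beneath the root.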
