Home > mailing lists

Re: what can go in root.crt ? - Mailing list pgsql-hackers

From	Laurenz Albe
Subject	Re: what can go in root.crt ?
Date	May 26, 2020 06:22:13
Msg-id	74fc462353764d11d807976825eb091ef8f6e0f1.camel@cybertec.at Whole thread Raw
In response to	what can go in root.crt ? (Chapman Flack <chap@anastigmatix.net>)
Responses	Re: what can go in root.crt ? (Bruce Momjian <bruce@momjian.us>) Re: what can go in root.crt ? (Chapman Flack <chap@anastigmatix.net>)
List	pgsql-hackers

Tree view

On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> Certificates I get at $work come four layers deep:
> 
> 
> Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> 
>   Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> 
>     Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> 
>       End-entity cert for my server.
> 
> 
> And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> to be what I'm calling trusted in root.crt?

I don't know if there is a way to get this to work, but the
fundamental problem seems that you have got the system wrong.

If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
it as a certification authority.

Yours,
Laurenz Albe

pgsql-hackers by date:

From: Chapman Flack
Date: 26 May 2020, 06:17:46
Subject: Re: what can go in root.crt ?

From: Amit Khandekar
Date: 26 May 2020, 06:36:12
Subject: Re: Inlining of couple of functions in pl_exec.c improves performance

Re: what can go in root.crt ? - Mailing list pgsql-hackers

Previous

Next