"Web of trust" connections

From: Mark Morgan Lloyd
Purely out of curiosity, is there any way of using some sort of "web of
trust" (comparable with GPG or whatever) when verifying server and
client certificates, rather than going back to a centralised CA?

My apologies if this is a silly question, or if there are fundamental
reasons why such a thing would be inappropriate. My scenario is that I'm
looking at multiple PostgreSQL servers (with supporting custom software)
arranged (approximately) as a tree, with nodes sending notifications to
their peers as they see changes. I want to make it as easy as possible
to set up a new server and get it cooperating with the rest, and some
sort of WoT might be plausible rather than having to wait for the root
administrator to send keys over a secure channel.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]


Re: "Web of trust" connections

From: Jim Nasby
On 11/6/15 8:01 AM, Mark Morgan Lloyd wrote:
> Purely out of curiosity, is there any way of using some sort of "web of
> trust" (comparable with GPG or whatever) when verifying server and
> client certificates, rather than going back to a centralised CA?
>
> My apologies if this is a silly question, or if there are fundamental
> reasons why such a thing would be inappropriate. My scenario is that I'm
> looking at multiple PostgreSQL servers (with supporting custom software)
> arranged (approximately) as a tree, with nodes sending notifications to
> their peers as they see changes. I want to make it as easy as possible
> to set up a new server and get it cooperating with the rest, and some
> sort of WoT might be plausible rather than having to wait for the root
> administrator to send keys over a secure channel.

Postgres does support PAM, so you might be able to craft such a solution
using that along with something that supports WoT (like GPG).
--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com
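Jim's suggestion amounts to moving the accept/reject decision for a peer's certificate out of a CA chain and into a trust computation over certifications that peers have signed for each other. As an added illustration (not code from this thread or from PostgreSQL), the following Python models GPG's default web-of-trust validity rule: a key is valid if certified by one fully trusted valid key or three marginally trusted valid keys, at most five hops from the local key. It assumes the signatures on the certifications have already been verified (for example by GPG) and uses constructed node names.

```python
# Trust levels a node assigns to keys it knows, as in GPG's "owner trust".
FULL, MARGINAL = "full", "marginal"

def compute_valid_keys(root, certs, owner_trust, max_depth=5,
                       need_full=1, need_marginal=3):
    """Return {key: depth} for every key that is valid from `root`'s view.

    certs:       iterable of (signer, subject) certifications whose
                 signatures are assumed to have been verified already.
    owner_trust: {key: FULL | MARGINAL}; a valid key absent from this map
                 contributes nothing as an introducer (GPG's "unknown").
    A key becomes valid when certified by at least `need_full` valid,
    fully trusted keys or `need_marginal` valid, marginally trusted keys,
    at most `max_depth` hops from `root` (GPG's defaults: 1, 3 and 5).
    """
    valid = {root: 0}                # the local key is trusted unconditionally
    subjects = {subject for _, subject in certs}
    for depth in range(1, max_depth + 1):
        newly_valid = {}
        for subject in subjects - set(valid):
            full = marginal = 0
            for signer, s in certs:
                if s != subject or signer not in valid:
                    continue         # not about this key, or signer not (yet) valid
                level = FULL if signer == root else owner_trust.get(signer)
                if level == FULL:
                    full += 1
                elif level == MARGINAL:
                    marginal += 1
            if full >= need_full or marginal >= need_marginal:
                newly_valid[subject] = depth
        if not newly_valid:
            break                    # fixpoint reached before the depth limit
        valid.update(newly_valid)
    return valid

def is_trusted(key, root, certs, owner_trust, **kw):
    """True if `key` (e.g. a new server's certificate key) may be accepted."""
    return key in compute_valid_keys(root, certs, owner_trust, **kw)

# Constructed sample: a small tree of PostgreSQL nodes. The root admin fully
# trusts "A"; "B", "C" and "D" are only marginally trusted as introducers.
OWNER_TRUST = {"A": FULL, "B": MARGINAL, "C": MARGINAL, "D": MARGINAL}
CERTS = [("root", "A"), ("root", "B"), ("root", "C"), ("root", "D"),
         ("A", "E"),                                # one full introducer
         ("B", "new"), ("C", "new"), ("D", "new"),  # three marginal introducers
         ("B", "rogue")]                            # a single marginal one

if __name__ == "__main__":
    for key in ("E", "new", "rogue"):
        print(key, is_trusted(key, "root", CERTS, OWNER_TRUST))
```

The practical caveat this exposes is that a new server only becomes trusted once enough existing peers have certified it, so bootstrapping still needs at least one out-of-band introduction; the gain is that it need not be the root administrator who performs it.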


Re: "Web of trust" connections

From: Mark Morgan Lloyd
Jim Nasby wrote:
> On 11/6/15 8:01 AM, Mark Morgan Lloyd wrote:
>> Purely out of curiosity, is there any way of using some sort of "web of
>> trust" (comparable with GPG or whatever) when verifying server and
>> client certificates, rather than going back to a centralised CA?
>>
>> My apologies if this is a silly question, or if there are fundamental
>> reasons why such a thing would be inappropriate. My scenario is that I'm
>> looking at multiple PostgreSQL servers (with supporting custom software)
>> arranged (approximately) as a tree, with nodes sending notifications to
>> their peers as they see changes. I want to make it as easy as possible
>> to set up a new server and get it cooperating with the rest, and some
>> sort of WoT might be plausible rather than having to wait for the root
>> administrator to send keys over a secure channel.
>
> Postgres does support PAM, so you might be able to craft such a solution
> using that along with something that supports WoT (like GPG).

Thanks for that, Jim; very interesting suggestion.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]