Thread: Community accounts and SSL

Perhaps management of community accounts should be done via an SSL-enabled web 
site.

On Wed, 2008-03-12 at 20:19 +0100, Peter Eisentraut wrote:
> Perhaps management of community accounts should be done via an SSL-enabled web 
> site.

Not a bad idea. How do we get our hands on a proper signed certificate
for wwwmaster.postgresql.org... SPI?

//Magnus

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 12 Mar 2008 22:04:01 +0100
Magnus Hagander <magnus@hagander.net> wrote:

> 
> On Wed, 2008-03-12 at 20:19 +0100, Peter Eisentraut wrote:
> > Perhaps management of community accounts should be done via an
> > SSL-enabled web site.
> 
> Not a bad idea. How do we get our hands on a proper signed certificate
> for wwwmaster.postgresql.org... SPI?

That is certainly one way, but do we really need that? Isn't a self
signed cert good enough?

Joshua D. Drake


- -- 
The PostgreSQL Company since 1997: http://www.commandprompt.com/ 
PostgreSQL Community Conference: http://www.postgresqlconference.org/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate     PostgreSQL political pundit | Mocker of
Dolphins

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH2EeRATb/zqfZUUQRAqcvAJ0SB8K5B2QM57HL39nF5xOdKYnIIgCfTsqY
ekRzm2LEKJAceFaIwVDVhTk=
=nhFr
-----END PGP SIGNATURE-----

"Joshua D. Drake" <jd@commandprompt.com> writes:
> That is certainly one way, but do we really need that? Isn't a self
> signed cert good enough?

Self-signed certs on a public-facing website scream of amateurism.
Every time someone visits the site, their browser will complain
about it, and quite rightly.

If you wanna do this, you need to pony up some cash to Verisign or
one of the other recognized CAs.
        regards, tom lane

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 12 Mar 2008 17:25:11 -0400
Tom Lane <tgl@sss.pgh.pa.us> wrote:

> "Joshua D. Drake" <jd@commandprompt.com> writes:
> > That is certainly one way, but do we really need that? Isn't a self
> > signed cert good enough?
> 
> Self-signed certs on a public-facing website scream of amateurism.
> Every time someone visits the site, their browser will complain
> about it, and quite rightly.

Well that isn't true. It asks once and that's it. I will admit
though that FF3 certainly makes it abundantly clear that it doesn't like
it that first time. As far as the amateurism, opinion vary :).

> 
> If you wanna do this, you need to pony up some cash to Verisign or
> one of the other recognized CAs.

Well like I said, we can do that. If that is the way the community
wants to go. A 5 year wildcard cert which could be used across all
subdomains is about 500.00.

Sincerely,

Joshua D. Drake



> 
>             regards, tom lane
> 


- -- 
The PostgreSQL Company since 1997: http://www.commandprompt.com/ 
PostgreSQL Community Conference: http://www.postgresqlconference.org/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate     PostgreSQL political pundit | Mocker of
Dolphins

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH2EwZATb/zqfZUUQRAo1/AJoC6oZi3mrVKNA9Uey9HVwmCUACfwCfRHkp
hXTfhn/hzNN6lvIuFxroQrc=
=ZSPd
-----END PGP SIGNATURE-----

On Wed, 2008-03-12 at 14:33 -0700, Joshua D. Drake wrote:
> On Wed, 12 Mar 2008 17:25:11 -0400
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> > "Joshua D. Drake" <jd@commandprompt.com> writes:
> > > That is certainly one way, but do we really need that? Isn't a self
> > > signed cert good enough?
> > 
> > Self-signed certs on a public-facing website scream of amateurism.
> > Every time someone visits the site, their browser will complain
> > about it, and quite rightly.
> 
> Well that isn't true. It asks once and that's it. I will admit
> though that FF3 certainly makes it abundantly clear that it doesn't like
> it that first time. As far as the amateurism, opinion vary :).

It does not. If you click the proper button in your browser, it doesn't
even let you in. If you click the second-least-improper one, it will
complain every time. Only if you pick the one option you're really not
supposed to pick, does it only complain once.

I dunno aobut other browsers, but in firefox the "bitch again next
session" is the default, and in modern IE versions, not letting you in
at all is the default.

Using a self-signed certificate is only secure if you somehow distribute
the self-signed certificate to all clients but a different, secure,
path.


> > If you wanna do this, you need to pony up some cash to Verisign or
> > one of the other recognized CAs.
> 
> Well like I said, we can do that. If that is the way the community
> wants to go. A 5 year wildcard cert which could be used across all
> subdomains is about 500.00.

Wildcard cert might be an option. I don't recall which browsers they are
supported these days. It's also a potential security issue - we can't
use them on something like a shared host somewhere. Perhaps one, or when
we get more requirements a couple, of regular certificates is a better
way to go?

The free option is to use CACert. It's not included by default in any
browser (I think - maybe some really new one has it), but it does have
an actual statement of trust along with it.

//Magnus

On Wed, 12 Mar 2008 14:33:13 -0700 Joshua D. Drake wrote:

> On Wed, 12 Mar 2008 17:25:11 -0400
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> > "Joshua D. Drake" <jd@commandprompt.com> writes:
> > > That is certainly one way, but do we really need that? Isn't a self
> > > signed cert good enough?
> > 
> > Self-signed certs on a public-facing website scream of amateurism.
> > Every time someone visits the site, their browser will complain
> > about it, and quite rightly.
> 
> Well that isn't true. It asks once and that's it. I will admit
> though that FF3 certainly makes it abundantly clear that it doesn't like
> it that first time. As far as the amateurism, opinion vary :).

Yes, you can tell your browser not to complain again, that's true but
that's not what you want.

How should i know who issued the cert in the first place? Was it you,
Joshua, was the cert issued and signed by the www team or was it some
hacker just sitting in the middle between my dsl and the postgresql
infrastructure?


> > If you wanna do this, you need to pony up some cash to Verisign or
> > one of the other recognized CAs.
> 
> Well like I said, we can do that. If that is the way the community
> wants to go. A 5 year wildcard cert which could be used across all
> subdomains is about 500.00.

We could also try CACert.


Kind regards

--             Andreas 'ads' Scherbaum
German PostgreSQL User Group
European PostgreSQL User Group - Board of Directors

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


> The free option is to use CACert. It's not included by default in any
> browser (I think - maybe some really new one has it), but it does have
> an actual statement of trust along with it.

Not having it by default in the browser is not going to work either. I've
been waiting on years for cacert to get their act together and at least
get included in FireFox but it doesn't look like it's going to happen.

I don't think we need a wildcard, we just need this for a single box,
right? That's less than $50 a year in today's competitive market.
Let's just buy one and be done with it.

- --
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200803121808
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAkfYVGkACgkQvJuQZxSWSsj8IwCfXQ8hs6PXLanjij16cnpn+GK+
azAAoPLJOPboPb6DgrhQjZ5uJxioDJ6p
=Priy
-----END PGP SIGNATURE-----