From: Ian Pilcher <arequipeno(at)gmail(dot)com>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, stellr(at)vt(dot)edu, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Trust intermediate CA for client certificates
Date: 2013-12-02 21:07:43
Message-ID: 529CF69F.6030200@gmail.com
Lists: pgsql-general pgsql-hackers

On 12/02/2013 02:29 PM, Andrew Dunstan wrote:

> Wouldn't that amount to only partially trusting the root? It seems kinda
> odd. In any case, it's not something I think Postgres needs to solve.

I think that the fundamental problem is that authentication and
authorization are being conflated. From the OpenSSL point of view, it
is checking that the client certificate is valid (not expired, signed by
a trusted chain of CAs, etc.); i.e. it's only doing authentication.
PostgreSQL is trusting any client certificate that is validated by
OpenSSL. It's essentially trusting OpenSSL to do both authentication
and authorization, but OpenSSL isn't doing the latter.

Does PostgreSQL need to solve this? I don't know, but it certainly
would be a nice capability to have -- if only to avoid the confusion
that currently surrounds the issue.

--
========================================================================
Ian Pilcher arequipeno(at)gmail(dot)com
Sent from the cloud -- where it's already tomorrow
========================================================================
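
The distinction Ian draws above, as an added example that is not part of this thread or of PostgreSQL: a throw-away PKI (constructed names root, int-a, int-b, alice, bob; keys generated on the fly) built with the openssl command line, which is assumed to be installed. Chain validation against the root accepts a client certificate from either intermediate (authentication); an explicit issuer check that pins the permitted intermediate as the sole trust anchor accepts only one of them (authorization).

```shell
#!/bin/sh
# Demo: OpenSSL chain validation (authentication) versus an issuer allow-list
# (authorization). Constructed throw-away PKI; nothing here is a real credential.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# issue NAME ISSUER EXTFILE: fresh key and CSR for NAME, signed by ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$3" -out "$1.pem" 2>/dev/null
}

build_demo_pki() {
  # One root, two intermediates, one client certificate under each intermediate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=root" \
    -keyout root.key -out root.pem 2>/dev/null
  issue int-a root ca.ext
  issue int-b root ca.ext
  issue alice int-a client.ext   # issued by the intermediate we want to permit
  issue bob   int-b client.ext   # issued by a sibling intermediate under the same root
}

# authenticate CERT INTERMEDIATE: what a server that trusts only the root does.
# Any certificate that chains to the root is accepted, whichever intermediate signed it.
authenticate() {
  openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
}

# authorize_issuer CERT INTERMEDIATE: the extra step the thread is about.
# Comparing issuer DN strings alone would not do (a DN can be duplicated), so the
# permitted intermediate is made the sole trust anchor and the signature is verified.
authorize_issuer() {
  openssl verify -partial_chain -trusted "$2" "$1" >/dev/null 2>&1
}

build_demo_pki
authenticate alice.pem int-a.pem && echo "alice: chains to root (authentication passes)"
authenticate bob.pem int-b.pem && echo "bob:   chains to root (authentication passes)"
for c in alice bob; do
  if authorize_issuer "$c.pem" int-a.pem; then echo "$c: issued by int-a (authorized)"
  else echo "$c: not issued by int-a (rejected)"; fi
done
```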