| Header | Value |
|---|---|
| From | Christopher Head <chris2k01(at)hotmail(dot)com> |
| To | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc | pgsql-bugs(at)postgresql(dot)org |
| Subject | Re: BUG #5895: Ability to match more than just CN in client certificate |
| Date | 2011-03-05 05:16:30 |
| Message-ID | BLU0-SMTP872B40D3F51EE4AE622448F4C50@phx.gbl |
Lists: | pgsql-bugs |
On Thu, 3 Mar 2011 10:20:06 -0500
Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
[snip]
> It seems like there are a lot of possible combinations here that could
> be useful, so we'd want something that allowed a fairly flexible
> specification of what to match.
>
> Is this a problem you're interested in working on (i.e. contributing
> code)?
>

I agree, it seems like something along the lines of a full
distinguished name with the option to leave out fields would make the
most sense, plus some way of specifying other fields not in the formal
DN (serial #, fingerprint, or so). Thinking about it, serial number is
not necessarily ideal either, since one could reasonably want to trust
more than one CA. I feel like I'm pretty much saying I want to specify
a single certificate, in which case the full PKI is really kind of
pointless, but X.509 certificates are for better or worse the only sane
way of doing non-password-based authentication over TLS right now, so
that's what we've got to work with.

As for contributing code, not right now, but sometime in the near
future (next handful of months) I might be interested in hacking at
this.

Chris
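As an added illustration of the matching rule sketched in this message (this is example code written for this page, not code from the thread or from PostgreSQL): a rule names any subset of subject and issuer DN attributes plus optionally a serial number or fingerprint, omitted attributes act as wildcards, and a serial number is refused unless the issuer is pinned as well, because serials are only unique within one CA and the server may trust several. The `subject.X=`/`issuer.X=` rule syntax and the dict-shaped certificates are constructed assumptions, not a real X.509 parser or any existing pg_hba option.

```python
from typing import Any, Dict
def _norm_serial(s: str) -> str:  # hex serial, case- and leading-zero-insensitive
    return s.lower().lstrip("0") or "0"
def _norm_fp(s: str) -> str:  # fingerprint without colons or case
    return s.replace(":", "").lower()

def parse_rule(text: str) -> Dict[str, Any]:
    """Parse e.g. 'subject.CN=alice,issuer.CN=Example Corp CA,serial=1a2b'.
    Subject/issuer attributes the rule omits are wildcards (no commas in values)."""
    rule: Dict[str, Any] = {"subject": {}, "issuer": {}}
    for item in text.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed rule item: {item!r}")
        if key.startswith("subject."):
            rule["subject"][key[len("subject."):]] = value
        elif key.startswith("issuer."):
            rule["issuer"][key[len("issuer."):]] = value
        elif key == "serial":
            rule["serial"] = _norm_serial(value)
        elif key == "fingerprint":
            rule["fingerprint"] = _norm_fp(value)
        else:
            raise ValueError(f"unknown rule key: {key!r}")
    # A serial is unique only within its issuing CA; with several trusted CAs
    # a serial pinned on its own is ambiguous, so the issuer must be pinned too.
    if "serial" in rule and not rule["issuer"]:
        raise ValueError("serial= requires at least one issuer.* field")
    return rule

def cert_matches(rule: Dict[str, Any], cert: Dict[str, Any]) -> bool:
    """True if every field the rule names agrees with the certificate."""
    for part in ("subject", "issuer"):
        if any(cert[part].get(a) != v for a, v in rule[part].items()):
            return False
    if "serial" in rule and rule["serial"] != _norm_serial(cert["serial"]):
        return False
    if "fingerprint" in rule and rule["fingerprint"] != _norm_fp(cert["fingerprint"]):
        return False
    return True

# Constructed sample certificates as plain dicts (not parsed X.509 data),
# both issued by CAs the server is assumed to trust. Same CN, same serial.
ALICE = {"subject": {"CN": "alice", "O": "Example Corp", "OU": "Eng"},
         "issuer": {"CN": "Example Corp CA"}, "serial": "001A2B",
         "fingerprint": "AB:CD:EF:01:23:45"}
PARTNER = {"subject": {"CN": "alice", "O": "Partner Inc"},
           "issuer": {"CN": "Partner CA"}, "serial": "1a2b",
           "fingerprint": "01:23:45:67:89:AB"}
```

With these two sample certificates, `subject.CN=alice` alone accepts both, while adding `issuer.CN=Example Corp CA` or a fingerprint narrows the match to one.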