The following bug has been logged online: Bug reference: 5895 Logged by: Christopher Head Email address: chris2...@hotmail.com PostgreSQL version: 9.0.3 Operating system: Linux amd64 Description: Ability to match more than just CN in client certificate Details:
This is a feature request/wishlist, not a bug. Right now, when using client certificates over SSL for authentication, the username map maps from the Subject Common Name field in the certificate to a username in the database. It would be nice if matches could be done on a few other fields in the certificate. For example, my name is not particularly unusual, so it's reasonable that someone else in the world might (and probably does) have the same name. That doesn't mean I want to give that person access to my database, even if they also get a certificate from e.g. cacert.org! A few fields to match on that would pretty much instantly close this hole would be e-mail address and certificate serial number. While the e-mail address suggestion could be generalized to match an arbitrary subset of the subject's distinguished name fields (e.g. write something like /O=FooOrg/CN=Christopher Head/ to require that both fields must be present with the specified values), matching certificate serial number would be slightly different as the serial number is not part of the distinguished name. It would probably be the most secure field to match on, however, as no CA will ever issue two certificates with the same serial number. E-mail address would be a close second as an address can only be held by one person, though it relies on the CA being able to verify the legitimate owner of the address. -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
