On Thu, 3 Mar 2011 10:20:06 -0500 Robert Haas <robertmh...@gmail.com> wrote:
[snip]
> It seems like there are a lot of possible combinations here that could
> be useful, so we'd want something that allowed a fairly flexible
> specification of what to match.
>
> Is this a problem you're interested in working on (i.e. contributing
> code)?
>

I agree, it seems like something along the lines of a full distinguished name with the option to leave out fields would make the most sense, plus some way of specifying other fields not in the formal DN (serial #, fingerprint, or so).

Thinking about it, serial number is not necessarily ideal either, since one could reasonably want to trust more than one CA. I feel like I'm pretty much saying I want to specify a single certificate, in which case the full PKI is really kind of pointless, but X.509 certificates are for better or worse the only sane way of doing non-password-based authentication over TLS right now, so that's what we've got to work with.

As for contributing code, not right now, but sometime in the near future (next handful of months) I might be interested in hacking at this.

Chris

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
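
The matching scheme discussed in this message (a DN with optional fields, plus serial number or fingerprint), sketched as an added example that is not part of the original thread and not PostgreSQL code. The rule format, function names and sample certificates are hypothetical, and it assumes the TLS layer has already validated the chain to a trusted CA.

```python
import hashlib

def parse_dn(dn):
    """Split 'CN=alice,O=Example' into {'CN': 'alice', 'O': 'Example'}.
    Simplification: no escaped commas, no multi-valued RDNs."""
    return {k.strip().upper(): v.strip()
            for k, v in (part.split("=", 1) for part in dn.split(","))}

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def make_rule(subject=None, issuer=None, serial=None, fp=None):
    if serial is not None and issuer is None:
        raise ValueError("serial is only unique per CA; give issuer too")
    if not any((subject, issuer, fp)):
        raise ValueError("empty rule would match every certificate")
    return {"subject": parse_dn(subject) if subject else {},
            "issuer": parse_dn(issuer) if issuer else {},
            "serial": serial, "fp": fp.lower() if fp else None}

def dn_matches(pattern, actual):
    # Fields omitted from the pattern are wildcards; listed ones must be equal.
    return all(actual.get(k) == v for k, v in pattern.items())

def cert_matches(rule, cert):
    if not dn_matches(rule["subject"], parse_dn(cert["subject"])):
        return False
    if not dn_matches(rule["issuer"], parse_dn(cert["issuer"])):
        return False
    if rule["serial"] is not None and rule["serial"] != cert["serial"]:
        return False
    if rule["fp"] is not None and rule["fp"] != fingerprint(cert["der"]):
        return False
    return True

# Constructed sample certificates (the "der" bytes are placeholders, not real DER).
CERT_A = {"subject": "CN=chris,OU=dba,O=Example", "issuer": "CN=CA One,O=Example",
          "serial": 7, "der": b"constructed-cert-a"}
CERT_B = {"subject": "CN=chris,OU=dba,O=Example", "issuer": "CN=CA Two,O=Other",
          "serial": 7, "der": b"constructed-cert-b"}
```

The two sample certificates share a subject and a serial number but come from different CAs, so only a rule that pins the issuer along with the serial, or pins the fingerprint, tells them apart.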