The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/15/auth-cert.html

Description:
Re: https://www.postgresql.org/docs/current/auth-cert.html and "21.12. Certificate Authentication"

"Certificate Authentication" as used in this context is typically called "Mutual Authentication." The term "Certificate Authentication" does not make a lot of sense since a user agent is almost always authenticating the server using an X.509 certificate. When only the server authenticates itself, it's usually referred to as "Server Authentication" or, less frequently, "One-way Authentication."

The use of Pre-Shared Keys (PSK) and Secure Remote Passwords (SRP) is kind of rare. The cipher suites perform Mutual Authentication without the need for certificates. Ironically, PSK and SRP provide channel binding, which improves security of the channel by binding authentication to channel setup. The parties mutually authenticate or the channel setup fails. Channel binding via PSK and SRP should be used more frequently than it is.

From RFC 8446, Section 1:

1. Introduction

The primary goal of TLS is to provide a secure channel between two communicating peers; the only requirement from the underlying transport is a reliable, in-order data stream. Specifically, the secure channel should provide the following properties:

- Authentication: The server side of the channel is always authenticated; the client side is optionally authenticated. Authentication can happen via asymmetric cryptography (e.g., RSA [RSA], the Elliptic Curve Digital Signature Algorithm (ECDSA) [ECDSA], or the Edwards-Curve Digital Signature Algorithm (EdDSA) [RFC8032]) or a symmetric pre-shared key (PSK).

From RFC 8446, Appendix E:

E.1. Handshake

The TLS handshake is an Authenticated Key Exchange (AKE) protocol which is intended to provide both one-way authenticated (server-only) and mutually authenticated (client and server) functionality. At the completion of the handshake, each side outputs its view of the following values:

...

[1] https://www.rfc-editor.org/rfc/rfc8446
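The distinction the comment draws (server-only versus mutual authentication) maps onto concrete pg_hba.conf settings: a plain hostssl line with a password method only authenticates the server, while the "cert" method or the "clientcert=verify-full" option make the client prove itself with an X.509 certificate too. The following checker is an added example written for this page; it is not code from the comment author or from the PostgreSQL project. It assumes PostgreSQL 15 pg_hba.conf semantics (cert only on hostssl lines, clientcert values verify-ca and verify-full, cert implying verify-full), parses a constructed sample file embedded in the block, and labels each line with the kind of TLS peer authentication it yields. The label names and the explanatory notes are this example's own wording, not PostgreSQL's.

```python
"""Classify pg_hba.conf entries by the TLS peer authentication they impose.

Added example for the pgsql-docs comment above; not part of that comment
or of the PostgreSQL source. Assumes PostgreSQL 15 pg_hba.conf semantics.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample pg_hba.conf (not taken from any real deployment).
SAMPLE_PG_HBA = """\
# TYPE     DATABASE  USER  ADDRESS         METHOD         [OPTIONS]
local      all       all                   peer
host       all       all   10.0.0.0/8      scram-sha-256
hostssl    all       all   10.0.0.0/8      scram-sha-256
hostssl    all       all   10.0.0.0/8      scram-sha-256  clientcert=verify-full
hostssl    all       all   0.0.0.0/0       cert           map=clientcerts
hostssl    all       all   0.0.0.0/0       cert           clientcert=verify-ca
host       all       all   0.0.0.0/0       cert
hostnossl  all       all   192.168.1.0/24  trust
"""

# Labels in the comment's terminology (names chosen for this example).
MUTUAL = "mutual"              # both peers prove identity with X.509 certificates
SERVER_ONLY = "server-only"    # TLS authenticates the server; client uses another credential
TLS_OPTIONAL = "tls-optional"  # "host" matches TLS and non-TLS connections alike
NO_TLS = "no-tls"              # no TLS on this path at all
INVALID = "invalid"            # PostgreSQL rejects the line when loading pg_hba.conf

_NETMASK = re.compile(r"^[0-9a-fA-F.:]+$")  # IPv4/IPv6 literal used as a separate netmask field


@dataclass
class HbaEntry:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: Optional[str]
    method: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_pg_hba(text: str) -> List[HbaEntry]:
    """Minimal parser: comments, CIDR or 'IP netmask' addresses, key=value options.
    Quoted tokens and include directives are deliberately not handled."""
    entries: List[HbaEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: too few fields")
            database, user, address, rest = fields[1], fields[2], None, fields[3:]
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: too few fields")
            database, user, address, rest = fields[1], fields[2], fields[3], fields[4:]
            # Two-field "IP netmask" form: the next token is an address literal, not a method.
            if _NETMASK.match(rest[0]) and any(c in rest[0] for c in ".:"):
                address, rest = f"{address}/{rest[0]}", rest[1:]
        if not rest:
            raise ValueError(f"line {lineno}: missing METHOD")
        method, options = rest[0], {}
        for opt in rest[1:]:
            key, sep, value = opt.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed option {opt!r}")
            options[key] = value
        entries.append(HbaEntry(lineno, conn_type, database, user, address, method, options))
    return entries


def classify(entry: HbaEntry) -> Tuple[str, str]:
    """Return (label, explanation) describing who authenticates whom on this line."""
    t, m, cc = entry.conn_type, entry.method, entry.options.get("clientcert")
    if t == "local":
        return (NO_TLS, "Unix-domain socket; no TLS involved")
    if t in ("host", "hostnossl"):
        if m == "cert":
            return (INVALID, "cert authentication requires a hostssl line")
        if cc is not None:
            return (INVALID, "clientcert is only meaningful on hostssl lines")
        if t == "hostnossl":
            return (NO_TLS, "matches only non-TLS connections")
        return (TLS_OPTIONAL, "matches TLS and non-TLS connections; nothing forces server authentication")
    if t == "hostssl":
        if m == "cert":
            if cc not in (None, "verify-full"):
                return (INVALID, "cert already implies verify-full; other clientcert values conflict")
            return (MUTUAL, "client certificate is the credential; CN (or map=) must match the role")
        if cc == "verify-full":
            return (MUTUAL, f"client certificate verified and bound to the role, plus {m}")
        if cc == "verify-ca":
            return (MUTUAL, f"client certificate chains to the CA but is not bound to the role; {m} still required")
        if cc is not None:
            return (INVALID, f"unknown clientcert value {cc!r}")
        return (SERVER_ONLY, f"client authenticated by {m}, not by certificate")
    return (INVALID, f"unknown connection type {t!r}")


def audit(text: str) -> Dict[int, str]:
    """Map each pg_hba.conf line number to its label."""
    return {e.lineno: classify(e)[0] for e in parse_pg_hba(text)}


if __name__ == "__main__":
    for e in parse_pg_hba(SAMPLE_PG_HBA):
        label, why = classify(e)
        print(f"line {e.lineno:2d} {e.conn_type:<9} {e.method:<14} -> {label:<12} {why}")
```

Only the "cert" lines and the "clientcert=verify-full" line come out as mutual; the line with "clientcert=verify-ca" is mutual at the TLS layer but any certificate from the trusted CA is accepted for any role, so the method after it still carries the user binding. The two lines that put cert-related settings on non-hostssl records are flagged because PostgreSQL will refuse to load them.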