On Thu, Feb 13, 2025 at 4:03 PM Michael Paquier <mich...@paquier.xyz> wrote:
> > If a CA is issuing Subject data that is somehow dangerous to the
> > operation of the server, I think that's a security problem in and of
> > itself: there are clientcert HBA modes that don't validate the
> > Subject, but they're still going to push that data into the catalogs,
> > aren't they?
>
> Is that the case before we finish authentication now?
No, but I still don't understand why that's relevant. My point is that transport authentication data should be neither less trustworthy prior to ClientAuthentication, nor more trustworthy after it, since it's signed by the same authentication provider that you're trusting to make the authentication decisions in the first place. (But it doesn't seem like we're going to agree on this for now; in the meantime I'll prepare a version of the patch that only calls pgstat_bestart_security() once.)

At some point in the future, I would really like to clarify what potential problems there are if we put verified Subject data into the catalogs before ClientAuthentication completes. I think that any such problems would continue to be problems after ClientAuthentication completes, too.

Thanks,
--Jacob