On Wed, Jun 3, 2020 at 03:07:30PM +0300, Ants Aasma wrote: > On Tue, 2 Jun 2020 at 20:14, Bruce Momjian <br...@momjian.us> wrote: > > The server certificate should be issued by a certificate authority root > outside of your organization only if you want people outside of your > organization to trust your server certificate, but you are then asking > for the client to only trust an intermediate inside your organization. > The big question is why bother having the server certificate chain to a > root certificat you don't trust when you have no intention of having > clients outside of your organization trust the server certificate. > Postgres could be made to handle such cases, but is is really a valid > configuration we should support? > > > I think the "why" the org cert is not root was already made clear, that is the > copmany policy. I don't think postgres should take a stance whether the > certificate designated as the root of trust is self-signed or claims to get > its > power from somewhere else.
Uh, we sure can. We disallow many configurations that we consider unsafe. openssl allowed a lot of things, and their flexibility make them less secure. -- Bruce Momjian <br...@momjian.us> https://momjian.us EnterpriseDB https://enterprisedb.com The usefulness of a cup is in its emptiness, Bruce Lee
