On 2/26/21 2:55 PM, Jacob Champion wrote: > On Sat, 2021-01-30 at 16:18 -0500, Andrew Dunstan wrote: >> Making incremental additions to the certificate set easier wouldn't be a >> bad thing. >> >> I wonder if we should really be setting 1 as the serial number, though. >> Might it not be better to use, say, `date +%Y%m%d01` rather like we do >> with catalog version numbers? > I have been experimenting a bit with both of these suggestions; hope to > have something in time for commitfest on Monday. Writing new tests for > NSS has run into the same problems you've mentioned. > > FYI, I've pulled the port->peer_dn functionality you've presented here > into my authenticated identity patchset at [1]. > > --Jacob > > [1] > https://www.postgresql.org/message-id/flat/c55788dd1773c521c862e8e0dddb367df51222be.camel%40vmware.com
Cool. I think the thing that's principally outstanding w.r.t. this patch is what format we should use to extract the DN. Should we use RFC2253, which reverses the field order, as has been suggested upthread and is in the latest patch? I'm slightly worried that it might be a POLA violation. But I don't have terribly strong feelings about it. cheers andrew -- Andrew Dunstan EDB: https://www.enterprisedb.com
