* Tom Lane (t...@sss.pgh.pa.us) wrote:
> I think I agree with Martin on this. The server doesn't fail if you
> don't provide it a root cert; it just doesn't try to trace client certs
> to the root. It is not apparent why the client should be stricter than
> that, and definitely not apparent why such strictness should be the
> default behavior.

I agree with this. Avoiding spoofing is good, but so is on-the-wire encryption even if you don't have anti-spoofing. This is a reasonable set-up and we shouldn't just fail on it.

Stephen