On 12/02/2013 03:21 PM, Ian Pilcher wrote:
> On 12/02/2013 02:17 PM, Tom Lane wrote:
>> Ian Pilcher <arequip...@gmail.com> writes:
>>> Yes.  And the problem is that there is no way to prevent OpenSSL from
>>> accepting intermediate certificates supplied by the client.  As a
>>> result, the server cannot accept client certificates signed by one
>>> intermediate CA without also accepting *any* client certificate that can
>>> present a chain back to the root CA.
>> Isn't that sort of the point?
>
> I'm not sure what you're asking.  The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root.  This is currently not possible, mainly due to the way
> that OpenSSL works.

Wouldn't that amount to only partially trusting the root? It seems kinda odd. In any case, it's not something I think Postgres needs to solve.

cheers

andrew
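The limitation Ian describes, shown as an added example (not code from this thread or from PostgreSQL) using Go's crypto/x509 in place of OpenSSL: with only the root trusted, a client certificate under either intermediate is accepted, and the server-side answer is to validate the chain as usual and then additionally require that the certificate which signed the leaf is the one pinned intermediate. The CA names, the mkCert/Accepts/Demo helpers and the throwaway test PKI are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var clientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
// mkCert issues a cert for cn signed by parent (self-signed when parent is nil). Constructed test PKI only.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: clientAuth,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// Accepts validates a client leaf against the trusted root using the intermediate the client presented.
// pinned == nil admits any chain back to the root (the thread's complaint); otherwise the leaf's signer must be pinned.
func Accepts(leaf, presented, root, pinned *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(presented)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: clientAuth})
	if err != nil {
		return false
	}
	for _, chain := range chains { // chain[0] is the leaf, chain[1] the cert that signed it
		if pinned == nil || (len(chain) > 1 && chain[1].Equal(pinned)) {
			return true
		}
	}
	return false
}
// Demo builds root -> {A, B} -> {client-a, client-b}; only clients issued under A should be admitted.
func Demo() (anyA, anyB, pinnedA, pinnedB bool) {
	root, rootKey := mkCert("Root CA", true, nil, nil)
	interA, keyA := mkCert("Intermediate A", true, root, rootKey)
	interB, keyB := mkCert("Intermediate B", true, root, rootKey)
	leafA, _ := mkCert("client-a", false, interA, keyA)
	leafB, _ := mkCert("client-b", false, interB, keyB)
	return Accepts(leafA, interA, root, nil), Accepts(leafB, interB, root, nil),
		Accepts(leafA, interA, root, interA), Accepts(leafB, interB, root, interA)
}
```

Demo returns true, true, true, false: trusting only the root admits both clients, while pinning Intermediate A still admits client-a but rejects client-b even though its chain to the root is valid.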


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
