Re: Daniel Kahn Gillmor 2012-07-04 <4ff45b2e.4070...@fifthhorseman.net>
> Will any of the interested parties here be at debconf this coming week?

Not me.

> I hope to have a broader discussion about X.509 certificate and key
> management across debian on the 14th, and would be happy to have
> contributions from interested parties from the postgres community about
> what we can do to make cert management better-integrated for debian admins:

The snakeoil certs should be the symlink target/postgresql.conf values
for now. If the make-ssl-cert infrastructure decides to provide a
better default, we will switch to it, but I don't think we should try
to fix the "SSL handling in Debian problem" in the postgresql
packages. (And frankly, I find SSL with fake certs enabled by default
*way* better than shipping a really insecure default config.)

I'm not sure if PostgreSQL does anything special that the generic SSL
server package doesn't do, but here's a generic idea:

Wouldn't it make sense to provide a canonical location for "this host"
certificates like

/etc/ssl/certs/thishost.crt
/etc/ssl/private/thishost.key

which would initially be symlinks to the current snakeoil certs? That
way, people providing a real "this host" certificate wouldn't need to
change N packages. They would just make these two symlinks point to
the real files, and be done for most applications.

The case of a CA for client certificate validation is probably more
difficult, but maybe that should also have a generic default location.
I guess the default would be not to share that between applications by
default, but I might be wrong. Anyway, a default location that's
commented in the default config and just needs to be uncommented would
probably be a nice service for admins.

Christoph
-- 
c...@df7cb.de | http://www.df7cb.de/
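
The canonical-location idea above, sketched as an added example (not part of the original message or of any Debian package): a helper that repoints the two "this host" symlinks at a certificate/key pair. `SSL_ROOT`, `point_thishost` and `swap_link` are hypothetical names; `stat -c` and `mv -T` assume GNU coreutils.

```shell
#!/bin/sh
# Added example: manage the proposed thishost.crt / thishost.key symlinks.
# SSL_ROOT is a hypothetical knob so this can be tried outside /etc/ssl.
SSL_ROOT="${SSL_ROOT:-/etc/ssl}"

# swap_link TARGET LINK: make LINK point at TARGET by creating a temporary
# symlink and renaming it over LINK, so LINK never disappears for a reader.
swap_link() {
    tmp="$2.new.$$"
    ln -s "$1" "$tmp" && mv -T "$tmp" "$2" || { rm -f "$tmp"; return 1; }
}

# point_thishost CERT KEY: repoint both symlinks at the given pair.
# Refuses a missing file, and refuses a private key that grants any
# permission to "other" (last octal digit of the mode is non-zero).
point_thishost() {
    cert=$1
    key=$2
    [ -f "$cert" ] || { echo "no such certificate: $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "no such key: $key" >&2; return 1; }
    mode=$(stat -c %a "$key") || return 1
    case $mode in
        *[1-7])
            echo "refusing $key: mode $mode is open to others" >&2
            return 1 ;;
    esac
    swap_link "$cert" "$SSL_ROOT/certs/thishost.crt" &&
    swap_link "$key"  "$SSL_ROOT/private/thishost.key"
}

# Initial state as proposed (snakeoil pair), then the admin's one-time switch:
#   point_thishost "$SSL_ROOT/certs/ssl-cert-snakeoil.pem" \
#                  "$SSL_ROOT/private/ssl-cert-snakeoil.key"
#   point_thishost /path/to/real.crt /path/to/real.key
```

The two symlinks are swapped one after the other, so a service that starts between the two renames can briefly see a mismatched pair; reload services only after the helper returns.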
