>> 2. I can't see any possible way that matching a single component could
>> create security holes that would be eliminated by matching multiple
>> components, but I'm more skeptical about the other direction. What
>> about the old DNS hack where you create a DNS record for
>> example.com.sample.com and hijack connections intended for example.com
>> made by people whose default DNS suffix is sample.com? There may be
>> reason to believe this isn't a problem, but matching less seems like
>> it can't possibly be a bad thing.
>
> Right, but that's all about being careful not to give out certs like
> "*.postgres.*".

Errrr...no. The point is that if you've hacked sample.com's DNS server,
you might have a cert for *.sample.com, but you might NOT have a cert for
example.com.

...Robert

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
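As an added illustration (not code from the thread or from PostgreSQL), here are the two wildcard-matching rules being argued over, run against the thread's own names; `suffix_hijack_outcome` and its inputs are constructed for this demonstration.

```python
import re


def match_multi_label(pattern: str, hostname: str) -> bool:
    """Permissive rule: '*' matches any run of characters, dots included."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, hostname.lower()) is not None


def match_single_label(pattern: str, hostname: str) -> bool:
    """Strict rule: at most one '*', it must be the whole leftmost label,
    it covers exactly one label, and it may not sit in the last two labels."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return plabels == hlabels
    if pattern.count("*") != 1 or plabels[0] != "*" or len(plabels) < 3:
        return False  # rejects "*.postgres.*", "a*b.sample.com", "*.com"
    # One label for the '*', so the label counts must agree exactly.
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def suffix_hijack_outcome(cert_name: str, typed_host: str, search_suffix: str) -> dict:
    """Constructed scenario from the thread: the client typed `typed_host`,
    its resolver appended `search_suffix`, and the attacker who controls the
    suffix's DNS presents a cert for `cert_name`. Which rule lets it pass?"""
    expanded = f"{typed_host}.{search_suffix}"
    return {
        "expanded_host": expanded,
        "multi_label": match_multi_label(cert_name, expanded),
        "single_label": match_single_label(cert_name, expanded),
        "against_typed_name": match_single_label(cert_name, typed_host),
    }


if __name__ == "__main__":
    # "*.sample.com" covers example.com.sample.com only under the permissive rule.
    print(suffix_hijack_outcome("*.sample.com", "example.com", "sample.com"))
```

The single-label rule refuses `*.sample.com` for `example.com.sample.com` because `example.com` is two labels, which is exactly why matching less is the safer direction here.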