21.12. Certificate Authentication, terminology

Поиск
Список
Период
Сортировка
От PG Doc comments form
Тема 21.12. Certificate Authentication, terminology
Дата
Msg-id 167216179974.662.6948231317202060798@wrigleys.postgresql.org
обсуждение исходный текст
Список pgsql-docs
Дерево обсуждения 
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/15/auth-cert.html
Description:

Re: https://www.postgresql.org/docs/current/auth-cert.html and "21.12.
Certificate Authentication"

"Certificate Authentication" as used in this context is typically called
"Mutual Authentication."

The term "Certificate Authentication" does not make a lot of sense since a
user agent is almost always authenticating the server using a X.509
certificate. When only the server authenticates itself, its usually referred
to as "Server Authentication" or less frequently "One-way Authentication."

The use of Pre-Shared Keys (PSK) and Secure Remote Passwords (SRP) are kind
of rare. The cipher suites perform Mutual Authentication without the need
for certificates. Ironically, PSK and SRP provide channel binding, which
improves security of the channel by binding authentication to channel setup.
The parties mutually authenticate or the channel setup fails. Channel
binding via PSK and SRP should be used more frequently then it is.

From RFC 8446, Section 1:

   1.  Introduction

   The primary goal of TLS is to provide a secure channel between two
   communicating peers; the only requirement from the underlying
   transport is a reliable, in-order data stream.  Specifically, the
   secure channel should provide the following properties:

   -  Authentication: The server side of the channel is always
      authenticated; the client side is optionally authenticated.
      Authentication can happen via asymmetric cryptography (e.g., RSA
      [RSA], the Elliptic Curve Digital Signature Algorithm (ECDSA)
      [ECDSA], or the Edwards-Curve Digital Signature Algorithm (EdDSA)
      [RFC8032]) or a symmetric pre-shared key (PSK).

From RFC 8446, Appendix E:

   E.1.  Handshake

   The TLS handshake is an Authenticated Key Exchange (AKE) protocol
   which is intended to provide both one-way authenticated (server-only)
   and mutually authenticated (client and server) functionality.  At the
   completion of the handshake, each side outputs its view of the
   following values: ...

[1] https://www.rfc-editor.org/rfc/rfc8446

В списке pgsql-docs по дате отправления:

Предыдущее
От: Laurenz Albe
Дата:
Сообщение: Re: Fix broken event trigger example
Следующее
От: Will Mortensen
Дата:
Сообщение: [PATCH] two minor fixes to MVCC docs