*** Bruce Momjian <pgman@candle.pha.pa.us> [13:42 Mon 23.Dec]:
> > > > -rw-r--r-- 1 postgres postgres 3223 Dec 18 17:10 server.crt
> > > > -rw-r--r-- 1 postgres postgres 887 Dec 18 17:10 server.key
> > >
> > > I think it wants the private key file to be mode 600 or less --- a
> > > world-readable private key isn't very private, hmm?
> >
> > Is this a good candidate for error message improvement?
>
> Yes. I will take care of it.
and one more suggestion, as this feature is a little bit to strong IMHO.
Common practice for such files (private keys) is to make them owned by
root user and postgres group with 640 mode. Root is an example of user
which has right to change keys. group readable flag is necesary for
postgres for accessing it, while write permission is not.
its not possible to use such protection schema with current pgsql, while
protection level is the same with both solution.
.radek.