Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Peter Eisentraut
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Msg-id: 200904102250.01691.peter_e@gmx.net
In response to: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Stephen Frost <sfrost@snowman.net>)
Responses: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Stephen Frost <sfrost@snowman.net>)
List: pgsql-bugs
On Friday 10 April 2009 21:32:29 Stephen Frost wrote:
> A properly configured server could cause a failure too unless the client
> is *also* properly configured.  Sure, it's good for people to do.  No, I
> don't think we should break things if people don't build out a whole PKI
> for PG and configure all their certs correctly.  It's pie-in-the-sky to
> think everyone will do that, and in the end most will just say "SSL
> breaks stuff, so we'll disable it" which certainly isn't better.

That's debatable.  I think it's better.

> > But it's a default, so the user can change it.
>
> It should be the default to connect, maybe with a warning.

If you connect with a warning, you have possibly already given up sensitive
information.  That's no good.

> > Consider the analogy that a new web browser comes out that verifies
> > server certificates (as of course all respectable browsers do nowadays)
> > whereas the previous version didn't.  The right fix there is
> > certainly not to downgrade this to a warning when connecting to an older
> > web server.
>
> Uh, no, the right fix is to have a warning/prompt (as pretty much all
> web browsers today do) but then continue to connect.

Yes, this was under discussion a while ago but no one wanted to implement it.

> Also, the
> web-browser analogy completely falls apart when you consider that the
> use case is significantly different (how many times have you connected
> to a PG server that you didn't know?).

This is a fuzzy argument.  What do you mean by "know", and how do you verify
what you "know" and whether what you "know" is correct?  And why are you using
SSL at all if you think you "know" everything?
