Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From Peter Eisentraut
Subject Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date
Msg-id 200904102311.11874.peter_e@gmx.net
In reply to Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
On Friday 10 April 2009 22:50:02 Tom Lane wrote:
> Peter Eisentraut <peter_e@gmx.net> writes:
> > On Friday 10 April 2009 21:27:54 Stephen Frost wrote:
> >> I agree with this.  Avoiding spoofing is good, but so is on the wire
> >> encryption even if you don't have anti-spoofing.  This is a reasonable
> >> set-up and we shouldn't just fail on it.
> >
> > This whole debate hinges on the argument that encryption without
> > anti-spoofing is *not* useful.
>
> If we believe that then we need to also change the server to require
> a root.crt.

That would make sense if the server required SSL in the first place.  But the
default configuration of the server is to take anything.  It would conceivably
be proper to require a stronger client authentication mechanism than "trust"
on hostssl lines.  (This doesn't have to be SSL-based client authentication.)

But we ship the server with a wide-open client access policy. Do you want to
change that?  I think not.  But if packagers want to change that, by all means
set up something stronger.

> I do not believe it --- there is a significant difference
> in the difficulty of passive listening and active spoofing.

Sure, there is a difference.  But what is it, and what percentage of users do
you think are affected by it and can judge the difference?
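
Added example, not part of the original message or of PostgreSQL itself: a small audit of `pg_hba.conf` that lists network rules, `hostssl` included, still using the "trust" method the message refers to. The sample file and the function names are constructed for illustration, and the parser assumes unquoted fields.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the thread).
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS             METHOD
local     all       all                       trust
host      all       all   127.0.0.1/32        trust
hostssl   all       all   0.0.0.0/0           trust
hostssl   app       app   10.0.0.0 255.0.0.0  md5
hostssl   all       all   192.168.1.0/24      cert
hostnossl all       all   0.0.0.0/0           reject
"""

NETWORK_TYPES = {"host", "hostssl", "hostnossl"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Return rules as dicts. Assumes unquoted fields (no spaces in names)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only, or incomplete line
        kind, db, user = fields[:3]
        if kind == "local":
            address, method = None, fields[3]
        elif kind in NETWORK_TYPES and len(fields) >= 5:
            # Address is one token (CIDR) or two tokens (IP plus netmask).
            if len(fields) >= 6 and _is_ip(fields[4]):
                address, method = fields[3] + " " + fields[4], fields[5]
            else:
                address, method = fields[3], fields[4]
        else:
            continue
        rules.append({"line": lineno, "type": kind, "db": db, "user": user,
                      "address": address, "method": method})
    return rules

def network_trust_rules(text):
    """Network rules that admit clients without any authentication."""
    return [(r["line"], r["type"], r["address"]) for r in parse_hba(text)
            if r["type"] in NETWORK_TYPES and r["method"] == "trust"]

if __name__ == "__main__":
    for line, kind, addr in network_trust_rules(SAMPLE_HBA):
        print(f"line {line}: {kind} {addr} uses trust")
```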
