Magnus Hagander wrote:
> On 14 apr 2009, at 04.33, Bruce Momjian <bruce@momjian.us> wrote:
>
> > Magnus Hagander wrote:
> >>> I would actually call the two parameters 'verify-cert' and 'verify-
> >>> cn',
> >>> and document that they also have "require" behavior. Obviously you
> >>> can't verify certificates unless you require SSL.
> >>
> >> I would prefer having "verify", "verify-no-cn" and "no-verify" or
> >> something like that. Making it the "default choice" to have
> >> verification
> >> enabled, and very clear that you're turning something off if you're
> >> not.
> >> And then just map require to verify. Or they could be "require-no-cn"
> >> and "require-no-cert" perhaps?
> >>
> >> ("default choice" only for those using ssl of course - we'd still
> >> have
> >> "disable" as the default *value* of the parameter)
> >
> > I think the "no" options are odd because they have _negative_
> > designations.
>
> That's the intention. When you're turning off something, I think it
> makes sense to use "no"....
But that doesn't scale: sslmode currently has four options, soon
perhaps to be six. The idea is that the items should be of increasing
security, and adding "no" in the middle doesn't allow that to be clear.
In fact there are too many sslmode options to list them in a paragraph;
it should be an SGML table; I will work on that now.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +