On Mon, Dec 2, 2013 at 12:44:08PM -0500, Bruce Momjian wrote:
> On Sat, Nov 30, 2013 at 12:10:19PM -0500, Bruce Momjian wrote:
> > > Drat, you're quite right. I've always included the full certificate
> > > chain in client certs but it's in no way required.
> > >
> > > I guess that pretty much means maintaining the status quo and documenting
> > > it better.
> >
> > I have developed the attached patch to document this behavior. My goals
> > were:
> >
> > * clarify that a cert can match a remote intermediate or root certificate
> > * clarify that the client cert must match a server root.crt
> > * clarify that the server cert much match a client root.crt
> > * clarify that the root certificate does not have to be specified
> > in the client or server cert as long as the remote end has the chain
> > to the root
> >
> > Does it meet these goals? Is it correct?
>
> I have updated the patch, attached, to be clearer about the requirement
> that intermediate certificates need a chain to root certificates.
Patch applied to head.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ Everyone has their own god. +