Re: BUG #4340: SECURITY: Is SSL Doing Anything?

From: Dan Kaminsky
Subject: Re: BUG #4340: SECURITY: Is SSL Doing Anything?
Msg-id: 48AB261B.7080107@doxpara.com
In reply to: Re: BUG #4340: SECURITY: Is SSL Doing Anything?  (Magnus Hagander <magnus@hagander.net>)
Responses: Re: BUG #4340: SECURITY: Is SSL Doing Anything?  (Magnus Hagander <magnus@hagander.net>)
List: pgsql-bugs
> Good, then we're in agreement that far.
>
>
Cool!
> (FWIW, I don't think I've ever seen a PostgreSQL server with a
> certificate off a global root. I've seen plenty off a corporate root
> though, which could in theory have similar issues - but at least you're
> in control of your own problem in that case)
>
OK, now describe client behavior for me.  Is the average client
configured to accept:

1) No roots (but still works for some unknown reason)
2) Explicitly configured corporate roots
3) Explicitly configured corporate roots, AND global roots
4) Global roots (but still works for some unknown reason)

Keep in mind that at least Debian distributes a ca-certificates package,
and I can't imagine they're alone.

> Yes, I think that's fair. You *can* do the verification yourself, but
> libpq will not do it for you.
>
> Only I will claim that the common deployment, as you refer to above,
> *is* with a custom root. PostgreSQL servers are *very* seldom "published
> to the internet", and therefore tend not to use the global CA roots.
>
So one of the nastier aspects of the DNS bug is that internal
communication may get routed out to the Internet, because it's DNS that
keeps things behind the firewall.  If SSL is being used, the
*presumption* is that there's a MITM we want to defend against.
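The thread turns on which root set a libpq client actually checks the server certificate against, and whether it checks at all. As an added example (not code from this thread or from PostgreSQL), the script below models the documented libpq client rules and reports, for a given connection configuration, whether the chain is verified, whether the host name is verified, and which of the root-set situations Kaminsky lists applies: `roots == "none"` is the "no roots but still works" case, `roots == "file"` is an explicitly configured root file (corporate, global, or both, depending on what is in the file), and `roots == "system"` is the OS-wide global root store. It assumes a libpq with the `verify-ca`/`verify-full` sslmode values (8.4 and later) and `sslrootcert=system` (16 and later); the file paths and the sample fleet are constructed for the demo.

```python
"""Audit libpq client TLS settings: does this connection defend against a
MITM, or does it only encrypt to whoever answers the DNS name?

Added example for this thread; not code from the thread or from PostgreSQL.
It models the libpq rules as documented (sslmode, sslrootcert, the
PGSSLMODE/PGSSLROOTCERT environment variables, the default root file
~/.postgresql/root.crt) and assumes a libpq with the verify-ca/verify-full
modes (8.4+) and sslrootcert=system (16+).
"""

SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
DEFAULT_ROOT = ".postgresql/root.crt"  # relative to the client's home directory


def _result(mode, roots, chain, hostname, verdict):
    return {
        "sslmode": mode,
        "roots": roots,                      # "none", "file" or "system"
        "verifies_chain": chain,
        "verifies_hostname": hostname,
        "mitm_resistant": chain and hostname,
        "verdict": verdict,
    }


def audit(params, env=None, existing_files=(), home="/home/app"):
    """Describe the effective server-certificate verification for one client.

    params         -- connection keywords, e.g. {"sslmode": "require"}
    env            -- environment mapping; PGSSLMODE and PGSSLROOTCERT apply
    existing_files -- paths present on the client, injected so the example
                      runs offline instead of stat()ing the real disk
    home           -- client home directory, used for the default root file
    """
    env = {} if env is None else env
    mode = params.get("sslmode") or env.get("PGSSLMODE")
    rootcert = params.get("sslrootcert") or env.get("PGSSLROOTCERT")

    if rootcert == "system":
        # The OS trust store implies verify-full; libpq rejects weaker modes.
        mode = mode or "verify-full"
        if mode != "verify-full":
            return _result(mode, "system", False, False,
                           "connection fails: sslrootcert=system needs sslmode=verify-full")
        return _result(mode, "system", True, True,
                       "chain verified against the OS trust store; host name checked")

    mode = mode or "prefer"
    if mode not in SSLMODES:
        raise ValueError(f"invalid sslmode {mode!r}")
    if mode == "disable":
        return _result(mode, "none", False, False, "no TLS at all")
    if mode in ("allow", "prefer"):
        return _result(mode, "none", False, False,
                       "opportunistic TLS; no verification and may fall back to plaintext")

    root_path = rootcert if rootcert else f"{home}/{DEFAULT_ROOT}"
    if root_path not in existing_files:
        if mode == "require":
            # Encrypted, but to whoever answers: the "no roots, still works" case.
            return _result(mode, "none", False, False,
                           "encrypted to whoever answers; server certificate not verified")
        return _result(mode, "none", False, False,
                       f"connection fails: root certificate file {root_path} does not exist")

    hostname = mode == "verify-full"
    verdict = (f"chain verified against {root_path}; host name "
               + ("checked" if hostname else "NOT checked"))
    return _result(mode, "file", True, hostname, verdict)


def weak_clients(configs, **kw):
    """Return the names of configs whose TLS does not defend against a MITM."""
    return [name for name, params in configs.items()
            if not audit(params, **kw)["mitm_resistant"]]


if __name__ == "__main__":
    # Constructed sample fleet; the root file path is made up for the demo.
    fleet = {
        "billing":   {"sslmode": "require"},
        "reports":   {"sslmode": "verify-ca", "sslrootcert": "/etc/pg/corp-root.crt"},
        "payroll":   {"sslmode": "verify-full", "sslrootcert": "/etc/pg/corp-root.crt"},
        "analytics": {"sslrootcert": "system"},
    }
    present = ("/etc/pg/corp-root.crt",)
    for name, params in fleet.items():
        print(f"{name:10} {audit(params, existing_files=present)['verdict']}")
    print("needs attention:", weak_clients(fleet, existing_files=present))
```

Run against a list of your own application connection settings, the `weak_clients` report is the answer to the subject line: every client it names is encrypting, but to whatever host DNS happens to resolve the name to, which is exactly the exposure the DNS bug turns into a practical problem. Only `verify-full` (or `sslrootcert=system`) gives both chain and host name verification; `verify-ca` checks the chain but will accept any certificate the configured root has issued, for any host.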
