Jim Nasby wrote:
> On 11/6/15 8:01 AM, Mark Morgan Lloyd wrote:
>> Purely out of curiosity, is there any way of using some sort of "web of
>> trust" (comparable with GPG or whatever) when verifying server and
>> client certificates, rather than going back to a centralised CA?
>>
>> My apologies if this is a silly question, or if there are fundamental
>> reasons why such a thing would be inappropriate. My scenario is that I'm
>> looking at multiple PostgreSQL servers (with supporting custom software)
>> arranged (approximately) as a tree, with nodes sending notifications to
>> their peers as they see changes. I want to make it as easy as possible
>> to set up a new server and get it cooperating with the rest, and some
>> sort of WoT might be plausible rather than having to wait for the root
>> administrator to send keys over a secure channel.
>
> Postgres does support PAM, so you might be able to craft such a solution
> using that along with something that support WoT (like GPG).
Thanks for that Jim, very interesting suggestion.
--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk
[Opinions above are the author's, not those of his employers or colleagues]