Обсуждение: Community accounts and SSL
Perhaps management of community accounts should be done via an SSL-enabled web site.
On Wed, 2008-03-12 at 20:19 +0100, Peter Eisentraut wrote: > Perhaps management of community accounts should be done via an SSL-enabled web > site. Not a bad idea. How do we get our hands on a proper signed certificate for wwwmaster.postgresql.org... SPI? //Magnus
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 12 Mar 2008 22:04:01 +0100 Magnus Hagander <magnus@hagander.net> wrote: > > On Wed, 2008-03-12 at 20:19 +0100, Peter Eisentraut wrote: > > Perhaps management of community accounts should be done via an > > SSL-enabled web site. > > Not a bad idea. How do we get our hands on a proper signed certificate > for wwwmaster.postgresql.org... SPI? That is certainly one way, but do we really need that? Isn't a self signed cert good enough? Joshua D. Drake - -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate PostgreSQL political pundit | Mocker of Dolphins -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH2EeRATb/zqfZUUQRAqcvAJ0SB8K5B2QM57HL39nF5xOdKYnIIgCfTsqY ekRzm2LEKJAceFaIwVDVhTk= =nhFr -----END PGP SIGNATURE-----
"Joshua D. Drake" <jd@commandprompt.com> writes:
> That is certainly one way, but do we really need that? Isn't a self
> signed cert good enough?
Self-signed certs on a public-facing website scream of amateurism.
Every time someone visits the site, their browser will complain
about it, and quite rightly.
If you wanna do this, you need to pony up some cash to Verisign or
one of the other recognized CAs.
regards, tom lane
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 12 Mar 2008 17:25:11 -0400 Tom Lane <tgl@sss.pgh.pa.us> wrote: > "Joshua D. Drake" <jd@commandprompt.com> writes: > > That is certainly one way, but do we really need that? Isn't a self > > signed cert good enough? > > Self-signed certs on a public-facing website scream of amateurism. > Every time someone visits the site, their browser will complain > about it, and quite rightly. Well that isn't true. It asks once and that's it. I will admit though that FF3 certainly makes it abundantly clear that it doesn't like it that first time. As far as the amateurism, opinion vary :). > > If you wanna do this, you need to pony up some cash to Verisign or > one of the other recognized CAs. Well like I said, we can do that. If that is the way the community wants to go. A 5 year wildcard cert which could be used across all subdomains is about 500.00. Sincerely, Joshua D. Drake > > regards, tom lane > - -- The PostgreSQL Company since 1997: http://www.commandprompt.com/ PostgreSQL Community Conference: http://www.postgresqlconference.org/ Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate PostgreSQL political pundit | Mocker of Dolphins -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFH2EwZATb/zqfZUUQRAo1/AJoC6oZi3mrVKNA9Uey9HVwmCUACfwCfRHkp hXTfhn/hzNN6lvIuFxroQrc= =ZSPd -----END PGP SIGNATURE-----
On Wed, 2008-03-12 at 14:33 -0700, Joshua D. Drake wrote: > On Wed, 12 Mar 2008 17:25:11 -0400 > Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > "Joshua D. Drake" <jd@commandprompt.com> writes: > > > That is certainly one way, but do we really need that? Isn't a self > > > signed cert good enough? > > > > Self-signed certs on a public-facing website scream of amateurism. > > Every time someone visits the site, their browser will complain > > about it, and quite rightly. > > Well that isn't true. It asks once and that's it. I will admit > though that FF3 certainly makes it abundantly clear that it doesn't like > it that first time. As far as the amateurism, opinion vary :). It does not. If you click the proper button in your browser, it doesn't even let you in. If you click the second-least-improper one, it will complain every time. Only if you pick the one option you're really not supposed to pick, does it only complain once. I dunno aobut other browsers, but in firefox the "bitch again next session" is the default, and in modern IE versions, not letting you in at all is the default. Using a self-signed certificate is only secure if you somehow distribute the self-signed certificate to all clients but a different, secure, path. > > If you wanna do this, you need to pony up some cash to Verisign or > > one of the other recognized CAs. > > Well like I said, we can do that. If that is the way the community > wants to go. A 5 year wildcard cert which could be used across all > subdomains is about 500.00. Wildcard cert might be an option. I don't recall which browsers they are supported these days. It's also a potential security issue - we can't use them on something like a shared host somewhere. Perhaps one, or when we get more requirements a couple, of regular certificates is a better way to go? The free option is to use CACert. It's not included by default in any browser (I think - maybe some really new one has it), but it does have an actual statement of trust along with it. //Magnus
On Wed, 12 Mar 2008 14:33:13 -0700 Joshua D. Drake wrote: > On Wed, 12 Mar 2008 17:25:11 -0400 > Tom Lane <tgl@sss.pgh.pa.us> wrote: > > > "Joshua D. Drake" <jd@commandprompt.com> writes: > > > That is certainly one way, but do we really need that? Isn't a self > > > signed cert good enough? > > > > Self-signed certs on a public-facing website scream of amateurism. > > Every time someone visits the site, their browser will complain > > about it, and quite rightly. > > Well that isn't true. It asks once and that's it. I will admit > though that FF3 certainly makes it abundantly clear that it doesn't like > it that first time. As far as the amateurism, opinion vary :). Yes, you can tell your browser not to complain again, that's true but that's not what you want. How should i know who issued the cert in the first place? Was it you, Joshua, was the cert issued and signed by the www team or was it some hacker just sitting in the middle between my dsl and the postgresql infrastructure? > > If you wanna do this, you need to pony up some cash to Verisign or > > one of the other recognized CAs. > > Well like I said, we can do that. If that is the way the community > wants to go. A 5 year wildcard cert which could be used across all > subdomains is about 500.00. We could also try CACert. Kind regards -- Andreas 'ads' Scherbaum German PostgreSQL User Group European PostgreSQL User Group - Board of Directors
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > The free option is to use CACert. It's not included by default in any > browser (I think - maybe some really new one has it), but it does have > an actual statement of trust along with it. Not having it by default in the browser is not going to work either. I've been waiting on years for cacert to get their act together and at least get included in FireFox but it doesn't look like it's going to happen. I don't think we need a wildcard, we just need this for a single box, right? That's less than $50 a year in today's competitive market. Let's just buy one and be done with it. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200803121808 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iEYEAREDAAYFAkfYVGkACgkQvJuQZxSWSsj8IwCfXQ8hs6PXLanjij16cnpn+GK+ azAAoPLJOPboPb6DgrhQjZ5uJxioDJ6p =Priy -----END PGP SIGNATURE-----