public inbox for [email protected]
From: olivier cano <[email protected]>
To: [email protected]
Subject: Proposal: Supporting URI SAN in Certificate Authentication
Date: Fri, 27 Mar 2026 14:20:40 +0100
Message-ID: <CAPGgoKq0t9p4O5eQfdwV1Jnv=0bpw4KsJ6_U98CAGbGr-Ero+Q@mail.gmail.com> (raw)
Hello PostgreSQL Hackers,

I’d like to open the discussion about adding support for URI Subject
Alternative Names (URI SAN) in PostgreSQL certificate authentication.

Today, PostgreSQL only supports extracting identity from the certificate
Subject (CN or full DN). This limits interoperability with modern workload
identity systems that rely on URI-based identities:

* Cockroach Labs added URI SAN support for SPIFFE/SPIRE:
  https://www.cockroachlabs.com/blog/zero-trust-database-authentication-spiffe-spire
* The IETF WIMSE Working Group is standardizing URI-based workload
  identities: https://datatracker.ietf.org/group/wimse/about

Proposal: Allow certificate authentication to use URI SAN entries as the
client identity (e.g. via a clientname=uri option in pg_hba.conf), in
addition to the existing CN/DN options.

Questions:

* Is there interest in this feature from the community?
* Are there known objections or prior discussions around using SAN (and
  specifically URI SAN) for identity in PostgreSQL auth?
* How should multiple URI SAN entries be handled (first match, require
  uniqueness, mapping rules, etc.)?

Thanks,
Olivier Cano
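The following is an added example, not code from the message above or from PostgreSQL, sketching one answer to the "multiple URI SAN entries" question: a require-uniqueness rule plus a pg_ident-style map from workload ID to database role, checked with verify-full semantics (the mapped role must equal the role the client asks for). It is written in Go against the standard-library x509 package rather than PostgreSQL's C/OpenSSL code; the option names (clientname=uri, scheme, trust domain), the trust domain example.org, the SPIFFE IDs and the self-signed test certificates are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// URIAuthConfig stands in for the pg_hba.conf / pg_ident.conf knobs such a
// feature would need. The field names are assumptions, not PostgreSQL options.
type URIAuthConfig struct {
	Scheme      string            // only URI SANs with this scheme count, e.g. "spiffe"
	TrustDomain string            // required host part of the URI; "" accepts any host
	IdentMap    map[string]string // normalized workload ID -> role it may log in as
}

// normalizeID canonicalizes a URI SAN for map lookups: scheme and host are
// case-insensitive per RFC 3986, the path is compared as-is.
func normalizeID(u *url.URL) string {
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host) + u.Path
}

// selectURISAN applies a require-uniqueness rule: DNS/IP/email SANs are
// ignored, URIs of another scheme or trust domain are ignored, and exactly
// one candidate must remain. Zero or several is a hard failure, never
// "first match", so an extra SAN can never quietly select a different identity.
func selectURISAN(cert *x509.Certificate, scheme, trustDomain string) (*url.URL, error) {
	var candidates []*url.URL
	for _, u := range cert.URIs {
		if !strings.EqualFold(u.Scheme, scheme) {
			continue
		}
		if trustDomain != "" && !strings.EqualFold(u.Host, trustDomain) {
			continue
		}
		candidates = append(candidates, u)
	}
	switch len(candidates) {
	case 0:
		return nil, errors.New("certificate carries no usable URI SAN")
	case 1:
		return candidates[0], nil
	default:
		return nil, fmt.Errorf("certificate carries %d matching URI SANs; refusing to guess", len(candidates))
	}
}

// Authenticate returns the normalized workload ID when the selected URI SAN
// is mapped and the mapped role equals the role the client requested.
func (c URIAuthConfig) Authenticate(cert *x509.Certificate, requestedRole string) (string, error) {
	u, err := selectURISAN(cert, c.Scheme, c.TrustDomain)
	if err != nil {
		return "", err
	}
	id := normalizeID(u)
	role, ok := c.IdentMap[id]
	if !ok {
		return "", fmt.Errorf("no identity mapping for %s", id)
	}
	if role != requestedRole {
		return "", fmt.Errorf("%s is mapped to role %q, not %q", id, role, requestedRole)
	}
	return id, nil
}

// makeClientCert builds a self-signed client certificate in memory with the
// given URI and DNS SANs (constructed test data). The CN is deliberately
// unrelated to any role: the decision is driven by the SAN, not the Subject.
func makeClientCert(uris, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cn-is-not-the-identity"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		DNSNames:     dnsNames,
	}
	for _, s := range uris {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demoConfig is a constructed configuration: one trust domain, two mapped workloads.
func demoConfig() URIAuthConfig {
	return URIAuthConfig{Scheme: "spiffe", TrustDomain: "example.org", IdentMap: map[string]string{
		"spiffe://example.org/ns/prod/sa/billing":   "billing",
		"spiffe://example.org/ns/prod/sa/reporting": "reporting",
	}}
}

func main() {
	cfg := demoConfig()
	billing := "spiffe://example.org/ns/prod/sa/billing"
	for _, tc := range []struct {
		uris []string
		role string
	}{
		{[]string{billing}, "billing"},                          // allowed
		{[]string{billing}, "reporting"},                        // denied: wrong role
		{[]string{billing, "spiffe://example.org/ns/prod/sa/reporting"}, "billing"}, // denied: ambiguous
		{[]string{"https://billing.internal/"}, "billing"},      // denied: wrong scheme
		{[]string{"spiffe://attacker.test/ns/prod/sa/billing"}, "billing"}, // denied: foreign trust domain
	} {
		cert, err := makeClientCert(tc.uris, []string{"billing.internal"})
		if err != nil {
			fmt.Println("cert build failed:", err)
			continue
		}
		if id, err := cfg.Authenticate(cert, tc.role); err != nil {
			fmt.Printf("DENY role=%s uris=%v: %v\n", tc.role, tc.uris, err)
		} else {
			fmt.Printf("ALLOW role=%s as %s\n", tc.role, id)
		}
	}
}
```

Only the first case is allowed; the others show why a first-match rule is the wrong default: with two SPIFFE IDs in one certificate, first-match would let whichever SAN the issuer happened to put first decide the role, while uniqueness makes the certificate unusable until it carries exactly one identity for this trust domain.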