Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w677S-003xv6-0u for pgsql-hackers@arkaria.postgresql.org; Fri, 27 Mar 2026 13:20:58 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w677P-009qeN-1V for pgsql-hackers@arkaria.postgresql.org; Fri, 27 Mar 2026 13:20:55 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w677P-009qeE-0Z for pgsql-hackers@lists.postgresql.org; Fri, 27 Mar 2026 13:20:55 +0000 Received: from mail-pj1-x102a.google.com ([2607:f8b0:4864:20::102a]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1w677N-00000001K0O-2o1g for pgsql-hackers@lists.postgresql.org; Fri, 27 Mar 2026 13:20:54 +0000 Received: by mail-pj1-x102a.google.com with SMTP id 98e67ed59e1d1-35a288a2c00so981445a91.2 for ; Fri, 27 Mar 2026 06:20:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1774617653; cv=none; d=google.com; s=arc-20240605; b=GuBLMB8rExjfvsnsniRjNiczXjmYOtFOY4fFK3qu9xDxtlTXlzgLZLK5M+XI5JP+jO XsLOVeAH/zS+vRsxhycjcDZtiUSr+xXzEltnuD3MTPXB5CQInKQ4gj9Sa+KeNoju2UOM Dg2HTo4NDCoWCfV4HbxRYbiIZ3PCg/AeW4ajeEBhB0O+h4Y2igu55DMqQklXM7kER+tJ 8MdTyp10FHdFfYQ0+SZNoGPF+yqqCvRAPzY+cOH83Db+auhJZwB8ST2wQT1wRTLO0r74 om/KOXBsucjcoa3knjuBZUHBBXJF4vHFAJhHpq3DBEnUXX//ecgQ0DeNdTK3Wn+2YuuF Oi9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=mJueG+4xntamHn19G9TfHBMKIcBzgbv3Etunj+/ZwGw=; fh=nwNxTtLLPTU0ewfLM7SSbrjMajMl+wwnFkCY/fi90vE=; b=ZnRiIjuxdRxC2F7P5YS16b1pl3CN7oOyPHQoiEPT5iafDi5Txq8tZn248dVk6d0Nhc OVx97o2pCWJgtk0Ot+0nYqSdSMkeipfSUYXgueo3cybrVc63LJXWAkkn+zujWdtJ8rfh Erq7hatDw7cmUPUH0bsR9VhRKYg5P4QenruIYh8x5Smy8ZC/RMMVZMCJzcnvwBYWAE0u g5gEIPsm2kqbzoa6+gMnhuHKhn0o99nfbnjoWSxSAt8q6bzjd5U7N6XA5d7YRmv5RpNr brGDU/wCAOATgmz02XNLbYZbterSAOWUydf9ObX395lWfQ1xaab00DyV29KwV4+ByIVL RQgQ==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1774617653; x=1775222453; darn=lists.postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=mJueG+4xntamHn19G9TfHBMKIcBzgbv3Etunj+/ZwGw=; b=Fln7xS9TfdjllEEw1G7OL97Mi12H+iLIfaeWOd4CxkT1Y7XmI2KzvlOMrJUK9Y44cK XrNvrZCVx0RIGWkV90zEKOuAiBw/b4EZT4TGo1vX2/ncTePB9DmLBQTowIcQM/EhioxV Mibo4QDHkacoleM5/OYiBZL+RYaklMmE0byUVNIFMSkru54/SBM3/yXCYZNhMD5fLR0t JYgpQe2KD93ERbQGaRDeOrfwOBf3Hqh53nSAsqiMVsVMrJcm6nWmjul6ogRLUAvwBGzP 3BLoEFmEsKJW1Gk+gGB5o0Ud5HhzyhBN9UGfcLPcQwMX9YtaebF+DJucMJerP0WmGhJA JGLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774617653; x=1775222453; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=mJueG+4xntamHn19G9TfHBMKIcBzgbv3Etunj+/ZwGw=; b=ITh5LUVodQkZFuRNZVgsvo61bOqbUDqxXXEGuQhsFfOp3pMYyaf3qMa05cEQUW1ppc on9X/W6L99jGIC7B2AR+RPMRLBEohCTW45nB6hzJFdb3OkDjKqwCNAgycG1KQ0tRyxqs kJUXOkUWrhflOHc5zt+tHCkIXMiXGFXprVSr/tCKyIXYsebQjB6fwP25nWuJaVRHIW3u 2Hsw+WHQorcRvUI2U34wl2UdKwxgCvFWvu8vAwElr36K5RH8nUN0Z7fgqhw7ccVjqdpU lNnX46xi9TB1cP74U/ywFqfTvycnGjE2jDD8thY6f6A4tpwHRdY+3ygMepHS26EWtruT ExJw== X-Gm-Message-State: AOJu0YxWGOBIRtpDhYDh+4h5F3If+N9d1nW9iym5Ae0uXcUxcSIt87qj 5YonHPpugTFWDtegJmusbAGplaPFS+g3ecOxk33QaSNje47EA5uTloeddTvVrgKaOD6Onj2YcM8 XAM4sEe8iVedHRrPnQljA8HLIZdpbBZQuu/CA X-Gm-Gg: ATEYQzwnhc24FT3+CpOA8zDweHGd5mBVGLbKB1tzgMmVygcfSzVFCa/l72+5BVb7CkN vBwIegilO1qoZS6iD/OuM2yTmjz/zMZ4KNfcMU1d9jWpmsziTniYm2r/Dmv2Hs1oHKhKOHZUY1g qH1+NFwrOG7xlliAPkyXWUO2+DbkiEwgD3FoTUZjVCr5NUkvU/IuqdUdw2S7/C/ugumvxTT+vZS UnL1ptyDQOdSEevVAbH7AtE4BqUnGfqrKsbGINpV1UDoAO/VlEByvJnd7B3Dktswx3jvStZCoC9 cICUBVW09g== X-Received: by 2002:a17:90b:3e8b:b0:359:ff8a:ee4c with SMTP id 98e67ed59e1d1-35c2ff7a998mr2765930a91.11.1774617652405; Fri, 27 Mar 2026 06:20:52 -0700 (PDT) MIME-Version: 1.0 From: olivier cano Date: Fri, 27 Mar 2026 14:20:40 +0100 X-Gm-Features: AQROBzAJbpci8auH9IIYLzM62zC1ZoTubaAKqKs6LVFH1ZhMRQY2A_uoet9USIk Message-ID: Subject: Proposal: Supporting URI SAN in Certificate Authentication To: pgsql-hackers@lists.postgresql.org Content-Type: multipart/alternative; boundary="000000000000c8aab4064e015e2f" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000c8aab4064e015e2f Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hello PostgreSQL Hackers, I=E2=80=99d like to open the discussion about adding support for URI Subjec= t Alternative Names (URI SAN) in PostgreSQL certificate authentication. Today, PostgreSQL only supports extracting identity from the certificate Subject (CN or full DN). This limits interoperability with modern workload identity systems that rely on URI-based identities: * Cockroach Labs added URI SAN support for SPIFFE/SPIRE: https://www.cockroachlabs.com/blog/zero-trust-database-authentication-spiff= e-spire * The IETF WIMSE Working Group is standardizing URI-based workload identities: https://datatracker.ietf.org/group/wimse/about Proposal: Allow certificate authentication to use URI SAN entries as the client identity (e.g. via a clientname=3Duri option in pg_hba.conf), in addition to the existing CN/DN options. Questions: * Is there interest in this feature from the community? * Are there known objections or prior discussions around using SAN (and specifically URI SAN) for identity in PostgreSQL auth? * How should multiple URI SAN entries be handled (first match, require uniqueness, mapping rules, etc.)? Thanks, Olivier Cano --000000000000c8aab4064e015e2f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hello PostgreSQL Hackers,

I=E2=80= =99d like to open the discussion about adding support for URI Subject Alter= native Names (URI SAN) in PostgreSQL certificate authentication. Today, Pos= tgreSQL only supports extracting identity from the certificate Subject (CN = or full DN). This limits interoperability with modern workload identity sys= tems that rely on URI-based identities:
* Cockroach Labs added URI SAN s= upport for SPIFFE/SPIRE: https://www.cockroachlabs.com/= blog/zero-trust-database-authentication-spiffe-spire
* The IETF WIMS= E Working Group is standardizing URI-based workload identities: https://datatracker.ietf.or= g/group/wimse/about

Proposal: Allow certificate authentication t= o use URI SAN entries as the client identity (e.g. via a clientname=3Duri o= ption in pg_hba.conf), in addition to the existing CN/DN options.

Qu= estions:
* Is there interest in this feature from the community?
* Ar= e there known objections or prior discussions around using SAN (and specifi= cally URI SAN) for identity in PostgreSQL auth?
* How should multiple UR= I SAN entries be handled (first match, require uniqueness, mapping rules, e= tc.)?

Thanks,
Olivier Cano

--000000000000c8aab4064e015e2f--