Community accounts and SSL (8+ messages / 6 participants)
* Community accounts and SSL
From: Peter Eisentraut @ 2008-03-12 19:19 UTC
To: pgsql-www

Perhaps management of community accounts should be done via an SSL-enabled web site.
* Re: Community accounts and SSL
From: Magnus Hagander @ 2008-03-12 21:04 UTC
To: Peter Eisentraut <[email protected]>; +Cc: pgsql-www

On Wed, 2008-03-12 at 20:19 +0100, Peter Eisentraut wrote:
> Perhaps management of community accounts should be done via an SSL-enabled web
> site.

Not a bad idea. How do we get our hands on a proper signed certificate for wwwmaster.postgresql.org... SPI?

//Magnus
* Re: Community accounts and SSL
From: Joshua D. Drake @ 2008-03-12 21:13 UTC
To: Magnus Hagander <[email protected]>; +Cc: Peter Eisentraut <[email protected]>; pgsql-www

On Wed, 12 Mar 2008 22:04:01 +0100 Magnus Hagander <[email protected]> wrote:
>
> On Wed, 2008-03-12 at 20:19 +0100, Peter Eisentraut wrote:
> > Perhaps management of community accounts should be done via an
> > SSL-enabled web site.
>
> Not a bad idea. How do we get our hands on a proper signed certificate
> for wwwmaster.postgresql.org... SPI?

That is certainly one way, but do we really need that? Isn't a self signed cert good enough?

Joshua D. Drake

--
The PostgreSQL Company since 1997: http://www.commandprompt.com/
PostgreSQL Community Conference: http://www.postgresqlconference.org/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL political pundit | Mocker of Dolphins
* Re: Community accounts and SSL
From: Tom Lane @ 2008-03-12 21:25 UTC
To: Joshua D. Drake <[email protected]>; +Cc: Magnus Hagander <[email protected]>; Peter Eisentraut <[email protected]>; pgsql-www

"Joshua D. Drake" <[email protected]> writes:
> That is certainly one way, but do we really need that? Isn't a self
> signed cert good enough?

Self-signed certs on a public-facing website scream of amateurism. Every time someone visits the site, their browser will complain about it, and quite rightly.

If you wanna do this, you need to pony up some cash to Verisign or one of the other recognized CAs.

regards, tom lane
* Re: Community accounts and SSL
From: Joshua D. Drake @ 2008-03-12 21:33 UTC
To: Tom Lane <[email protected]>; +Cc: Magnus Hagander <[email protected]>; Peter Eisentraut <[email protected]>; pgsql-www

On Wed, 12 Mar 2008 17:25:11 -0400 Tom Lane <[email protected]> wrote:
> "Joshua D. Drake" <[email protected]> writes:
> > That is certainly one way, but do we really need that? Isn't a self
> > signed cert good enough?
>
> Self-signed certs on a public-facing website scream of amateurism.
> Every time someone visits the site, their browser will complain
> about it, and quite rightly.

Well that isn't true. It asks once and that's it. I will admit though that FF3 certainly makes it abundantly clear that it doesn't like it that first time. As far as the amateurism, opinions vary :).

>
> If you wanna do this, you need to pony up some cash to Verisign or
> one of the other recognized CAs.

Well like I said, we can do that. If that is the way the community wants to go. A 5 year wildcard cert which could be used across all subdomains is about 500.00.

Sincerely,

Joshua D. Drake

>
> regards, tom lane
>

--
The PostgreSQL Company since 1997: http://www.commandprompt.com/
PostgreSQL Community Conference: http://www.postgresqlconference.org/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL political pundit | Mocker of Dolphins
* Re: Community accounts and SSL
From: Magnus Hagander @ 2008-03-12 22:00 UTC
To: Joshua D. Drake <[email protected]>; +Cc: Tom Lane <[email protected]>; Peter Eisentraut <[email protected]>; pgsql-www

On Wed, 2008-03-12 at 14:33 -0700, Joshua D. Drake wrote:
> On Wed, 12 Mar 2008 17:25:11 -0400
> Tom Lane <[email protected]> wrote:
>
> > "Joshua D. Drake" <[email protected]> writes:
> > > That is certainly one way, but do we really need that? Isn't a self
> > > signed cert good enough?
> >
> > Self-signed certs on a public-facing website scream of amateurism.
> > Every time someone visits the site, their browser will complain
> > about it, and quite rightly.
>
> Well that isn't true. It asks once and that's it. I will admit
> though that FF3 certainly makes it abundantly clear that it doesn't like
> it that first time. As far as the amateurism, opinion vary :).

It does not. If you click the proper button in your browser, it doesn't even let you in. If you click the second-least-improper one, it will complain every time. Only if you pick the one option you're really not supposed to pick, does it only complain once.

I dunno about other browsers, but in Firefox the "bitch again next session" is the default, and in modern IE versions, not letting you in at all is the default.

Using a self-signed certificate is only secure if you somehow distribute the self-signed certificate to all clients by a different, secure, path.

> > If you wanna do this, you need to pony up some cash to Verisign or
> > one of the other recognized CAs.
>
> Well like I said, we can do that. If that is the way the community
> wants to go. A 5 year wildcard cert which could be used across all
> subdomains is about 500.00.

Wildcard cert might be an option. I don't recall which browsers they are supported in these days. It's also a potential security issue - we can't use them on something like a shared host somewhere. Perhaps one, or when we get more requirements a couple, of regular certificates is a better way to go?

The free option is to use CACert. It's not included by default in any browser (I think - maybe some really new one has it), but it does have an actual statement of trust along with it.

//Magnus
* Re: Community accounts and SSL
From: Andreas 'ads' Scherbaum @ 2008-03-12 22:06 UTC
To: pgsql-www

On Wed, 12 Mar 2008 14:33:13 -0700 Joshua D. Drake wrote:
> On Wed, 12 Mar 2008 17:25:11 -0400
> Tom Lane <[email protected]> wrote:
>
> > "Joshua D. Drake" <[email protected]> writes:
> > > That is certainly one way, but do we really need that? Isn't a self
> > > signed cert good enough?
> >
> > Self-signed certs on a public-facing website scream of amateurism.
> > Every time someone visits the site, their browser will complain
> > about it, and quite rightly.
>
> Well that isn't true. It asks once and that's it. I will admit
> though that FF3 certainly makes it abundantly clear that it doesn't like
> it that first time. As far as the amateurism, opinion vary :).

Yes, you can tell your browser not to complain again, that's true, but that's not what you want. How should I know who issued the cert in the first place? Was it you, Joshua, was the cert issued and signed by the www team or was it some hacker just sitting in the middle between my dsl and the postgresql infrastructure?

> > If you wanna do this, you need to pony up some cash to Verisign or
> > one of the other recognized CAs.
>
> Well like I said, we can do that. If that is the way the community
> wants to go. A 5 year wildcard cert which could be used across all
> subdomains is about 500.00.

We could also try CACert.

Kind regards

--
Andreas 'ads' Scherbaum
German PostgreSQL User Group
European PostgreSQL User Group - Board of Directors
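
The point made in the two messages above (a self-signed certificate names itself, so it is only trustworthy when the client already holds it or its fingerprint from a separate secure path) can be shown with the openssl command-line tool. This is an added example, not part of the thread; the host name accounts.example.org, the file names and the PINNED value are constructed for the demonstration. Both certificates report the same subject, and only the fingerprint comparison tells them apart.

```shell
#!/bin/sh
# Added example. Host name, file names and PINNED are constructed for the demo.
# Requires the openssl command-line tool.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_cert NAME: create a self-signed certificate for the same host name.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=accounts.example.org" \
        -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

# subject FILE: the name the certificate claims for itself.
subject() {
    openssl x509 -in "$1" -noout -subject
}

# fingerprint FILE: SHA-256 over the whole certificate, public key included.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_pin FILE PIN: accept only the exact certificate whose fingerprint
# was obtained over a separate, trusted path.
check_pin() {
    [ -n "$2" ] && [ "$(fingerprint "$1")" = "$2" ]
}

make_cert site    # generated by the site's operators
make_cert other   # generated by someone else claiming the same name

# Stands in for the value the operators would publish out of band.
PINNED=$(fingerprint "$workdir/site.pem")

for c in site other; do
    if check_pin "$workdir/$c.pem" "$PINNED"; then verdict=accept; else verdict=reject; fi
    echo "$c: $(subject "$workdir/$c.pem") -> $verdict"
done
```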
* Re: Community accounts and SSL
From: Greg Sabino Mullane @ 2008-03-12 22:09 UTC
To: pgsql-www

> The free option is to use CACert. It's not included by default in any
> browser (I think - maybe some really new one has it), but it does have
> an actual statement of trust along with it.

Not having it by default in the browser is not going to work either. I've been waiting for years for cacert to get their act together and at least get included in Firefox but it doesn't look like it's going to happen.

I don't think we need a wildcard, we just need this for a single box, right? That's less than $50 a year in today's competitive market. Let's just buy one and be done with it.

--
Greg Sabino Mullane [email protected]
PGP Key: 0x14964AC8 200803121808
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8