On 11/6/15 8:01 AM, Mark Morgan Lloyd wrote:
> Purely out of curiosity, is there any way of using some sort of "web of
> trust" (comparable with GPG or whatever) when verifying server and
> client certificates, rather than going back to a centralised CA?
>
> My apologies if this is a silly question, or if there are fundamental
> reasons why such a thing would be inappropriate. My scenario is that I'm
> looking at multiple PostgreSQL servers (with supporting custom software)
> arranged (approximately) as a tree, with nodes sending notifications to
> their peers as they see changes. I want to make it as easy as possible
> to set up a new server and get it cooperating with the rest, and some
> sort of WoT might be plausible rather than having to wait for the root
> administrator to send keys over a secure channel.
Postgres does support PAM, so you might be able to craft such a solution
using that along with something that support WoT (like GPG).
--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com