From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | "Henry B(dot) Hotz" <hbhotz(at)oxy(dot)edu> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Plans for 8.4 |
Date: | 2008-08-12 03:48:58 |
Message-ID: | 200808120348.m7C3mwr16181@momjian.us |
Lists: | pgsql-hackers |
Added to TODO:
* Add 'hostgss' pg_hba.conf option to allow GSS link-level encryption
http://archives.postgresql.org/pgsql-hackers/2008-07/msg01454.php
---------------------------------------------------------------------------
Henry B. Hotz wrote:
> What's the time frame for 8.4?
>
> I'm making no promises, but what would people think of a hostgss hba
> option?
>
> Using it would imply the gssapi/sspi authentication option. It would
> be mutually exclusive of the ssl link-encryption option. It would
> support strong encryption of the whole connection without the need to
> get X509 certs deployed (which would be a big win if you're using
> gssapi/sspi authentication anyway).
>
> The thing that prevented me from including it in the gssapi patches I
> did for 8.3 was that I couldn't disentangle the program logic to the
> point of inserting the gssapi security layer code above the SSL code
> and below everything else. I'm thinking that doing both is pretty
> much an edge case, so I propose to do gssapi security layers instead
> of SSL. The mods are a lot more obvious.
>
> I'm *NOT* proposing to make build support of gssapi security layers
> exclusive of SSL. You might, for example, configure a server to
> support username/password over SSL for intra-net addresses, but
> support gssapi for Internet addresses.
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +