| From: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se>, Nathan Bossart <nathandbossart(at)gmail(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Adding deprecation notices to pgcrypto documentation |
| Date: | 2024-03-06 09:57:15 |
| Message-ID: | 3b9f6499-4299-47a9-9595-9828fd3da291@eisentraut.org |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 05.03.24 11:50, Daniel Gustafsson wrote:
>> * Should we actually document the exact list of algorithms along with
>> detailed reasons? This list seems prone to becoming outdated.
>
> If we don't detail the list then I think that it's not worth doing, doing the
> research isn't entirely trivial as one might not even know where to look or
> what to look for.
>
> I don't think this list will move faster than we can keep up with it,
> especially since it's more or less listing everything that pgcrypto supports at
> this point.
The more detail we provide, the more detailed questions can be asked
about it. Like:
The introduction says certain algorithms are vulnerable to attacks. Is
3DES vulnerable to attacks? Or just deprecated?
What about something like CAST5? This is in the OpenSSL legacy
provider, but I don't think it's know to be vulnerable. Is its status
different from 3DES?
It says MD5 should not be used for digital signatures. But is password
hashing a digital signature? How are these related? Similarly about
SHA-1, which has a different level of detail.
Blowfish is advised against, but by whom? By us?
| From | Date | Subject | |
|---|---|---|---|
| Next Message | li jie | 2024-03-06 10:00:59 | Re: Reduce useless changes before reassembly during logical replication |
| Previous Message | Daniel Gustafsson | 2024-03-06 09:54:28 | Re: pipe_read_line for reading arbitrary strings |