Re: SCRAM in the PG 10 release notes

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Noah Misch <noah(at)leadboat(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Andreas Karlsson <andreas(at)proxel(dot)se>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SCRAM in the PG 10 release notes
Date: 2017-09-19 20:32:58
Message-ID: 8daf2f1e-1901-4a43-9fbf-2404f3422b6e@iki.fi
Lists: pgsql-hackers

On 09/18/2017 11:13 AM, Noah Misch wrote:
> On Thu, Sep 14, 2017 at 09:57:36AM +0300, Heikki Linnakangas wrote:
>> On 09/12/2017 04:09 AM, Noah Misch wrote:
>>> On Wed, May 10, 2017 at 10:50:51PM -0400, Bruce Momjian wrote:
>>>> On Mon, May 1, 2017 at 08:12:51AM -0400, Robert Haas wrote:
>>>>> On Tue, Apr 25, 2017 at 10:16 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>>>>>> Well, we could add "MD5 users are encouraged to switch to
>>>>>> SCRAM-SHA-256". Now whether we want to list this as something on the
>>>>>> SCRAM-SHA-256 description, or mention it as an incompatibility, or
>>>>>> under Migration. I am not clear that MD5 is in such terrible shape that
>>>>>> this is warranted.
>>>>>
>>>>> I think it's warranted. The continuing use of MD5 has been a headache
>>>>> for some EnterpriseDB customers who have compliance requirements which
>>>>> they must meet. It's not that they themselves necessarily know or
>>>>> care whether MD5 is secure, although in some cases they do; it's that
>>>>> if they use it, they will be breaking laws or regulations to which
>>>>> their business or agency is subject. I imagine customers of other
>>>>> PostgreSQL companies have similar issues. But leaving that aside, the
>>>>> advantage of SCRAM isn't merely that it uses a better algorithm to
>>>>> hash the password. It has other advantages also, like not being
>>>>> vulnerable to replay attacks. If you're doing password
>>>>> authentication, you should really be using SCRAM, and encouraging
>>>>> people to move to SCRAM after upgrading is a good idea.
>>>>>
>>>>> That having been said, SCRAM is a wire protocol break. You will not
>>>>> be able to upgrade to SCRAM unless and until the drivers you use to
>>>>> connect to the database add support for it. The only such driver
>>>>> that's part of libpq; other drivers that have reimplemented the
>>>>> PostgreSQL wire protocol will have to be updated with SCRAM support
>>>>> before it will be possible to use SCRAM with those drivers. I think
>>>>> this should be mentioned in the release notes, too. I also think it
>>>>> would be great if somebody would put together a wiki page listing all
>>>>> the popular drivers and (1) whether they use libpq or reimplement the
>>>>> wire protocol, and (2) if the latter, the status of any efforts to
>>>>> implement SCRAM, and (3) if those efforts have been completed, the
>>>>> version from which they support SCRAM. Then, I think we should reach
>>>>> out to all of the maintainers of those driver authors who aren't
>>>>> moving to support SCRAM and encourage them to do so.
>>>>
>>>> I have added this as an open item because we will have to wait to see
>>>> where we are with driver support as the release gets closer.
>>>
>>> With the release near, I'm promoting this to the regular open issues section.
>>
>> Thanks.
>>
>> I updated the list of drivers on the wiki
>> (https://wiki.postgresql.org/wiki/List_of_drivers), adding a column for
>> whether the driver supports SCRAM authentication. Currently, the only
>> non-libpq driver that has implemented SCRAM is the JDBC driver. I submitted
>> a patch for the Go driver, but it hasn't been committed yet.
>>
>> As for a recommendation in the release notes, maybe something like
>> "Installations using MD5 authentication are encouraged to switch to
>> SCRAM-SHA-256, unless using older client programs or drivers that don't
>> support it yet."
>
> That sounds reasonable.
>
> This PostgreSQL 10 open item is past due for your status update. Kindly send
> a status update within 24 hours, and include a date for your subsequent status
> update. Refer to the policy on open item ownership:
> https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com

I'm not sure what exactly to do here. Where should we stick that notice?
We could put it in the release notes, where the bullet point about SCRAM
is, but it would be well hidden. If we want to give advice to people who
might not otherwise pay attention, it should go to a more prominent
place. In the "Migration to version 10" section perhaps. Currently, it
only lists incompatibilities, which this isn't. Perhaps put the notice
after the list of incompatibilities (patch attached)?

- Heikki

Attachment Content-Type Size
release-notes-notice-about-scram.patch text/x-patch 444 bytes
