Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256
Date: 2017-11-28 22:33:10
Message-ID: CAB7nPqQ9+Ot46=y+yWNk4NTc4dEmm+DF=RKWDhC_xUq9L7m55g@mail.gmail.com
Lists: pgsql-hackers pgsql-jdbc

On Wed, Nov 29, 2017 at 7:08 AM, Michael Paquier
<michael(dot)paquier(at)gmail(dot)com> wrote:
> On Wed, Nov 29, 2017 at 2:41 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> On Tue, Nov 28, 2017 at 11:10 AM, Peter Eisentraut
>> <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
>>> I also wonder whether there should be a mechanism to turn off channel
>>> binding from the client. Right now, there is no way to test the
>>> non-PLUS mechanism in an SSL build.
>>
>> I think that would be a good thing to have.
>
> Sure. How do we shape that though? I would think about an extra option
> for a scram-sha-256 entry with channel-binding=on|off|choice, choice
> being what is currently on HEAD with letting the client decide to use
> it or not.

Sorry, mind-slipping of the morning. Having an option from the server
would help in restricting access, so there could be some use for it
but not for testing coverage. Still, how do we want to shape that for
the client? I can think of two possibilities:
1) Have a special value in the parameter saslchannelbinding proposed
in patch 0001. For example by specifying "none" then no channel
binding is used.
2) Use a dedicated parameter which is an on-off switch.
Any thoughts?
--
Michael
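
Added example (not part of the message above and not code from the patch set): a sketch of how option 1 could drive client-side mechanism selection and the GS2 channel-binding flag defined in RFC 5802. The helper `choose_scram`, the `scram_choice` struct and the exact handling of the "none" value are assumptions for illustration; only the parameter name saslchannelbinding and its "none" value come from the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result of client-side negotiation: SASL mechanism plus GS2 header. */
typedef struct {
    const char *mechanism;  /* NULL if no usable mechanism was offered */
    char gs2_header[32];    /* start of client-first-message, RFC 5802 */
} scram_choice;

/* True if `name` is one of the mechanisms advertised by the server. */
static bool advertised(const char *const *mechs, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(mechs[i], name) == 0)
            return true;
    return false;
}

/*
 * Hypothetical helper. `cb_setting` models option 1 from the message:
 * "none" disables channel binding, any other value is taken as the
 * binding type (e.g. "tls-unique"). The flag rules are RFC 5802's.
 */
scram_choice choose_scram(const char *const *mechs, size_t n,
                          bool ssl_in_use, const char *cb_setting)
{
    scram_choice c = { NULL, "" };
    bool want_cb = ssl_in_use && strcmp(cb_setting, "none") != 0;

    if (want_cb && advertised(mechs, n, "SCRAM-SHA-256-PLUS")) {
        c.mechanism = "SCRAM-SHA-256-PLUS";
        snprintf(c.gs2_header, sizeof c.gs2_header, "p=%s,,", cb_setting);
    } else if (advertised(mechs, n, "SCRAM-SHA-256")) {
        c.mechanism = "SCRAM-SHA-256";
        /* "y": client could bind but saw no -PLUS offer, which lets the
         * server detect a stripped mechanism list; "n": binding is off. */
        strcpy(c.gs2_header, want_cb ? "y,," : "n,,");
    }
    return c;
}

int main(void)
{
    const char *const offered[] = { "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256" }; /* constructed */
    scram_choice c = choose_scram(offered, 2, true, "none");
    printf("%s %s\n", c.mechanism, c.gs2_header);
    return 0;
}
```

With the setting at "none" the client sends the "n" flag even over SSL, which is what makes the non-PLUS path testable in an SSL build; it also means the client no longer signals a possible downgrade the way the "y" flag does.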
