From: | Shay Rojansky <roji(at)roji(dot)org> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | pgsql-docs(at)lists(dot)postgresql(dot)org |
Subject: | Re: Update encryption options doc for SCRAM-SHA-256 |
Date: | 2018-02-03 17:55:59 |
Message-ID: | CADT4RqAGnex7B-eqv5ZzTaD6S22HcypzqsXa_GegRMo3343QGA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-docs |
Thanks for your attention to this.
I'm definitely not a cryptography expert, but it seems to me that the
actual mechanisms (MD5, SHA-256) are more important than the protocols used
to negotiate them (SASL, SCRAM). When some security expert unfamiliar with
PostgreSQL goes over itss documentation to determine whether it's secure, I
think it's important to make sure that the word SHA-256 is actually there.
On Sat, Feb 3, 2018 at 8:30 AM, Peter Eisentraut <
peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> On 2/2/18 18:42, PG Doc comments form wrote:
> > The following documentation comment has been logged on the website:
> >
> > Page: https://www.postgresql.org/docs/10/static/encryption-options.html
> > Description:
> >
> > Section "18.8. Encryption Options" only mentions MD5 as the password
> storage
> > encryption mechanism, although PostgreSQL 10 introduced the superior
> SHA256
> > - somebody looking at the docs would get a bad idea of PostgreSQL's
> > capabilities...
>
> I propose the attached patch. I have combined the password storage and
> password transmission items, because I don't want to go into the details
> of how SCRAM works on the wire.
>
> --
> Peter Eisentraut http://www.2ndQuadrant.com/
> PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
>
From | Date | Subject | |
---|---|---|---|
Next Message | PG Doc comments form | 2018-02-05 10:16:55 | Developer |
Previous Message | Peter Eisentraut | 2018-02-03 16:30:51 | Re: Update encryption options doc for SCRAM-SHA-256 |