Re: reducing our reliance on MD5

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: reducing our reliance on MD5
Date: 2015-02-12 01:11:05
Message-ID: 28019.1423703465@sss.pgh.pa.us
Lists: pgsql-hackers

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> We've already got a sufficiency of external authentication mechanisms.
>> If people wanted to use non-built-in authentication, we'd not be having
>> this discussion.

> Just to be clear- lots of people *do* use the external authentication
> mechanisms we provide, particularly Kerberos/GSSAPI. SASL would bring
> us quite a few additional mechanisms (SQL-based, Berkeley DB, one-time
> passwords, RSA SecurID, etc.) and would mean we might be able to
> eventually drop direct GSSAPI and LDAP support and have a better
> alternative for those who want to use password-based auth.

My point is that we already have got a lot of external authentication
mechanisms, and it's completely unclear (to me anyway) that there is
any demand for another one. The unsatisfied demand is for a *built in*
mechanism, specifically one that people have more faith in than MD5.
Those who worry about that and don't mind having additional moving parts
have probably already migrated to one or another of the existing external
solutions.

While I won't stand in the way of somebody adding support for an external
SASL library, I think such work has got basically zero to do with the
actual problem.

regards, tom lane
