
Re: US VISA CISP PCI comp. needs SHA1

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: testroom(at)secomintl(dot)com
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: US VISA CISP PCI comp. needs SHA1
Date: 2008-04-02 18:00:42
Message-ID: 47F3C9CA.60100@dunslane.net
Lists: pgsql-hackers

Matthew Wetmore wrote:
> Not sure if I posted in correct spot....
>
>
> pg_8.2.6
> Centos5
> Windows based app.
> encrypted pwd = yes
> SSL = yes,
> hostssl with explicit IP w/md5. (no pg_crypto)
>
>
>
> We are in process of VISA CISP PCI compliance for our application.
> (online cc auth - no stored cc data) [next phase will include stored cc
> data]
>
> We just heard back today that they would like to use SHA1 for pwd auth.
>
> Does anyone have any doco that will support md5 vs. SHA1?
>
> We also have global customers so we understand the US v non-US export stuff.
>
> Any direction is appreciated.
>
>
>   

You could use pg_crypto plus application level passwords.

As has been pointed out elsewhere, there is no security virtue in 
swapping MD5 password hashing in Postgres for SHA1.

cheers

andrew
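
An added example, not part of the original message, of what application-level passwords with the pgcrypto contrib module can look like. The table and function names are hypothetical, and it assumes pgcrypto is already installed in the database.

```sql
-- Added example; app_user, app_set_password and app_check_password are
-- hypothetical names. Assumes pgcrypto is already installed in this database
-- (contrib SQL script on 8.2; CREATE EXTENSION pgcrypto on 9.1 and later).

CREATE TABLE app_user (
    login   text PRIMARY KEY,
    pw_hash text NOT NULL   -- output of crypt(); the salt is embedded in it
);

-- Store a password. gen_salt('bf', 8) produces a fresh random Blowfish salt
-- with work factor 8, so two users with the same password get different hashes.
CREATE FUNCTION app_set_password(text, text) RETURNS void AS $$
    UPDATE app_user
       SET pw_hash = crypt($2, gen_salt('bf', 8))
     WHERE login = $1;
$$ LANGUAGE sql;

-- Verify a password. crypt() re-hashes the candidate using the salt and
-- parameters stored inside pw_hash; a match means the password is correct.
CREATE FUNCTION app_check_password(text, text) RETURNS boolean AS $$
    SELECT EXISTS (
        SELECT 1
          FROM app_user
         WHERE login = $1
           AND pw_hash = crypt($2, pw_hash)
    );
$$ LANGUAGE sql STABLE;

-- Constructed sample data.
INSERT INTO app_user (login, pw_hash)
VALUES ('alice', crypt('constructed-sample-password', gen_salt('bf', 8)));

SELECT app_check_password('alice', 'constructed-sample-password');
SELECT app_check_password('alice', 'wrong-guess');

-- If an auditor specifically asks for a SHA-1 digest, pgcrypto also provides
-- digest(data, 'sha1'). It is a fast, unsalted hash, unlike crypt() above.
SELECT encode(digest('constructed-sample-password', 'sha1'), 'hex');
```

With this approach the cleartext password is part of the SQL statement sent to the server, so the connection should stay on hostssl and statement logging should be checked to make sure it does not record these calls.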
