Re: US VISA CISP PCI comp. needs SHA1

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: testroom(at)secomintl(dot)com
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: US VISA CISP PCI comp. needs SHA1
Date: 2008-04-02 18:00:42
Message-ID: 47F3C9CA.60100@dunslane.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Matthew Wetmore wrote:
> Not sure if I posted in correct spot....
>
>
> pg_8.2.6
> Centos5
> Windows based app.
> encryped pwd = yes
> SSL = yes,
> hostssl with explicit IP w/md5. (no pg_crypto)
>
>
>
> We are in process of VISA CISP PCI compliance for our application.
> (online cc auth - no stored cc data) [next phase will include stored cc
> data]
>
> We just heard back today that they would like to use SHA1 for pwd auth.
>
> does anyone have any doco that will support md5 vs. SHA1?
>
> We also have global customers so we understand the us v non-US export stuff.
>
> Any direction is appreciated.
>
>
>

You could use pg_crypto plus application level passwords.

As has been pointed out elsewhere, there is no security virtue in
swapping MD5 password hashing in Postgres for SHA1.

cheers

andrew

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Eisentraut 2008-04-02 18:28:00 Re: [GENERAL] SHA1 on postgres 8.3
Previous Message Greg Smith 2008-04-02 17:58:03 Patch queue -> wiki (was varadic patch)