Skip site navigation (1) Skip section navigation (2)

Re: US VISA CISP PCI comp. needs SHA1

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: testroom(at)secomintl(dot)com
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: US VISA CISP PCI comp. needs SHA1
Date: 2008-04-02 18:00:42
Message-ID: (view raw or whole thread)
Lists: pgsql-hackers

Matthew Wetmore wrote:
> Not sure if I posted in correct spot....
> pg_8.2.6
> Centos5
> Windows based app.
> encryped pwd = yes
> SSL = yes,
> hostssl with explicit IP w/md5. (no pg_crypto)
> We are in process of VISA CISP PCI compliance for our application.
> (online cc auth - no stored cc data) [next phase will include stored cc
> data]
> We just heard back today that they would like to use SHA1 for pwd auth.
> does anyone have any doco that will support md5 vs. SHA1?
> We also have global customers so we understand the us v non-US export stuff.
> Any direction is appreciated.

You could use pg_crypto plus application level passwords.

As has been pointed out elsewhere, there is no security virtue in 
swapping MD5 password hashing in Postgres for SHA1.



In response to

pgsql-hackers by date

Next:From: Peter EisentrautDate: 2008-04-02 18:28:00
Subject: Re: [GENERAL] SHA1 on postgres 8.3
Previous:From: Greg SmithDate: 2008-04-02 17:58:03
Subject: Patch queue -> wiki (was varadic patch)

Privacy Policy | About PostgreSQL
Copyright © 1996-2015 The PostgreSQL Global Development Group