From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | testroom(at)secomintl(dot)com |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: US VISA CISP PCI comp. needs SHA1 |
Date: | 2008-04-02 18:00:42 |
Message-ID: | 47F3C9CA.60100@dunslane.net |
Lists: | pgsql-hackers |
Matthew Wetmore wrote:
> Not sure if I posted in correct spot....
>
>
> pg_8.2.6
> Centos5
> Windows based app.
> encrypted pwd = yes
> SSL = yes,
> hostssl with explicit IP w/md5. (no pg_crypto)
>
>
>
> We are in process of VISA CISP PCI compliance for our application.
> (online cc auth - no stored cc data) [next phase will include stored cc
> data]
>
> We just heard back today that they would like to use SHA1 for pwd auth.
>
> Does anyone have any doco that will support md5 vs. SHA1?
>
> We also have global customers so we understand the US v non-US export stuff.
>
> Any direction is appreciated.
>
>
>
You could use pg_crypto plus application level passwords.
As has been pointed out elsewhere, there is no security virtue in
swapping MD5 password hashing in Postgres for SHA1.
cheers
andrew
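
One way the "pg_crypto plus application level passwords" suggestion can look in practice, as an added example that is not part of the original message or of PostgreSQL's own code. It assumes the pgcrypto functions (`crypt`, `gen_salt`) are already loaded into the database; the table, column and function names and the sample credentials are hypothetical.

```sql
-- Added example: application-level password storage with pgcrypto.
-- Assumption: pgcrypto's crypt() and gen_salt() are installed in this database.
-- app_user, pw_hash and app_check_password are hypothetical names.

CREATE TABLE app_user (
    login    text PRIMARY KEY,
    pw_hash  text NOT NULL      -- algorithm id, cost and salt are embedded in this string
);

-- Store a password: gen_salt() creates a fresh random salt per row, so two
-- users with the same password get different hashes. 'bf' selects pgcrypto's
-- Blowfish-based crypt; 8 is the iteration-count parameter.
INSERT INTO app_user (login, pw_hash)
VALUES ('alice', crypt('constructed-sample-password', gen_salt('bf', 8)));

-- Verify a password: crypt() reads the salt and parameters back out of the
-- stored hash, recomputes, and the result is compared with the stored value.
-- Returns false (never NULL) for an unknown login.
CREATE FUNCTION app_check_password(p_login text, p_password text)
RETURNS boolean AS $$
    SELECT COALESCE(
        (SELECT pw_hash = crypt($2, pw_hash)
           FROM app_user
          WHERE login = $1),
        false);
$$ LANGUAGE sql STABLE;

-- Constructed checks: correct password, wrong password, unknown login.
SELECT app_check_password('alice',  'constructed-sample-password');
SELECT app_check_password('alice',  'wrong-password');
SELECT app_check_password('nobody', 'anything');

-- Change a password: a new salt is generated, so the stored hash changes
-- even if the same password is set again.
UPDATE app_user
   SET pw_hash = crypt('constructed-new-password', gen_salt('bf', 8))
 WHERE login = 'alice';
```

With this layout the application's user passwords live in an ordinary table and are checked by the application, independently of the `md5` method that `pg_hba.conf` uses for the database role the application connects as.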