Re: Password identifiers, protocol aging and SCRAM protocol

Robert, all,

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Fri, Mar 18, 2016 at 9:31 AM, Michael Paquier
> <michael(dot)paquier(at)gmail(dot)com> wrote:
> > That's not an issue for me to rebase this set of patches. The only
> > conflicts that I anticipate are on 0009, but I don't have high hopes
> > to get this portion integrating into core for 9.6, the rest of the
> > patches is complicated enough, and everyone bandwidth is limited.
>
> I really think we ought to consider pushing this whole thing out to
> 9.7. I don't see how we're going to get all of this into 9.6, and
> these are big, user-facing changes that I don't think we should rush
> into under time pressure. I think it'd be better to do this early in
> the 9.7 cycle so that it has time to settle before the time crunch at
> the end. I predict this is going to have a lot of loose ends that are
> going to take months to settle, and we don't have that time right now.

I'm not sure that I agree with the above. This patch has been through
the ringer multiple times regarding the user-facing bits and, by and
large, the results appear reasonable. Further, getting a better auth
method into PG is something which I do view as a priority considering
the concerns and complaints that have been, justifiably, raised against
our current password-based authentication support.

This isn't a new patch set either, it was submitted initially over the
summer after it was pointed out, over a year ago, that people actually
do care about the problems with our current implementation (amusingly, I
recall having pointed out the same 5+ years ago, but only did so to this
list).

I've been following along on this patch set and asked David to spend
time reviewing it as I feel that it's stil got a chance for 9.6, since
it's been through multiple CF rounds and has had a fair bit of
discussion, review, and consideration.

> And I'd rather see all of the changes in one release than split them
> across two releases.

I agree with this. If we aren't going to get SCRAM into 9.6 then the
rest is just breaking things with little benefit. I'm optomistic that
we will be able to include SCRAM support in 9.6, but if that ends up not
being feasible then we need to put all of the changes to the next
release.

I do think that if we push this off to 9.7 then we're going to have
SCRAM *plus* a bunch of other changes around password policies in that
release, and it'd be better to introduce SCRAM independently of the
other changes.

All that said, this is just my voice from having followed this thread
and discussing it with David and I'm not trying to force anything. It'd
certainly be nice to have and to be able to tell people that we do have
a strong and recognized approach to password-based authentication in PG,
but I've long been telling everyone that they should be using GSSAPI
and/or SSL and can continue to do so for another year if necessary.

Thanks!

Stephen