| From: | Noah Misch <noah(at)leadboat(dot)com> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Aleksander Alekseev <a(dot)alekseev(at)postgrespro(dot)ru>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, magnus(at)hagander(dot)net, robertmhaas(at)gmail(dot)com |
| Subject: | Re: SCRAM authentication, take three |
| Date: | 2017-04-16 04:14:21 |
| Message-ID: | 20170416041421.GA2986517@tornado.leadboat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Apr 12, 2017 at 02:33:27AM -0400, Noah Misch wrote:
> On Tue, Apr 11, 2017 at 08:10:23AM +0300, Heikki Linnakangas wrote:
> > On 04/11/2017 04:52 AM, Peter Eisentraut wrote:
> > >On 4/10/17 04:27, Heikki Linnakangas wrote:
> > >>One thing to consider is that we just made the decision that "md5"
> > >>actually means "md5 or scram-sha-256". Extrapolating from that, I think
> > >>we'll want "scram-sha-256" to mean "scram-sha-256 or scram-sha-256-plus"
> > >>(i.e. the channel-bonding variant) in the future. And if we get support
> > >>for scram-sha-512, "scram-sha-256" would presumably allow that too.
> > >
> > >But how would you choose between scram-sha-256-plus and scram-sha-512?
> >
> > Good question. We would need to decide the order of preference for those.
> >
> > That question won't arise in practice. Firstly, if the server can do
> > scram-sha-256-plus, it presumably can also do scram-sha-512-plus. Unless
> > there's a change in the way the channel binding works, such that the
> > scram-sha-512-plus variant needs a newer version of OpenSSL or something.
> > Secondly, the user's pg_authid row will contain a SCRAM-SHA-256 or
> > SCRAM-SHA-512 verifier, not both, so that will dictate which one to use.
>
> [Action required within three days. This is a generic notification.]
>
> The above-described topic is currently a PostgreSQL 10 open item. Heikki,
> since you committed the patch believed to have created it, you own this open
> item. If some other commit is more relevant or if this does not belong as a
> v10 open item, please let us know. Otherwise, please observe the policy on
> open item ownership[1] and send a status update within three calendar days of
> this message. Include a date for your subsequent status update. Testers may
> discover new open items at any time, and I want to plan to get them all fixed
> well in advance of shipping v10. Consequently, I will appreciate your efforts
> toward speedy resolution. Thanks.
>
> [1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
This PostgreSQL 10 open item is past due for your status update. Kindly send
a status update within 24 hours, and include a date for your subsequent status
update. Refer to the policy on open item ownership:
https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Noah Misch | 2017-04-16 04:19:17 | Re: Quorum commit for multiple synchronous replication. |
| Previous Message | Tom Lane | 2017-04-16 02:20:49 | Re: OpenSSL 1.1 breaks configure and more |