| From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
|---|---|
| To: | testroom(at)secomintl(dot)com |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: US VISA CISP PCI comp. needs SHA1 |
| Date: | 2008-04-02 18:00:42 |
| Message-ID: | 47F3C9CA.60100@dunslane.net |
| Lists: | pgsql-hackers |

Matthew Wetmore wrote:
> Not sure if I posted in correct spot....
>
>
> pg_8.2.6
> Centos5
> Windows based app.
> encrypted pwd = yes
> SSL = yes,
> hostssl with explicit IP w/md5. (no pg_crypto)
>
>
>
> We are in process of VISA CISP PCI compliance for our application.
> (online cc auth - no stored cc data) [next phase will include stored cc
> data]
>
> We just heard back today that they would like to use SHA1 for pwd auth.
>
> Does anyone have any doco that will support md5 vs. SHA1?
>
> We also have global customers so we understand the US v non-US export stuff.
>
> Any direction is appreciated.
>
>
>

You could use pg_crypto plus application level passwords.

As has been pointed out elsewhere, there is no security virtue in
swapping MD5 password hashing in Postgres for SHA1.

cheers

andrew
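
One way application-level passwords with pgcrypto can look, as an added example that is not part of the original message or of the PostgreSQL project's code. The table `app_users`, its columns, the function `check_password` and the sample values are hypothetical; `crypt()`, `gen_salt()`, `digest()` and `encode()` are the real pgcrypto and core functions.

```sql
-- Added example. Install pgcrypto first: CREATE EXTENSION works on
-- PostgreSQL 9.1 and later; on 8.2, load the contrib pgcrypto.sql script instead.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Hypothetical application-level account table, separate from database roles.
CREATE TABLE app_users (
    username text PRIMARY KEY,
    pw_hash  text NOT NULL
);

-- Store: gen_salt('bf', 8) makes a random per-user salt for the Blowfish-based
-- crypt() variant with cost 8. The returned string carries algorithm, cost and
-- salt, so no separate salt column is needed.
INSERT INTO app_users (username, pw_hash)
VALUES ('alice', crypt('constructed-sample-password', gen_salt('bf', 8)));

-- Verify: hash the candidate with the stored value as the salt argument and
-- compare. Positional parameters ($1, $2) keep this usable on old releases.
CREATE FUNCTION check_password(text, text) RETURNS boolean AS $$
    SELECT EXISTS (
        SELECT 1
        FROM app_users
        WHERE username = $1
          AND pw_hash = crypt($2, pw_hash)
    );
$$ LANGUAGE sql STABLE;

SELECT check_password('alice', 'constructed-sample-password');  -- correct password
SELECT check_password('alice', 'wrong-password');               -- wrong password
SELECT check_password('nobody', 'constructed-sample-password'); -- unknown user

-- If a checklist names SHA-1 specifically, pgcrypto's digest() produces it.
-- The salt here is a constructed literal; a real salt is random and per user.
SELECT encode(digest('constructed-salt' || 'constructed-sample-password', 'sha1'), 'hex');
```

The application should send the password as a bind parameter over the existing `hostssl` connection rather than building it into the SQL string.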