| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Nico Williams <nico(at)cryptonector(dot)com> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, "* Neustradamus *" <neustradamus(at)hotmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: RFC 9266: Channel Bindings for TLS 1.3 support |
| Date: | 2025-11-21 22:57:26 |
| Message-ID: | CAOYmi+n8zFFKjhz1yb+SPdb_9hYyQWWQtviMx4Dwd5umXjeKKA@mail.gmail.com |
| Lists: | pgsql-hackers |

On Fri, Nov 21, 2025 at 11:57 AM Nico Williams <nico(at)cryptonector(dot)com> wrote:
> (I'm very down on SCRAM. I'd much rather have an asymmetric zero-
> knowledge PAKE.)

Hey, get an OPAQUE-PLUS over the line and I bet someone here will take
interest :D

(It's hard for me to be more down on SCRAM than I am on plaintext
LDAP, though. SCRAM's pretty good.)

> I wonder if DANE (DNS-based Authentication of Named Entities [RFC 6698])
> might be a good idea for PG. IMO DANE is a great idea in general, but
> browser communities do not agree yet (for reasons, often to do with
> performance, which I think by and large do not apply to PG).

Possibly. I did briefly look at RPK a few months back, but that was in
the context of a pinned key (i.e. "SSH into Postgres") rather than
with DANE. I feel like I've seen people talking about DANE a lot more
recently? Maybe there'll be momentum for that at some point.

--Jacob