Aaron,

* Aaron Zauner (a...@azet.org) wrote:
> Stephen Frost wrote:
> > We're currently looking at getting SCRAM support by implementing SASL,
> > but I'm worried that we'll then create a dependency on SASL that people
> > won't be happy with and therefore I'm very curious about how difficult
> > it'd be to implement proper SCRAM directly. Do you know if there is
> > BSD-licensed code (PG is entirely BSD licensed) that implements SCRAM?
>
> Just to put the idea out there; PGSQL currently links to OpenSSL for
> TLS, right? TLS has support for SRP [0] [1]. This could be used for
> password based authenticated TLS sessions without client certificates.
> Might be less of a burden on users than deploying PKIX with
> client-certificates while still providing proper security.
That's an excellent thought. I wasn't aware of this. Unfortunately, I'm
not sure that we could make it the default in Debian as it requires
server-side certificates be configured and used properly (correct?) but I
don't see a reason to not support it and encourage its use.

Thanks!

Stephen