Re: SCRAM with channel binding downgrade attack
| От | Michael Paquier |
|---|---|
| Тема | Re: SCRAM with channel binding downgrade attack |
| Дата | |
| Msg-id | 20180528012328.GA5093@paquier.xyz обсуждение исходный текст |
| Ответ на | Re: SCRAM with channel binding downgrade attack (Michael Paquier <michael@paquier.xyz>) |
| Ответы |
Re: SCRAM with channel binding downgrade attack
|
| Список | pgsql-hackers |
On Sat, May 26, 2018 at 11:42:38PM +0900, Michael Paquier wrote: > On Sat, May 26, 2018 at 09:08:50AM -0400, Bruce Momjian wrote: >> On Sat, May 26, 2018 at 08:32:20AM +0900, Michael Paquier wrote: >>> >>> OK, I can live with that as well. So we'll go in the direction of two >>> parameters then: >>> - scram_channel_binding, which can use "prefer" (default), "require" or >>> "disable". >>> - scram_channel_binding_name, developer option to choose the type of >>> channel binding, with "tls-unique" (default) and "tls-server-end-point". >>> We could also remove the prefix "scram_". Ideas of names are welcome. >> >> scram_channel_binding_method? > > Or scram_channel_binding_type. The first sentence of RFC 5929 uses this > term. I just went with scram_channel_binding_mode (require, disable and prefer) and scram_channel_binding_type as parameter names, in the shape of the attached patch. >> Do we really know someone is going to want to actually specify the >> channel binding type? If it is only testing, maybe we don't need to >> document this parameter. > > Keeping everything documented is useful as well for new developers, as > they need to guess less from the code. So I would prefer seeing both > connection parameters documented, and mentioning directly in the docs if > a parameter is for developers or not. So done this way. Feel free to pick me up at PGcon this week if you wish to discuss this issue. Docs, tests and a commit message are added. -- Michael
Вложения
В списке pgsql-hackers по дате отправления: