Re: [HACKERS] Some thoughts about SCRAM implementation

On 04/12/2017 08:38 PM, Álvaro Hernández Tortosa wrote:
> - Even though I don't really care about SCRAM, and without having any
> prior knowledge about SCRAM, I volunteered some time ago to study SCRAM,
> give a lightning talk about SCRAM and later write a client
> implementation for the jdbc driver. And I have already devoted a very
> fair amount of time in doing so, and will keep doing that until all code
> is done. Code WIP is here FYI: https://github.com/ahachete/scram. So
> it's not that I haven't already put my code behind my words.

That is very much appreciated! You writing a second implementation of 
the client-side support (libpq being the first) is very, very helpful, 
to validate that the protocol is sane, unambiguous, and adequately 
documented.

> On 12/04/17 18:38, Robert Haas wrote:
>> Furthermore, I think that the state of this feature as it currently
>> exists in the tree is actually kind of concerning.  There are
>> currently four open items pertaining to SCRAM at least two of which
>> look to my mind an awful lot like stuff that should have ideally been
>> handled pre-feature-freeze: \password support, and protocol
>> negotiation.  I'm grateful for the hard work that has gone into this
>> feature, but these are pretty significant loose ends.  \password
>> support is a basic usability issue.  Protocol negotiation affects
>> anyone who may want to make their PG driver work with this feature,
>> and certainly can't be changed after final release, and ideally not
>> even after beta.  We really, really need to get that stuff nailed down
>> ASAP or we're going to have big problems.  So I think we should focus
>> on those things, not this.

Yes, we need to nail down the protocol and \password before beta. I am 
working on them now.

- Heikki