Re: [HACKERS] SCRAM protocol documentation

On 8/11/17 07:18, Michael Paquier wrote:
> The problem is where a username includes characters as a comma or '=',
> which can be avoided if the string is in UTF-8 as the username is
> prepared with SASLprep before being used in the SASL exchange, but we
> have no way now to be sure now that the string is actually in UTF-8.
> If at some point we decide that only things using UTF-8 are good to be
> used during authentication, using the username in the exchange
> messages instead of the one in the startup packet would be fine and
> actually better IMO in the long term. Please note that the
> specification says that both the username and the password must be
> encoded in UTF-8, so we are not completely compliant here. If there is
> something to address, that would be this part.

So we already handle passwords.  Can't we handle user names the same way?

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services