> That is not true. The internet happily allows for active attacks. In
> fact, active attacks are easier on the internet than passive ones.
>
> My concern is, that by having something that we proclaim to be secure, we
> need for it to really be secure.
>
> An HMAC would be a better alternative to the current crypt scheme, as
> it would provide integrity, without the overhead of having privacy.
>
> Of course, HMAC would require the postgres protocol to talk in "packets",
> as it can't accept the data as being valid until it verifies the MAC. I'm
> not familiar with the protocol yet.
>
> I suggest these authentication options:
>
> * password - The current meaning of password, but with passwords hashed
> using md5crypt() or something. (The usual crypt unneccessarily limits
> passwords to 8 characters)
Once I do crypting of pg_shadow/double-crypt for 7.2, we don't need
password anymore. It is around only for very old clients and for
secondary password files but wWe will not need that workaround with
double-crypt.
> * HMAC - Wrap all postgres data in an HMAC (I believe this requires an
> plaintext-like password on the server as does crypt and the double
> crypt scheme)
No, double-crypt has the passwords stored encrypted.
> * Public Key (RSA/DSA) - Use public key cryptography to negotiate a
> connection. (When I'm not busy, I may decide to do this myself)
SSL?
-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610)
853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill,
Pennsylvania19026