On Tue, Mar 05, 2024 at 11:50:36AM +0100, Daniel Gustafsson wrote:
>> On 4 Mar 2024, at 23:49, Nathan Bossart <nathandbossart@gmail.com> wrote:
>> * Should this be a "Warning" and/or moved to the top of the page? This
>> seems like a relatively important notice that folks should see when
>> beginning to use pgcrypto.
>
> Good question. If we do we'd probably need to move other equally important
> bits of information from "Security Limitations" as well so perhaps it's best to
> keep it as is for now, or putting it under Notes.
Fair point.
>> * Should we actually document the exact list of algorithms along with
>> detailed reasons? This list seems prone to becoming outdated.
>
> If we don't detail the list then I think that it's not worth doing, doing the
> research isn't entirely trivial as one might not even know where to look or
> what to look for.
>
> I don't think this list will move faster than we can keep up with it,
> especially since it's more or less listing everything that pgcrypto supports at
> this point.
Also fair. Would updates to this list be back-patched?
> Looking at this some more I propose that we also remove the table of hash
> benchmarks, as it's widely misleading. Modern hardware can generate far more
> than what we list here, and it gives the impression that these algorithms can
> only be broken with brute force which is untrue. The table was first published
> in 2008 and hasn't been updated since.
It looks like it was updated in 2013 [0] (commit d6464fd). If there are
still objections to removing it, I think it should at least be given its
decennial update.
[0] https://postgr.es/m/CAPVvHdPj5rmf294FbWi2TuEy%3DhSxZMNjTURESaM5zY8P_wCJMg%40mail.gmail.com
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com