Re: US VISA CISP PCI comp. needs SHA1 - Mailing list pgsql-hackers

From Andrew Dunstan
Subject Re: US VISA CISP PCI comp. needs SHA1
Msg-id 47F3C9CA.60100@dunslane.net
In response to US VISA CISP PCI comp. needs SHA1  (Matthew Wetmore <testroom@secomintl.com>)
List pgsql-hackers

Matthew Wetmore wrote:
> Not sure if I posted in the correct spot....
>
> pg_8.2.6
> Centos5
> Windows based app.
> encrypted pwd = yes
> SSL = yes,
> hostssl with explicit IP w/md5. (no pg_crypto)
>
> We are in process of VISA CISP PCI compliance for our application.
> (online cc auth - no stored cc data) [next phase will include stored cc
> data]
>
> We just heard back today that they would like to use SHA1 for pwd auth.
>
> Does anyone have any doco that will support md5 vs. SHA1?
>
> We also have global customers so we understand the US vs. non-US export stuff.
>
> Any direction is appreciated.
>

You could use pg_crypto plus application level passwords.

As has been pointed out elsewhere, there is no security virtue in 
swapping MD5 password hashing in Postgres for SHA1.

cheers

andrew
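An added illustration of the approach Andrew suggests (application-level passwords kept in an ordinary table and hashed with pgcrypto), not code from this thread or from the PostgreSQL project; the table and column names and the sample user are assumed. On 8.2 the module is loaded by running contrib's pgcrypto.sql script against the database; CREATE EXTENSION applies to 9.1 and later.

```sql
-- Load pgcrypto (PostgreSQL 9.1 and later; on 8.2, run the contrib
-- pgcrypto.sql script against the database instead of this statement).
CREATE EXTENSION pgcrypto;

-- Application users are separate from database roles, so the hash
-- algorithm is chosen here rather than by the server's role-password
-- storage. Hypothetical table and column names.
CREATE TABLE app_user (
    username text PRIMARY KEY,
    pw_hash  text NOT NULL    -- salted crypt() output; never the plaintext
);

-- Enrol a user. gen_salt('bf', 10) produces a fresh random bcrypt salt
-- (cost factor 10), so two users with the same password get different
-- hashes and the stored value cannot be looked up in a precomputed table.
-- Sample user and password are constructed for this example.
INSERT INTO app_user (username, pw_hash)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf', 10)));

-- Verify a login attempt. crypt() re-hashes the candidate using the salt
-- and cost embedded in the stored hash; an equal result means the
-- password matched. One row is returned on success, none on failure.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND pw_hash = crypt('correct horse battery staple', pw_hash);

-- The same check with a wrong candidate returns no rows.
SELECT username
FROM app_user
WHERE username = 'alice'
  AND pw_hash = crypt('wrong password', pw_hash);
```

The candidate password should be passed as a bound parameter from the application rather than interpolated into the query text as shown in the literals above.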

