> On 24 Sep 2020, at 21:22, Robert Haas <robertmhaas@gmail.com> wrote:
>
> On Thu, Sep 24, 2020 at 1:57 PM Peter Eisentraut
> <peter.eisentraut@2ndquadrant.com> wrote:
>> Depends on what one considers to be covered by FIPS. The entire rest of
>> SCRAM is custom code, so running it on top of the world's greatest
>> SHA-256 implementation isn't going to make the end product any more
>> trustworthy.
>
> I mean, the issue here, as is so often the case, is not what is
> actually more secure, but what meets the terms of some security
> standard.
Correct, IIUC in order to be FIPS compliant all cryptographic modules used must
be FIPS certified.
> At least in the US, FIPS 140-2 compliance is a reasonably
> common need, so if we can make it easier for people who have that need
> to be compliant, they are more likely to use PostgreSQL, which seems
> like something that we should want.
The proposed patch makes SCRAM+FIPS work for 14, question is if we need/want to
try and address v10-13.
cheers ./daniel