Not sure if I posted in correct spot....


pg_8.2.6
Centos5
Windows based app.
encryped pwd = yes
SSL = yes,
hostssl with explicit IP w/md5. (no pg_crypto)



We are in process of VISA CISP PCI compliance for our application.
(online cc auth - no stored cc data) [next phase will include stored cc
data]

We just heard back today that they would like to use SHA1 for pwd auth.

does anyone have any doco that will support md5 vs. SHA1?

We also have global customers so we understand the us v non-US export stuff.

Any direction is appreciated.

Thanks in advance.

/matthew wetmore

--

Matthew Wetmore
Secom International, Inc
9610 Bellanca, Ave.
Los Angeles, CA 90045
310-641-1290


This e-mail is intended for the addressee shown. It contains information
that is confidential and protected from disclosure. Any review,
dissemination or use of this transmission or its contents by persons or
unauthorized employees of the intended organisations is strictly
prohibited.
The contents of this email do not necessarily represent the views or
policies of Secom International Inc., or its employees.

Search Discussions

  • Alvaro Herrera at Apr 2, 2008 at 5:52 pm

    Matthew Wetmore wrote:

    We just heard back today that they would like to use SHA1 for pwd auth.
    Why would anyone want to do something so pointless?

    --
    Alvaro Herrera http://www.CommandPrompt.com/
    The PostgreSQL Company - Command Prompt, Inc.
  • Andrew Dunstan at Apr 2, 2008 at 6:01 pm

    Matthew Wetmore wrote:
    Not sure if I posted in correct spot....


    pg_8.2.6
    Centos5
    Windows based app.
    encryped pwd = yes
    SSL = yes,
    hostssl with explicit IP w/md5. (no pg_crypto)



    We are in process of VISA CISP PCI compliance for our application.
    (online cc auth - no stored cc data) [next phase will include stored cc
    data]

    We just heard back today that they would like to use SHA1 for pwd auth.

    does anyone have any doco that will support md5 vs. SHA1?

    We also have global customers so we understand the us v non-US export stuff.

    Any direction is appreciated.

    You could use pg_crypto plus application level passwords.

    As has been pointed out elsewhere, there is no security virtue in
    swapping MD5 password hashing in Postgres for SHA1.

    cheers

    andrew

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppgsql-hackers @
categoriespostgresql
postedApr 2, '08 at 5:29p
activeApr 2, '08 at 6:01p
posts3
users3
websitepostgresql.org...
irc#postgresql

People

Translate

site design / logo © 2022 Grokbase