> On 24 Sep 2020, at 21:22, Robert Haas <robertmh...@gmail.com> wrote:
>
> On Thu, Sep 24, 2020 at 1:57 PM Peter Eisentraut
> <peter.eisentr...@2ndquadrant.com> wrote:
>> Depends on what one considers to be covered by FIPS. The entire rest of
>> SCRAM is custom code, so running it on top of the world's greatest
>> SHA-256 implementation isn't going to make the end product any more
>> trustworthy.
>
> I mean, the issue here, as is so often the case, is not what is
> actually more secure, but what meets the terms of some security
> standard.

Correct, IIUC in order to be FIPS compliant all cryptographic modules used must be FIPS certified.

> At least in the US, FIPS 140-2 compliance is a reasonably
> common need, so if we can make it easier for people who have that need
> to be compliant, they are more likely to use PostgreSQL, which seems
> like something that we should want.

The proposed patch makes SCRAM+FIPS work for 14; the question is if we need/want to try and address v10-13.

cheers ./daniel