On ons, 2011-08-10 at 19:29 +0100, Dave Page wrote:
> On Wed, Aug 10, 2011 at 7:06 PM, Peter Eisentraut <peter_e@gmx.net> wrote:
> > I would like to see whether there is support for adding sha1 and sha2
> > functions into the core. These are obviously well-known and widely used
> > functions, but currently the only way to get them is either through
> > pgcrypto or one of the PLs. We could say that's OK, but then we do
> > support md5 in core, which then encourages people to use that, when they
> > really shouldn't use that for new applications.
>
> Slightly different, but related - I've seen complaints that we only
> use md5 for password storage/transmission, which is apparently not
> acceptable under some government security standards. In the most
> recent case, they wanted to be able to use sha256 for password storage
> (transmission isn't really an issue where SSL can be used of course).
Yeah, that's one of those things. These days, using md5 for anything
raises red flags, so it would be better to slowly move some alternatives
into place.
> If we're ready to move more hashing functions into core, then it seems
> reasonable to add more options for password storage to help those who
> need to meet mandated standards.
Yes, that would be good.