Re: SCRAM with channel binding downgrade attack

From: Magnus Hagander
Subject: Re: SCRAM with channel binding downgrade attack
Msg-id: CABUevEwc2AmMu-B=bA3tPwefLCh3hmnP7WR2q6cD85UuU6p1kw@mail.gmail.com
In reply to: Re: SCRAM with channel binding downgrade attack (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses: Re: SCRAM with channel binding downgrade attack (Michael Paquier <michael@paquier.xyz>)
List: pgsql-hackers


On Mon, Jun 11, 2018 at 4:49 PM, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
> On 6/6/18 18:04, Michael Paquier wrote:
>> On Wed, Jun 06, 2018 at 11:53:06PM +0300, Heikki Linnakangas wrote:
>>> That would certainly be good. We've always had that problem, even with md5
>>> -> plaintext password downgrade, and it would be nice to fix it. It's quite
>>> late in the release cycle already, do you think we should address that now?
>>> I could go either way..
>>
>> I would be inclined to treat that as new development as this is no new
>> problem.
>
> I agree.


Agreed as well.

I'm wondering if that means we should then also not do it specifically for scram in this version. Otherwise we're likely to end up with a parameter that only has a "lifetime" of one version, and that seems like a bad idea. If nothing else we should clearly think out what the path is to make sure that doesn't happen. (e.g. we don't want a scram_channel_binding_mode=require in this version, if the next one is going to replace it with something like Heikki's suggested allowed_authentication_methods=SCRAM-SHA-256-PLUS or whatever we end up coming up with there).

--
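The downgrade the thread is about, as an added example that is not PostgreSQL or libpq code: a simplified model of a client choosing between SCRAM-SHA-256 and SCRAM-SHA-256-PLUS when an attacker strips "-PLUS" from the advertised mechanisms, with the RFC 5802 GS2 flag check on the server side and a hypothetical client-side "require" policy (standing in for the scram_channel_binding_mode=require / allowed_authentication_methods ideas mentioned above). Mechanism names and the tls-server-end-point binding name are real; the function names and the policy flag are assumptions of this model.

```python
# Added example (not PostgreSQL/libpq code): simplified model of the two
# defences against an attacker removing "-PLUS" from the SASL mechanism list.
SCRAM = "SCRAM-SHA-256"
SCRAM_PLUS = "SCRAM-SHA-256-PLUS"


def client_select(advertised, client_supports_cb, require_cb,
                  cb_name="tls-server-end-point"):
    """Pick a mechanism and the RFC 5802 GS2 channel-binding flag.
    require_cb is a hypothetical client policy modelled on the
    scram_channel_binding_mode=require idea from the thread."""
    if client_supports_cb and SCRAM_PLUS in advertised:
        return SCRAM_PLUS, f"p={cb_name}"  # bind the auth to the TLS channel
    if require_cb:
        raise ConnectionError("server offered no SCRAM-SHA-256-PLUS; refusing")
    if SCRAM not in advertised:
        raise ConnectionError("no SCRAM mechanism offered")
    # "y": client could bind but believes the server cannot; "n": client cannot
    return SCRAM, ("y" if client_supports_cb else "n")


def server_check(gs2_flag, server_supports_cb):
    """RFC 5802 section 6: a server that supports channel binding must fail
    on flag "y", since the client only sends it when it did not see -PLUS."""
    if gs2_flag == "y" and server_supports_cb:
        raise ConnectionError("downgrade detected: client did not see -PLUS")
    if gs2_flag.startswith("p=") and not server_supports_cb:
        raise ConnectionError("channel binding not supported here")
    return "bound" if gs2_flag.startswith("p=") else "unbound"


def handshake(server_supports_cb, mitm_strips_plus, client_supports_cb, require_cb):
    """Run one exchange; returns the outcome or the refusal reason."""
    advertised = [SCRAM] + ([SCRAM_PLUS] if server_supports_cb else [])
    if mitm_strips_plus:
        advertised = [m for m in advertised if m != SCRAM_PLUS]  # attacker's edit
    try:
        _mech, flag = client_select(advertised, client_supports_cb, require_cb)
        return server_check(flag, server_supports_cb)
    except ConnectionError as e:
        return f"refused: {e}"


if __name__ == "__main__":
    print(handshake(True, False, True, False))   # honest server: bound
    print(handshake(True, True, True, False))    # stripped: server detects "y"
    print(handshake(False, False, True, False))  # server without CB: unbound
    print(handshake(False, False, True, True))   # require policy refuses
```

The "y" flag only helps when the genuine server supports channel binding; when it does not, or when the attacker terminates TLS itself, only the client-side require policy refuses the unbound connection, which is why the thread is about a client parameter.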
