Re: SCRAM with channel binding downgrade attack

From: Magnus Hagander
Subject: Re: SCRAM with channel binding downgrade attack
Date:
Msg-id: CABUevEwd=sAzB=1XB4J7exq-Ez85G1vNnrOs=BzAJiPPMdP5wg@mail.gmail.com
In reply to: Re: SCRAM with channel binding downgrade attack (Alvaro Herrera <alvherre@2ndquadrant.com>)
Responses: Re: SCRAM with channel binding downgrade attack (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
           SCRAM with channel binding downgrade attack (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
           Re: SCRAM with channel binding downgrade attack (Bruce Momjian <bruce@momjian.us>)
List: pgsql-hackers


On Wed, Jun 27, 2018 at 7:24 PM, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
> Going over this thread a little bit I'm confused about what is being
> proposed.  I think I understand that we no longer think we have
> SCRAM channel binding.  I hope that doesn't mean we don't have SCRAM
> itself.  However, in terms of the Postgres release proper, what do we
> need to do?  There is still an open item about this, and I had the
> impression that if we simply demoted channel binding from a pg11 major
> feature to barely a footnote that somebody can implement it with some
> hypothetical future JDBC driver that supports the option, then we're
> done.
>
> Am I mistaken?

No, we absolutely still have SCRAM channel binding.

*libpq* has no way to *enforce* it, meaning it always acts like our default SSL config, which is "use it if available, but if it's not then silently accept the downgrade". From a security perspective, it's just as bad as our default SSL config, but unlike SSL you can't configure a requirement in 11.

There is nothing preventing a third-party driver like JDBC or npgsql from implementing a way to enforce it. I would generally recommend they wait for the outcome of the discussion about parameters and names in order to implement the same semantics, but they don't have to wait for the next Postgres release.

It doesn't affect having SCRAM at all. That one is still there, and has been since 10.

--
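To make the distinction in the reply above concrete ("use it if available, silently accept the downgrade" versus a client that can require channel binding), here is a small simulation of the SCRAM mechanism choice. It is an added example and is not libpq or PostgreSQL server code. Mechanism names follow RFC 7677 and the gs2-cbind-flag rules ('p=<type>', 'y', 'n') follow RFC 5802 section 6; the policy names `disable`/`prefer`/`require`, the channel-binding type `tls-unique`, and all scenarios are assumptions constructed for the model.

```python
"""Simulation of SCRAM mechanism negotiation with and without a client-side
channel-binding requirement.

Added example, not libpq or PostgreSQL server code. The policy names
'disable', 'prefer' and 'require' and the channel-binding type 'tls-unique'
are assumptions for the model.
"""

PLUS = "SCRAM-SHA-256-PLUS"   # variant that carries channel binding data
PLAIN = "SCRAM-SHA-256"       # variant without channel binding
CB_TYPE = "tls-unique"        # assumed channel-binding type for the model


class DowngradeRefused(Exception):
    """Raised when a 'require' policy will not accept what the peer offers."""


def choose_mechanism(advertised, tls_in_use, policy):
    """Pick a SASL mechanism the way a client would.

    Returns (mechanism, gs2_cbind_flag). The flag is 'p=<type>' when channel
    binding is used, 'y' when the client could have used it but the peer did
    not offer it (RFC 5802: a server that does support channel binding can
    then detect a stripped -PLUS mechanism), and 'n' otherwise.
    """
    if policy not in ("disable", "prefer", "require"):
        raise ValueError(f"unknown policy {policy!r}")
    client_can_bind = tls_in_use and policy != "disable"
    if client_can_bind and PLUS in advertised:
        return PLUS, f"p={CB_TYPE}"
    if policy == "require":
        # The only behaviour that stops a silent downgrade on the client side.
        raise DowngradeRefused("peer did not offer channel binding over TLS")
    if PLAIN not in advertised:
        raise DowngradeRefused("peer offered no SCRAM mechanism")
    return PLAIN, ("y" if client_can_bind else "n")


def server_accepts_client_first(server_supports_cb, mechanism, cbind_flag):
    """Apply the RFC 5802 section 6 server-side check on the gs2 header."""
    if cbind_flag == "y" and server_supports_cb:
        return False   # client believed we lacked channel binding: downgrade
    if cbind_flag.startswith("p=") and mechanism != PLUS:
        return False   # binding data promised on a mechanism that has none
    return True


def run_scenario(policy, tls_in_use, advertised, endpoint_supports_cb):
    """End-to-end outcome for one connection attempt.

    'advertised' is the mechanism list the client actually sees (possibly
    altered in transit); 'endpoint_supports_cb' describes whoever processes
    the client-first message.
    Outcomes: 'channel-bound', 'unbound' (authenticated without binding),
    'refused' (client stopped), 'server-rejected' (endpoint detected 'y').
    """
    try:
        mechanism, flag = choose_mechanism(advertised, tls_in_use, policy)
    except DowngradeRefused:
        return "refused"
    if not server_accepts_client_first(endpoint_supports_cb, mechanism, flag):
        return "server-rejected"
    return "channel-bound" if mechanism == PLUS else "unbound"


if __name__ == "__main__":
    # Constructed scenarios: an honest server, a relay that strips -PLUS but
    # forwards to the real server, and a peer that never had channel binding.
    cases = [
        ("prefer", True, [PLUS, PLAIN], True),
        ("prefer", True, [PLAIN], True),
        ("prefer", True, [PLAIN], False),
        ("require", True, [PLAIN], False),
        ("require", False, [PLUS, PLAIN], True),
    ]
    for case in cases:
        print(case, "->", run_scenario(*case))
```

The third scenario (`prefer` over TLS, only `SCRAM-SHA-256` offered, peer without channel binding) ends in `unbound`: the client authenticates and never learns that binding was dropped, which is the behaviour the reply above attributes to libpq in 11. The RFC 5802 'y' check only helps when the client-first message still reaches an endpoint that supports channel binding; a peer that simply never offers it is stopped only by the client-side `require` policy, which is the knob the thread says libpq 11 lacks.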
