On 16 August 2017 at 14:10, Peter Eisentraut
<peter.eisentraut@2ndquadrant.com> wrote:
> The SCRAM salt length is currently set as
>
> /* length of salt when generating new verifiers */
> #define SCRAM_DEFAULT_SALT_LEN 12
>
> without further comment.
>
> I suspect that this length was chosen based on the example in RFC 5802
> (SCRAM-SHA-1) section 5. But the analogous example in RFC 7677
> (SCRAM-SHA-256) section 3 uses a length of 16. Should we use that instead?
16 preferred, IMHO
--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services