Re: RFC 9266: Channel Bindings for TLS 1.3 support
| From | Nico Williams |
|---|---|
| Subject | Re: RFC 9266: Channel Bindings for TLS 1.3 support |
| Date | |
| Msg-id | aSKm2BqNm0gP4Lkm@ubby |
| In reply to | Re: RFC 9266: Channel Bindings for TLS 1.3 support (* Neustradamus * <neustradamus@hotmail.com>) |
| List | pgsql-hackers |
On Sun, Nov 23, 2025 at 01:44:18AM +0000, * Neustradamus * wrote:
> Links of XEPs are here to confirm that "tls-exporter" is needed and
> already used.

How are XEPs relevant to PG?

> Several people would like to deprecate "tls-server-end-point" (RFC
> 5929) like Simon Josefsson (author of several RFCs), that you know of
> course, because RFC 9266 exists since July 2022:

I responded to that. Simon did not respond to my last message. Silence might denote acquiescence, or it might not, but at any rate there is currently no effort to obsolete TSEP.

> For example, he is the GNU SASL maintainer and he does not want to add
> tls-server-end-point support:

That's his right.

> So it is really important to support "tls-exporter".

I don't disagree with that. It's not because TSEP might get obsoleted.

One issue that arises is that if you support more than one kind of CB then you need to be able to negotiate it (for some value of negotiation anyways; if the server doesn't want the client's choice, you can just fail, but de minimis you really need to be able to tell the user why authentication failed).

Nico
--
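
The "fail, but say why" path from the message above, sketched for SCRAM (RFC 5802), where the client names its binding type in the gs2 header as `p=<cb-name>`. This is an added example, not code from PostgreSQL or from this thread; the function names and the server's accepted-type list are assumptions, and the `e=` strings are RFC 5802 server-error values.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of inspecting the gs2-cbind-flag of a SCRAM client-first-message. */
typedef enum { CB_OK, CB_NOT_USED, CB_DOWNGRADE, CB_UNSUPPORTED_TYPE, CB_MALFORMED } cb_result;

/* Assumed server policy: the binding types this server accepts. */
static const char *const server_cb_types[] = { "tls-exporter", "tls-server-end-point" };

/* On CB_OK, *chosen points at the accepted type the client asked for. */
cb_result select_channel_binding(const char *client_first, const char **chosen)
{
    *chosen = NULL;
    if (client_first[0] == 'n' || client_first[0] == 'y') {
        if (client_first[1] != ',')
            return CB_MALFORMED;
        /* "y": client believes the server has no CB; this server does. */
        return client_first[0] == 'y' ? CB_DOWNGRADE : CB_NOT_USED;
    }
    if (strncmp(client_first, "p=", 2) != 0)
        return CB_MALFORMED;
    const char *name = client_first + 2;
    const char *comma = strchr(name, ',');
    if (comma == NULL || comma == name)
        return CB_MALFORMED;
    size_t len = (size_t)(comma - name);
    for (size_t i = 0; i < sizeof server_cb_types / sizeof server_cb_types[0]; i++)
        if (strlen(server_cb_types[i]) == len && memcmp(name, server_cb_types[i], len) == 0) {
            *chosen = server_cb_types[i];
            return CB_OK;
        }
    return CB_UNSUPPORTED_TYPE;
}

/* Reason sent to the client (RFC 5802 server-error values), NULL if none. */
const char *cb_failure_reason(cb_result r)
{
    switch (r) {
    case CB_DOWNGRADE:        return "e=server-does-support-channel-binding";
    case CB_UNSUPPORTED_TYPE: return "e=unsupported-channel-binding-type";
    case CB_MALFORMED:        return "e=other-error";
    default:                  return NULL;
    }
}

int main(void)
{
    const char *chosen;
    /* Constructed client-first-message naming a type this server rejects. */
    cb_result r = select_channel_binding("p=tls-unique,,n=user,r=constructednonce", &chosen);
    printf("%s\n", cb_failure_reason(r));
    return 0;
}
```

A client that receives `e=unsupported-channel-binding-type` can report that the binding type was refused, rather than reporting a generic authentication failure.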