From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Marko Kreen <markokr(at)gmail(dot)com> |
Cc: | Postgres Hackers List <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [9.4] Minor SSL/ECDH related doc fixes |
Date: | 2014-05-28 01:31:08 |
Message-ID: | 20140528013108.GA28490@momjian.us |
Lists: | pgsql-hackers |
On Sat, May 17, 2014 at 10:36:59PM +0300, Marko Kreen wrote:
> - Clarify ECDH description in release notes.
> - Fix default value - it's 'prime256v1'.
> - List curves with good cross-platform support explicitly
> (NIST P-256 / P-384 / P-521).
>
> The -list_curves output is full of garbage, it's hard to know which
> ones make sense to use. Only those three curves are supported
> cross-platform - OpenSSL/Java/Windows - so list them explicitly.
>
> Only reason to tune this value is changing overall security
> level up/down, so now this can be done safely and quickly.
>
> Only upwards though. We could also list here NIST P-192/P-224
> (prime192v1, secp224r1), but those are not supported by Windows.
> And prime256v1 is quite fast already.
>
> In the future it might make philosophical sense to list
> also Brainpool curves (RFC7027), or some new curves from
> http://safecurves.cr.yp.to/ when they are brought to TLS.
> But currently only NIST/NSA curves are a working option,
> so let's keep it simple for users.
Attached patch applied. I shortened the release note description.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
Attachment | Content-Type | Size |
---|---|---|
rel.diff | text/x-diff | 2.8 KB |
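
Added example, not part of the original message or of PostgreSQL's code: a small audit that reads a `postgresql.conf` and reports whether the effective ECDH curve is one of the three cross-platform curves named in the thread. It assumes the setting is called `ssl_ecdh_curve` and that P-384 and P-521 go by the OpenSSL names `secp384r1` and `secp521r1`; the function names and the sample file are constructed for illustration.

```python
import re

# OpenSSL curve name -> NIST name, for the curves named in the message above.
CROSS_PLATFORM = {"prime256v1": "P-256", "secp384r1": "P-384", "secp521r1": "P-521"}
NO_WINDOWS = {"prime192v1": "P-192", "secp224r1": "P-224"}  # weaker, not on Windows
DEFAULT_CURVE = "prime256v1"  # default value stated in the message

# postgresql.conf entry: "name = value" or "name value"; the value may be
# single-quoted ('' escapes a quote); '#' starts a comment; names ignore case.
_ENTRY = re.compile(
    r"^\s*ssl_ecdh_curve(?:\s*=\s*|\s+)(?:'((?:[^']|'')*)'|([^\s#']+))\s*(?:#.*)?$",
    re.IGNORECASE,
)

def effective_curve(conf_text):
    """Return the curve the server would use: the last entry wins, else the default."""
    curve = DEFAULT_CURVE
    for line in conf_text.splitlines():
        m = _ENTRY.match(line)
        if m:
            quoted, bare = m.groups()
            curve = quoted.replace("''", "'") if quoted is not None else bare
    return curve

def classify(curve):
    """Map an OpenSSL curve name to (status, NIST name)."""
    if curve in CROSS_PLATFORM:
        return ("ok", CROSS_PLATFORM[curve])
    if curve in NO_WINDOWS:
        return ("no-windows", NO_WINDOWS[curve])
    return ("unlisted", None)  # e.g. Brainpool: check client support before use

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
#ssl_ecdh_curve = 'prime256v1'   # commented-out default, ignored
ssl = on
ssl_ecdh_curve = 'secp224r1'     # overridden by the later entry
SSL_ECDH_CURVE = secp384r1       # last entry wins
"""

if __name__ == "__main__":
    curve = effective_curve(SAMPLE_CONF)
    print(curve, classify(curve))
```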