public inbox for [email protected]
help / color / mirror / Atom feedFrom: Nico Williams <[email protected]>
To: ManiR <[email protected]>
Cc: [email protected]
Subject: Re: Request for cryptographic mechanisms used in PostgreSQL
Date: Tue, 20 Jan 2026 14:04:05 -0600
Message-ID: <aW/ftSIGMMXsCzPU@ubby> (raw)
In-Reply-To: <CAA5LiFbFsaE1qT+iDtRf0769HG7nFuGzPDa9AJwTzEauNK8J=g@mail.gmail.com>
References: <CAA5LiFbFsaE1qT+iDtRf0769HG7nFuGzPDa9AJwTzEauNK8J=g@mail.gmail.com>
On Tue, Jan 20, 2026 at 02:47:36PM +0530, ManiR wrote:
> We would like your guidance on the *cryptographic mechanisms used by
> PostgreSQL*, including:
FYI this is the sort of thing where LLMs shine. I would start by asking
an LLM to write this and then I'd have expert humans review it.
Keep in mind that some of the cryptographic mechanism/algorithm usage is
transitive via PostgreSQL's dependencies (e.g., SASL, GSS-API, TLS), but
you might not be interested in expanding that (since you might want to
do separate CBOMs for those.
Keep in mind that some uses are not actually uses, like the PG crypto
extension, which makes cryptography available to PG _applications_.
You should also look at options to _not_ use cryptographic mechanisms.
I.e., options to use cleartext protocols. Obviously it's much worse to
have a cleartext protocol than one that uses, say, 1DES, even though
1DES is so weak as to be useles. Often auditors have a blind spot here.
And it's important not to treat the presence of, say, MD5 as fatal when
it's not being used for security-critical purposes.
IMO,
Nico
--
view thread (3+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: Request for cryptographic mechanisms used in PostgreSQL
In-Reply-To: <aW/ftSIGMMXsCzPU@ubby>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox