Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1q2EmB-00032P-Im for pgsql-hackers@arkaria.postgresql.org; Thu, 25 May 2023 17:29:23 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1q2Em8-0000tC-JM for pgsql-hackers@arkaria.postgresql.org; Thu, 25 May 2023 17:29:20 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1q2Em8-0000t3-9T for pgsql-hackers@lists.postgresql.org; Thu, 25 May 2023 17:29:20 +0000 Received: from tamriel.snowman.net ([70.109.60.50]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1q2Em5-0026oU-6W for pgsql-hackers@lists.postgresql.org; Thu, 25 May 2023 17:29:19 +0000 Received: by tamriel.snowman.net (Postfix, from userid 1000) id 526B35F7BA; Thu, 25 May 2023 13:29:12 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=snowman.net; s=dkim; t=1685035752; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=lEizzWYIRrUl7Zun8nHSmOEkhKpOEWkV4f2Z9IH9qDI=; b=apFnK/u1gPMUwJFJ33KsGCbozYfQJ1yaYn7/U/WET1EBfenSjJK4Zv0re6uXEctfBXsGjL HccZqUS+GGMkP3RBESoOul+IU4z8G15bWSLuMv3HRstk/5+u8FtbUOZi3UK/GBXPZShBZL mas9rRWFQvaZbMb68m7iV8Cr8CNV+Bw= Date: Thu, 25 May 2023 13:29:12 -0400 From: Stephen Frost To: Jacob Champion Cc: Daniel Gustafsson , PostgreSQL Hackers , "Jonathan S. Katz" , Michael Paquier Subject: Re: Docs: Encourage strong server verification with SCRAM Message-ID: References: <69EC75B8-3A75-43D9-9A2A-61BF6571247B@yesql.se> <2cdec255-6514-705b-0a4e-0cfb06dbddd7@timescale.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="AgPsqsPxtWbVyRot" Content-Disposition: inline In-Reply-To: <2cdec255-6514-705b-0a4e-0cfb06dbddd7@timescale.com> User-Agent: Mutt/2.1.4 (2021-12-11) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --AgPsqsPxtWbVyRot Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Greetings, * Jacob Champion (jchampion@timescale.com) wrote: > On 5/24/23 05:04, Daniel Gustafsson wrote: > >> On 23 May 2023, at 23:02, Stephen Frost wrote: > >> Perhaps more succinctly- maybe we should be making adjustments to the > >> current language instead of just adding a new paragraph. > >=20 > > +1 >=20 > I'm 100% on board for doing that as well, but the "instead of" > suggestion makes me think I didn't explain my goal very well. For > example, Stephen, you said >=20 > > I have to admit that the patch as presented strikes me as a warning > > without really providing steps for how to address the issues mentioned > > though; there's a reference to what was just covered at the bottom but > > nothing really new. >=20 > but the last sentence of my patch *is* the suggested step: >=20 > > + ... It's recommended to employ strong server > > + authentication, using one of the above anti-spoofing measures, t= o prevent > > + these attacks. I was referring specifically to that ordering as not being ideal or in line with the rest of the flow of that section. We should integrate the concerns higher in the section where we outline the reason these things matter and then follow those with the specific steps for how to address them, not give a somewhat unclear reference from the very bottom back up to something above. Thanks, Stephen --AgPsqsPxtWbVyRot Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEwf6gbxKhD863zrx/7WyKOINHZFUFAmRvmuYACgkQ7WyKOINH ZFViZA/+NHdYoUUiu8uchotztXeuiMGYNhAXCv9ByBLyfvqdGytUx+vxf4/vPnRy ACzZlAUviKH9YUKzmOZXVhXksqqZh6CsFbt/7XnOr4VsJ8fZVpd9jGRBDfEYBcyF IkbuMlnBSJtSLjUN/xXaZdIOPYkutq5f7MuG0uzUq84zR85WV0y8UhWnIxoKlsES LOJoipdDjfkxdweFuJE6oMOCrL720lfENkpLN1riDql0pBX4ew8qD5NN/GvJVTtT 9DRo2oVPW6PiU6Gckz4fmk22ujj1JIfUfjJjWAKhA1954QgDPqT5J2jRXrAWTpIt WpPYPdeH73te8pCTHBhsgPw6gJbXPbQcg6WBapOUKiyaPwqCjSFfYgxskK7brOPo YThVz0jq4S2bM6VCQ48qfVR9xf9elX+wYvgYKxEKvPvwNNoCwHyZl8ug6fG6CLA8 H13trsVCDEt1yqYXS+SA0d2hQjVLOc7X+8xsdykSO4+ZG1GgSvkxuRllKmP2Nrnz O6RKxkGwDN6Uyo2RvLtSfpznzfRPhqSR9DuvH+6c292zM/Dt+kz5Y2AlH+NAorBc +PD90TRZwL0ML+O1DhNsk4ZIqTu2WAPig5ogXJurSR6miJ5kh7xAAG47QWyKQ62N HyNlDFyM3bZoZzn3fRHpb462Ub+TTXYC9dp3yOjw43X0J2Ekb2k= =QOcZ -----END PGP SIGNATURE----- --AgPsqsPxtWbVyRot--