Re: Fwd: [PATCHES] Preliminary GSSAPI Patches

Henry B. Hotz <hotz@jpl.nasa.gov>

From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
To: Magnus Hagander <magnus@hagander.net>
Cc: josh@agliodbs.com, Tom Lane <tgl@sss.pgh.pa.us>, Stefan Kaltenbrunner <stefan@kaltenbrunner.cc>, pgsql-hackers@postgresql.org
Date: 2007-05-02T15:53:08Z
Lists: pgsql-hackers
On May 2, 2007, at 3:11 AM, Magnus Hagander wrote:

>> As to the question of GSSAPI vs SSL, I would never argue we don't
>> want both.
>>
>> Part of what made the GSSAPI encryption mods difficult was my intent
>> to insert them "above" the SSL encryption/buffering layer.  That way
>> you could double-encrypt the channel.  Since GSSAPI and SSL are
>> (probably, not necessarily) referenced to completely different ID
>> infrastructure there are scenarios where that's beneficial.
>
> We might want to consider restructuring how SSL works when we do, that
> might make it easier. The way it is now with #ifdefs all around can  
> lead to
> a horrible mess if there are too many different things to choose from.
> Something like "transport filters" or whatever might be a way to do  
> it. I
> recall having looked at that at some point, but it was too long ago to
> remember any details..
>
> //Magnus

If someone wants to make it easier, that would be nice,  I'm not up  
for it, I don't think.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu