Re: RFC 9266: Channel Bindings for TLS 1.3 support

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>, "* Neustradamus *" <neustradamus@hotmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-11-21T22:57:26Z
Lists: pgsql-hackers
On Fri, Nov 21, 2025 at 11:57 AM Nico Williams <nico@cryptonector.com> wrote:
> (I'm very down on SCRAM.  I'd much rather have an asymmetric zero-
> knowledge PAKE.)

Hey, get an OPAQUE-PLUS over the line and I bet someone here will take
interest :D

(It's hard for me to be more down on SCRAM than I am on plaintext
LDAP, though. SCRAM's pretty good.)

> I wonder if DANE (DNS-based Authentication of Named Entities [RFC 6698])
> might be a good idea for PG.  IMO DANE is a great idea in general, but
> browser communities do not agree yet (for reasons, often to do with
> performance, which I think by and large do not apply to PG).

Possibly. I did briefly look at RPK a few months back, but that was in
the context of a pinned key (i.e. "SSH into Postgres") rather than
with DANE. I feel like I've seen people talking about DANE a lot more
recently? Maybe there'll be momentum for that at some point.

--Jacob