Re: RFC 9266: Channel Bindings for TLS 1.3 support
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>,
"* Neustradamus *" <neustradamus@hotmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-11-21T22:57:26Z
Lists: pgsql-hackers
On Fri, Nov 21, 2025 at 11:57 AM Nico Williams <nico@cryptonector.com> wrote: > (I'm very down on SCRAM. I'd much rather have an asymmetric zero- > knowledge PAKE.) Hey, get an OPAQUE-PLUS over the line and I bet someone here will take interest :D (It's hard for me to be more down on SCRAM than I am on plaintext LDAP, though. SCRAM's pretty good.) > I wonder if DANE (DNS-based Authentication of Named Entities [RFC 6698]) > might be a good idea for PG. IMO DANE is a great idea in general, but > browser communities do not agree yet (for reasons, often to do with > performance, which I think by and large do not apply to PG). Possibly. I did briefly look at RPK a few months back, but that was in the context of a pinned key (i.e. "SSH into Postgres") rather than with DANE. I feel like I've seen people talking about DANE a lot more recently? Maybe there'll be momentum for that at some point. --Jacob