Re: [PATCH v18] GSSAPI encryption support
Robbie Harwood <rharwood@redhat.com>
From: Robbie Harwood <rharwood@redhat.com>
To: Stephen Frost <sfrost@snowman.net>, Heikki Linnakangas <hlinnaka@iki.fi>
Cc: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>,
Nico Williams <nico@cryptonector.com>
Date: 2018-08-06T21:23:28Z
Lists: pgsql-hackers
Stephen Frost <sfrost@snowman.net> writes: > * Heikki Linnakangas (hlinnaka@iki.fi) wrote: > >> What is the point of this patch? What's the advantage of GSSAPI >> encryption over SSL? I was hoping to find the answer by reading the >> documentation changes, but all I can see is "how" to set it up, and >> nothing about "why". > > If you've already got an existing Kerberos environment, then it's a > lot nicer to leverage that rather than having to also implement a full > PKI to support and use SSL-based encryption. > > There's also something to be said for having alternatives to OpenSSL. This exactly. If you're in a position where you're using Kerberos (or most other things from the GSSAPI) for authentication, the encryption comes at little to no additional setup cost. And then you get all the security benefits outlined in the docs changes. Thanks, --Robbie
Commits
-
GSSAPI encryption support
- b0b39f72b990 12.0 landed
-
Fix typo
- 57c932475504 9.6.0 cited