On Nov 2, 2006, at 12:26 PM, Richard Troy wrote:

Well, there's simply no need. While I can agree that more could be done, I'm not convinced there's a need because what we have now works fine. Let
me support my view by stating first that I perceive that combining the
conception of encrypting a communications channel with user authentication to be a very poor choice. I gather from the paragraph above that this is a
forgone conclusion. Apologies if I'm mistaken.

Understand that I'm talking about *real* security here. There are standard protocols and libraries that support real security: SASL and GSSAPI in particular. You may for various reasons decide that it's "too hard" to do real security. Most people don't, including most people who use SSL. I'm not saying that's *wrong*, just that some possible attack methods have not been prevented.

At the level of detail that's appropriate for this list, all I can do is repeat myself.

Part of establishing a secure connection is establishing that the end points are the intended ones and there is no Man In the Middle. Establishing the end points means the server has identified the user within the name space of the security mechanism. ------------------------------------------------------------------------ ----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.

---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at


Reply via email to