Re: [HACKERS] SCRAM protocol documentation

2017-09-13 Thread Peter Eisentraut
On 8/11/17 09:27, Peter Eisentraut wrote:
> On 8/11/17 09:06, Álvaro Hernández Tortosa wrote:
>> Strictly speaking the RFC assumes that the username is at least 1
>> character. I understand this was precisely Peter's original comment.
>
> Well, my main point was that the documentation, the

Re: [HACKERS] SCRAM protocol documentation

2017-08-11 Thread Peter Eisentraut
On 8/11/17 09:06, Álvaro Hernández Tortosa wrote:
> Strictly speaking the RFC assumes that the username is at least 1
> character. I understand this was precisely Peter's original comment.

Well, my main point was that the documentation, the code, and the code comments all say slightly

Re: [HACKERS] SCRAM protocol documentation

2017-08-11 Thread Peter Eisentraut
On 8/11/17 07:18, Michael Paquier wrote:
> The problem is where a username includes characters as a comma or '=',
> which can be avoided if the string is in UTF-8 as the username is
> prepared with SASLprep before being used in the SASL exchange, but we
> have no way now to be sure now that the

Re: [HACKERS] SCRAM protocol documentation

2017-08-11 Thread Álvaro Hernández Tortosa
On 11/08/17 15:00, Michael Paquier wrote: On Fri, Aug 11, 2017 at 9:31 PM, Álvaro Hernández Tortosa wrote: On 11/08/17 13:18, Michael Paquier wrote: On Fri, Aug 11, 2017 at 3:50 PM, Álvaro Hernández Tortosa wrote: Relatedly, the SCRAM specification

Re: [HACKERS] SCRAM protocol documentation

2017-08-11 Thread Michael Paquier
On Fri, Aug 11, 2017 at 9:31 PM, Álvaro Hernández Tortosa wrote:
> On 11/08/17 13:18, Michael Paquier wrote:
>> On Fri, Aug 11, 2017 at 3:50 PM, Álvaro Hernández Tortosa
>> wrote: Relatedly, the SCRAM specification doesn't appear to allow omitting the

Re: [HACKERS] SCRAM protocol documentation

2017-08-11 Thread Álvaro Hernández Tortosa
On 11/08/17 13:18, Michael Paquier wrote: On Fri, Aug 11, 2017 at 3:50 PM, Álvaro Hernández Tortosa wrote: On 11/08/17 03:57, Peter Eisentraut wrote: The SCRAM protocol documentation (https://www.postgresql.org/docs/devel/static/sasl-authentication.html) states "To avoid

Re: [HACKERS] SCRAM protocol documentation

2017-08-11 Thread Michael Paquier
On Fri, Aug 11, 2017 at 3:50 PM, Álvaro Hernández Tortosa wrote:
> On 11/08/17 03:57, Peter Eisentraut wrote:
>> The SCRAM protocol documentation
>> (https://www.postgresql.org/docs/devel/static/sasl-authentication.html)
>> states
>>
>> "To avoid confusion, the client should use

Re: [HACKERS] SCRAM protocol documentation

2017-08-11 Thread Álvaro Hernández Tortosa
On 11/08/17 03:57, Peter Eisentraut wrote: The SCRAM protocol documentation (https://www.postgresql.org/docs/devel/static/sasl-authentication.html) states "To avoid confusion, the client should use pg_same_as_startup_message as the username in the client-first-message." However, the client