Am 25.06.2025 um 01:20 schrieb Greg Sabino Mullane:
On Mon, Jun 23, 2025 at 2:45 PM raphi <ra...@crashdump.ch> wrote:

    As of now though we cannot use PG for any PCI/DSS certified
    application
    because we can't enforce either complexity nor regular password
    changes,


You can, and many, many companies do, but you need a modern auth system like Kerberos. Even if we were to put something into Postgres today (and given the MFA and re-use requirements, it's near impossible), PCI DSS keeps evolving and getting stricter, so keeping up with it would get harder with each release.

    Can I do something to help bringing these feature into PG? My C
    knowledge is very limited so I won't be able to provide a patch
    but I'd be more than happy to test it.


Your energy would be much better used in bringing Kerberos into your organization. :)

Well as said, we have LDAP and IAM widely in use for everything except database access. It's the IAM part that's making it difficult for us to implement it for PG application/user roles, this wouldn't change by using Kerberos instead of LDAP. I thought we'll get the exception from our security to use IAM roles instead of physical persons defined as the owner of the PG accounts but now they are against it. Main reason is because they are looking into a completely different solution with Vault, which would fix some other issues and make it more robust towards PCI, and they prefer a solution for everything rather than making another exception. But we are speaking about years here, 2027 earliest and they haven't even talked to us yet how this would work with PG, only other DB products.

have fun,
raphi


Reply via email to