On Sat, Feb 17, 2018 at 03:52:33PM -0800, Andres Freund wrote:
> I've a hard hard hard time believing this is something useful to do. I
> mean by that argument you can just cause trouble everywhere by just
> storing arbitrarily large stuff via sql.

Did you read my last email until the end?  Particularly this quote:

> Longer salts make it harder to reproduce connection proofs, so some
> users may want to privilege that over the number of iterations, and
> those are perfectly valid per the SCRAM exchange protocol.

The argument here is not about storing large blobs, it is about the
flexibility that the SCRAM protocol allows that PostgreSQL does not
because of this restriction in row size.  Postgres should have in the
future a set of GUC parameters to allow users to control the iteration
number and the salt length when generating the SCRAM verifier depending
on their security requirements.  And I see no point in restraining
things on the backend as we do now.
--
Michael
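
An added illustration, not part of the original message or of PostgreSQL's code: a SCRAM-SHA-256 verifier derived per RFC 5802/RFC 7677 and written in the `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` text layout PostgreSQL stores, to show how the two parameters discussed above affect the size of the stored value. The function names, the password, and the salt and iteration values are constructed for the example, and an ASCII password is assumed so that SASLprep can be skipped.

```python
import base64
import hashlib
import hmac
import os


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def build_verifier(password: str, salt: bytes, iterations: int) -> str:
    """Derive StoredKey/ServerKey as in RFC 5802 with SHA-256 (RFC 7677)."""
    # Assumption: ASCII password, so SASLprep normalization changes nothing.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    # Layout: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_verifier(verifier: str):
    """Split a verifier into (iterations, salt, stored_key, server_key)."""
    scheme, params, keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("unexpected scheme")
    iterations, salt_b64 = params.split(":")
    stored_b64, server_b64 = keys.split(":")
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def password_matches(password: str, verifier: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iterations, salt, _, _ = parse_verifier(verifier)
    return hmac.compare_digest(build_verifier(password, salt, iterations), verifier)


if __name__ == "__main__":
    # Constructed parameters: the verifier grows with the salt length,
    # while a higher iteration count only adds digits.
    for salt_len, iterations in [(16, 4096), (16, 100000), (64, 4096), (1024, 4096)]:
        v = build_verifier("constructed-password", os.urandom(salt_len), iterations)
        print(f"salt={salt_len:5d}B iter={iterations:6d} -> verifier is {len(v)} chars")
```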
