On Thursday, November 10, 2011, Andrew Dunstan wrote:

>
>
> On 11/08/2011 12:39 PM, Tom Lane wrote:
>
>> Jeroen Vermeulen<j...@xs4all.nl>  writes:
>>
>>> Another reason why I believe compression is often used with encryption
>>> is to maximize information content per byte of data: harder to guess,
>>> harder to crack.  Would that matter?
>>>
>> Yes, it would.  There's a reason why the OpenSSL default is what it is.
>>
>>
>>
>
>
> An interesting data point on this is that RedHat's nss_compat_ossl package
> doesn't support SSL compression at all
> <http://fedoraproject.org/wiki/Nss_compat_ossl>, and it's supposed to be a
> path to FIPS 140 compliance:
> <http://fedoraproject.org/wiki/FedoraCryptoConsolidation>.
> The latter URL, incidentally, contains a lot of good information,
> and lays out many of the reasons why I'd like to see us support NSS as an
> alternative to OpenSSL, notwithstanding the supposed dirtiness of its API.
> I imagine this would be of interest to commercial Postgres vendors also.


Interesting points. I hadn't really considered it from the FIPS perspective.

I thought the main idea was that if we want to support another one it's
probably going to be GnuTLS because that one offers key-file-compatibility
with OpenSSL, which NSS doesn't.

//Magnus



-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
