Participants
Matthew Wetmore
Matthew Wetmore
Alvaro Herrera
Alvaro Herrera
Andrew Dunstan
Andrew Dunstan
Attachments

No attachments in this thread

Thread Outline
#1Matthew WetmoreMatthew Wetmore
Apr 02, 2008
#2Alvaro HerreraAlvaro Herrerato Matthew Wetmore (#1)
Apr 02, 2008
#3Andrew DunstanAndrew Dunstanto Matthew Wetmore (#1)
Apr 02, 2008

US VISA CISP PCI comp. needs SHA1

Started by Matthew Wetmorealmost 18 years ago3 messages
#1Matthew Wetmore
Matthew Wetmore
testroom@secomintl.com

Not sure if I posted in correct spot....

pg_8.2.6
Centos5
Windows based app.
encryped pwd = yes
SSL = yes,
hostssl with explicit IP w/md5. (no pg_crypto)

We are in process of VISA CISP PCI compliance for our application.
(online cc auth - no stored cc data) [next phase will include stored cc
data]

We just heard back today that they would like to use SHA1 for pwd auth.

does anyone have any doco that will support md5 vs. SHA1?

We also have global customers so we understand the us v non-US export stuff.

Any direction is appreciated.

Thanks in advance.

/matthew wetmore

--

Matthew Wetmore
Secom International, Inc
9610 Bellanca, Ave.
Los Angeles, CA 90045
310-641-1290

This e-mail is intended for the addressee shown. It contains information
that is confidential and protected from disclosure. Any review,
dissemination or use of this transmission or its contents by persons or
unauthorized employees of the intended organisations is strictly
prohibited.
The contents of this email do not necessarily represent the views or
policies of Secom International Inc., or its employees.

#2Alvaro Herrera
Alvaro Herrera
alvherre@commandprompt.com
In reply to: Matthew Wetmore (#1)
Re: US VISA CISP PCI comp. needs SHA1

Matthew Wetmore wrote:

We just heard back today that they would like to use SHA1 for pwd auth.

Why would anyone want to do something so pointless?

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

#3Andrew Dunstan
Andrew Dunstan
andrew@dunslane.net
In reply to: Matthew Wetmore (#1)
Re: US VISA CISP PCI comp. needs SHA1

Matthew Wetmore wrote:

Not sure if I posted in correct spot....

pg_8.2.6
Centos5
Windows based app.
encryped pwd = yes
SSL = yes,
hostssl with explicit IP w/md5. (no pg_crypto)

We are in process of VISA CISP PCI compliance for our application.
(online cc auth - no stored cc data) [next phase will include stored cc
data]

We just heard back today that they would like to use SHA1 for pwd auth.

does anyone have any doco that will support md5 vs. SHA1?

We also have global customers so we understand the us v non-US export stuff.

Any direction is appreciated.

You could use pg_crypto plus application level passwords.

As has been pointed out elsewhere, there is no security virtue in
swapping MD5 password hashing in Postgres for SHA1.

cheers

andrew

← Back to Topics