Postgres Pro
Downloads
Home   >   mailing lists

Thread: US VISA CISP PCI comp. needs SHA1

US VISA CISP PCI comp. needs SHA1

From
Matthew Wetmore
Date:
Not sure if I posted in correct spot....


pg_8.2.6
Centos5
Windows based app.
encryped pwd = yes
SSL = yes,
hostssl with explicit IP w/md5. (no pg_crypto)



We are in process of VISA CISP PCI compliance for our application.
(online cc auth - no stored cc data) [next phase will include stored cc
data]

We just heard back today that they would like to use SHA1 for pwd auth.

does anyone have any doco that will support md5 vs. SHA1?

We also have global customers so we understand the us v non-US export stuff.

Any direction is appreciated.

Thanks in advance.

/matthew wetmore

-- 

Matthew Wetmore
Secom International, Inc
9610 Bellanca, Ave.
Los Angeles, CA 90045
310-641-1290


This e-mail is intended for the addressee shown. It contains information
that is confidential and protected from disclosure. Any review,
dissemination or use of this transmission or its contents by persons or
unauthorized employees of the intended organisations is strictly
prohibited.
The contents of this email do not necessarily represent the views or
policies of Secom International Inc., or its employees.

Re: US VISA CISP PCI comp. needs SHA1

From
Alvaro Herrera
Date:
Matthew Wetmore wrote:

> We just heard back today that they would like to use SHA1 for pwd auth.

Why would anyone want to do something so pointless?

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

Re: US VISA CISP PCI comp. needs SHA1

From
Andrew Dunstan
Date:

Matthew Wetmore wrote:
> Not sure if I posted in correct spot....
>
>
> pg_8.2.6
> Centos5
> Windows based app.
> encryped pwd = yes
> SSL = yes,
> hostssl with explicit IP w/md5. (no pg_crypto)
>
>
>
> We are in process of VISA CISP PCI compliance for our application.
> (online cc auth - no stored cc data) [next phase will include stored cc
> data]
>
> We just heard back today that they would like to use SHA1 for pwd auth.
>
> does anyone have any doco that will support md5 vs. SHA1?
>
> We also have global customers so we understand the us v non-US export stuff.
>
> Any direction is appreciated.
>
>
>   

You could use pg_crypto plus application level passwords.

As has been pointed out elsewhere, there is no security virtue in 
swapping MD5 password hashing in Postgres for SHA1.

cheers

andrew