Description
Is your feature request related to a problem? Please describe.
Currently I am looking at whether it is possible to add scram+ channel binding to PGX. There is another proposed implementation for this in the pg library ( lib/pq#1181 ) so I will be looking at that for some guidance alongside other resources.
I'll take a stab at this myself but any guidance is welcome. I'll have some specific security folks at my company help review this as well since scram+ is a little hard to understand.
Describe the solution you'd like
Implementation of SCRAM-SHA-256-PLUS where the password is used to salt the TLS channel.
Describe alternatives you've considered
Certainly we have considered MTLS and other solutions. We could try the pg library or we could also use a libpq wrapper. In general though we want to see whether we can get PGX to support this.
Additional context
RFC 5802: https://datatracker.ietf.org/doc/html/rfc5802
Steve Kerrison's blog is useful in understanding this approach in general:
https://csb.stevekerrison.com/post/2022-05-scram-detail/
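How the channel-binding data enters the SCRAM exchange, as an added Go example that is not pgx's code and not taken from the linked lib/pq proposal: helper names are assumptions, and it assumes a server certificate signed with a SHA-256 based algorithm, so the tls-server-end-point data is SHA-256 of the certificate's DER bytes. The client's c= attribute commits to that hash, the client proof is computed over an AuthMessage that contains c=, and the server only accepts a proof bound to the certificate it actually presented, which is what defeats a TLS-terminating intermediary.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
)

// Helper names are assumptions (not pgx's API); assumes a SHA-256-signed server cert.
const gs2HeaderPlus = "p=tls-server-end-point,," // client advertises channel binding

func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// saltedPassword is Hi() from RFC 5802: PBKDF2 with HMAC-SHA-256, dkLen 32.
func saltedPassword(password, salt []byte, iters int) []byte {
	u := hmacSHA256(password, append(append([]byte{}, salt...), 0, 0, 0, 1))
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		u = hmacSHA256(password, u)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}
// channelBindingAttr is the "c=" value: base64(gs2-header || cb-data).
func channelBindingAttr(serverCertDER []byte) string {
	h := sha256.Sum256(serverCertDER)
	return base64.StdEncoding.EncodeToString(append([]byte(gs2HeaderPlus), h[:]...))
}
// clientProof computes "p=" over AuthMessage = client-first-bare ","
// server-first "," client-final-without-proof (RFC 5802 section 3).
func clientProof(sp []byte, clientFirstBare, serverFirst, clientFinalNoProof string) string {
	authMsg := clientFirstBare + "," + serverFirst + "," + clientFinalNoProof
	ck := hmacSHA256(sp, []byte("Client Key"))
	stored := sha256.Sum256(ck)
	sig := hmacSHA256(stored[:], []byte(authMsg))
	for i := range ck {
		ck[i] ^= sig[i] // ClientProof = ClientKey XOR ClientSignature
	}
	return base64.StdEncoding.EncodeToString(ck)
}
// serverBindingOK: the c= value the client signed must carry the hash of the
// certificate this server presented, not one a proxy presented to the client.
func serverBindingOK(cValue string, ownCertDER []byte) bool {
	return hmac.Equal([]byte(cValue), []byte(channelBindingAttr(ownCertDER)))
}
```

With the RFC 7677 test vector (user "user", password "pencil", c=biws) clientProof reproduces the published p= value; swapping c=biws for channelBindingAttr(cert) changes the proof, which is exactly what ties the password proof to the TLS endpoint.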