
Re: function body actors (was: [PERFORM] viewing source code)

From: "Merlin Moncure" <mmoncure(at)gmail(dot)com>
To: "Andrew Sullivan" <ajs(at)crankycanuck(dot)ca>, "Pgsql Hackers" <pgsql-hackers(at)postgresql(dot)org>
Cc: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: function body actors (was: [PERFORM] viewing source code)
Date: 2007-12-21 17:48:51
Message-ID: b42b73150712210948g42498150h976c0b972d632faa@mail.gmail.com
Lists: pgsql-hackers, pgsql-performance

On Dec 21, 2007 11:48 AM, Andrew Sullivan <ajs(at)crankycanuck(dot)ca> wrote:
> On Fri, Dec 21, 2007 at 12:40:05AM -0500, Tom Lane wrote:
>
> > whether there is a useful policy for it to implement.  Andrew Sullivan
> > argued upthread that we cannot get anywhere with both keys and encrypted
> > function bodies stored in the same database (I hope that's an adequate
> > summary of his point).
>
> It is.  I'm not a security expert, but I've been spending some time
> listening to some of them lately.  The fundamental problem with a system
> that stores the keys online in the same repository is not just its potential
> for compromise, but its brittle failure mode: once the key is recovered,
> you're hosed.  And there's no outside check of key validity, which means
> attackers have a nicely-contained target to hit.
>
> > I'm not convinced that he's right, but that has to be the first issue we
> > think about.  The whole thing is a dead end if there's no way to do
> > meaningful encryption --- punting an insoluble problem to the user doesn't
> > make it better.
>
> Well, one thing you could do with the proposal is build a PKCS#11 actor,
> that could talk to an HSM.  Not everyone needs HSMs, of course, but they do
> make online key storage much less risky (because correctly designed ones
> make key recovery practically impossible).  So the mechanism can be made
> effectively secure even for very strong cryptographic uses.

ISTM the main issue is how exactly the authenticated user interacts
with the actor to give it the information it needs to get the real
key.  This is significant because we don't want to be boxed into an
actor implementation that doesn't allow that interaction.  If simply
calling out via a function is enough (which, to be perfectly honest, I
don't know), then we can implement the actor system and let actor
implementations spring to life in contrib, pgfoundry, etc. as the
community presents them.

merlin
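An added sketch of the actor interface Merlin is asking about, written for this page and not PostgreSQL code or anything from the thread: a pluggable `get_key(fn_name, session)` callout, with one actor that keeps the key beside the ciphertext (Andrew's brittle case) and one that derives it from a per-session secret the authenticated user supplies, standing in for a PKCS#11/HSM callout. All names are invented, and the HMAC-based stream cipher is a toy for illustration only.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode XOR with HMAC-SHA256 as the PRF; illustrative only."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def new_store():
    """Stand-in for the catalog: function bodies plus (optionally) key rows."""
    return {"keys": {}, "bodies": {}}

class InDatabaseKeyActor:
    """Brittle design: the key row lives in the same store as the ciphertext."""
    def __init__(self, store):
        self.store = store
    def get_key(self, fn_name, session):
        return self.store["keys"].setdefault(fn_name, secrets.token_bytes(32))

class SessionSecretActor:
    """Callout design: key derived from a secret the authenticated session supplies
    (stand-in for a PKCS#11/HSM callout); nothing about it is written to the store."""
    def get_key(self, fn_name, session):
        return hashlib.pbkdf2_hmac("sha256", session["secret"], fn_name.encode(), 10_000)

def store_function(store, fn_name, body, actor, session):
    """Encrypt the body under whatever key the actor hands back."""
    key = actor.get_key(fn_name, session)
    nonce = secrets.token_bytes(16)
    store["bodies"][fn_name] = (nonce, _keystream_xor(key, nonce, body.encode()))

def load_function(store, fn_name, actor, session):
    """Decrypt the body; a wrong session secret yields garbage, not the source."""
    nonce, ct = store["bodies"][fn_name]
    key = actor.get_key(fn_name, session)
    return _keystream_xor(key, nonce, ct).decode(errors="replace")

def body_recoverable_from_dump(store, fn_name):
    """What a copy of the store alone yields: with the in-database actor the key
    row is in the dump, so the body decrypts; with the session actor it is not."""
    nonce, ct = store["bodies"][fn_name]
    key = store["keys"].get(fn_name)
    return None if key is None else _keystream_xor(key, nonce, ct).decode()
```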
