Marko Tiikkaja wrote:
> On 9/8/14 7:30 PM, Jeff Janes wrote:
> > If I understand the sequence here: the current git HEAD is that
> > pgp_pub_decrypt would throw an error if given a signed and encrypted
> > message, an earlier version of your patch changed that to decrypt the
> > message and ignore the signature, and the current version went back to
> > throwing an error.
> >
> > I think I prefer the middle of those behaviors. The original behavior
> > seems like a bug to me, and I don't think we need to be backwards
> > compatible with bugs. Why should a function called "decrypt" care if the
> > message is also signed? That is not its job.
>
> I haven't updated the patch yet because I don't want to waste my
> time going back and forth until we have a consensus, but I think I
> prefer Jeff's suggestion here to make the _decrypt() functions
> ignore signatures. Does anyone else want to voice their opinion?

+1 for ignoring sigs. If somebody wants to check sigs, that's a separate
step. Maybe we could have an optional boolean flag, default false, to
enable checking sigs, but that seems material for a future patch.

That said, I do wonder if it's a behavior change with security
implications: if somebody is relying on the current behavior of throwing
an error when sigs don't match, they wouldn't be thrilled to hear that
their security checks now fail to detect a problem because we don't
verify signatures when decrypting. In other words, is this established
practice already? If not, it's okay; otherwise, hmm.

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers