On Thu, Dec 20, 2007 at 05:04:33PM -0500, Merlin Moncure wrote:
> right, right, thanks for the lecture. I am aware of various issues
> with key management.
Sorry to come off that way. It wasn't my intention to lecture, but rather
to try to stop dead a cure that, in my opinion, is rather worse than the
disease.
> I said 'simple' not 'good'.
I think this is where we disagree. It's simple only because it's no
security at all. It's not that it's "not good for some purposes". I'm
arguing that it's the sort of approach that shouldn't be used ever, period.
We have learned, over and over again, that simple answers that might have
been good enough for a very narrow purpose inevitably get used for a
slightly wider case than that for which they're appropriate. Anything that
involves storing the keys in the same repository as the encrypted data is
just begging to be misused that way.
> I am not making a proposal here and you don't have to denigrate my
> broad suggestion on a technical detail which is quite distracting from
> the real issue at hand, btw.
This isn't a technical detail that I'm talking about: it's a very serious
mistake in the entire approach to which you alluded, and goes to the heart
of why I think any talk of somehow encrypting or otherwise obfuscating the
contents of pg_proc are a bad idea. Column controls based on user roles are
another matter, because they'd be part of the access control system in the
DBMS.
Best,
A