Bruce Momjian wrote:
> KaiGai Kohei wrote:
>> Robert Haas wrote:
>>>> Can you *do* the row-level permission?
>>> I don't think there's any consensus on a design.
>> Yes, unfortunatelly.
>> No one replied to my proposed design:
>> http://marc.info/?l=pgsql-hackers&m=122222470930544&w=2
>
> Yes, we got stuck on the covert channels issue. Frankly I think the use
> of non-natural keys addresses most of the covert channel issues and
> should be recommended for secure setups --- I don't think we are going to
> do any better than that and think we need to move forward on that
> assumption. We can cite
> http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.5950, which
> outlines the security risks.
I talked to someone in the Solaris Trusted Extension group last week.
Their stance is basically that they don't worry about covert channels,
because it is too hard or impossible to get right. Their main criterion
about what to hide is what gives existing applications a consistent view
of the world in spite of the presence of additional access controls, for
example to avoid being forced to return errors to applications that
cannot happen in normal circumstances.