Re: pgcrypto: PGP signatures

From: Marko Tiikkaja <marko(at)joh(dot)to>
To: Abhijit Menon-Sen <ams(at)2ndQuadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>, Joel Jacobson <joel(at)trustly(dot)com>, Thomas Munro <munro(at)ip9(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: pgcrypto: PGP signatures
Date: 2014-09-15 11:37:48
Message-ID: 5416CF8C.5080301@joh.to
Lists: pgsql-hackers

On 9/12/14, 8:22 PM, Abhijit Menon-Sen wrote:
> (I haven't read the patch, or even earlier correspondence in this
> thread, so I apologise for just jumping in.)
>
> At 2014-09-12 12:50:45 -0300, alvherre(at)2ndquadrant(dot)com wrote:
>>
>> +1 for ignoring sigs. If somebody wants to check sigs, that's a
>> separate step.
>
> For what it's worth, although it seems logical to split up cryptographic
> primitives like this, I think it's widely recognised these days to have
> contributed to plenty of bad crypto implementations. There seems to be a
> general trend of moving towards higher-level interfaces that require
> fewer decisions and can be relied upon to do the Right Thing.
>
> I don't like the idea of ignoring signature verification errors any more
> than I would like "if somebody wants to check the HMAC before decrypting,
> that's a separate step".
>
> Of course, all that is an aside. If the function ever threw an error on
> signature verification failures, I would strongly object to changing it
> to ignore such errors for exactly the reasons you mention already.

I'm not sure we're talking about the same thing. Currently, we throw an
error if *any* signature was present, valid or otherwise. The "decrypt
only" functions don't have enough information to verify the validity of
the signature, so we must either ignore the signatures or throw an error
in their presence.

The only downside of ignoring signatures here as far as I can tell is a
scenario where you're sending messages to someone, and they accept your
signed messages. You might get the impression that the receiving party
is actually validating the signature, but I guess that's trivial to
test, and relying on such unwritten contracts is a bit suspicious anyway
when it comes to cryptography.

I've changed the patch back to ignore signatures when not using the
decrypt_verify() functions in the attached.

.marko

Attachment Content-Type Size
pgcrypto_sigs.v6.patch text/plain 151.4 KB
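
Added illustration, not part of the original message and not pgcrypto code: a Python model of the two policies a decrypt-only function can apply when the decrypted OpenPGP packet stream contains signature packets, either skip them unverified or raise an error. The function names and the on_signature parameter are hypothetical, the input is assumed to be the already-decrypted, uncompressed packet stream, and the sample messages are constructed with zero-filled signature bodies.

```python
# Added example; names are hypothetical. Tags are from RFC 4880, section 4.3.
TAG_SIGNATURE, TAG_ONE_PASS_SIG, TAG_LITERAL = 2, 4, 11
class SignaturePresent(Exception): pass

def read_packets(buf):
    """Yield (tag, body) for each definite-length packet in buf."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated packet")
        pos += n
        return buf[pos - n:pos]
    while pos < len(buf):
        hdr = take(1)[0]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, take(1)[0]
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + take(1)[0] + 192
            elif first == 255:
                length = int.from_bytes(take(4), "big")
            else:
                raise ValueError("partial body lengths not handled here")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            length = int.from_bytes(take(1 << ltype), "big")
        yield tag, take(length)

def decrypt_only_payload(plaintext, on_signature="ignore"):
    """Return literal data; signatures are skipped unverified or rejected."""
    data = None
    for tag, body in read_packets(plaintext):
        if tag in (TAG_SIGNATURE, TAG_ONE_PASS_SIG):
            if on_signature == "error":
                raise SignaturePresent("signed message, no key to verify with")
            continue                        # skipped, NOT verified
        if tag == TAG_LITERAL:              # format, name length, name, date
            data = body[2 + body[1] + 4:]
    return data

# Constructed samples: one-pass sig, literal "hello", dummy signature body.
SIGNED = (bytes([0xC4, 13]) + bytes(13) + bytes([0xCB, 11]) + b"b\x00"
          + bytes(4) + b"hello" + bytes([0x88, 4]) + bytes(4))
UNSIGNED = bytes([0xCB, 11]) + b"b\x00" + bytes(4) + b"hello"
```

Under the "ignore" policy the caller gets the same bytes for SIGNED and UNSIGNED, so a successful decrypt says nothing about whether the signature was valid.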
