Security policy - Mailing list pgsql-hackers

From Bear Giles
Subject Security policy
Date
Msg-id 200205221739.LAA20705@eris.coyotesong.com
Whole thread Raw
List pgsql-hackers
It occurs to me that part of the problem with wasted and incomplete
efforts can be fixed with a clear security policy.  The part that
I'm interested in is provided below, in a very truncated form.


Secure Communications Channels
------------------------------

Secure communications channels can be provided with Kerberos, GSS-API,
and SSL, and Unix sockets for local communications.  The goals of the 
secure commuications channel are:

* Confidentiality
 Confidentiality means that the data is kept secret from all third parties.

- Perfect Forward Security (PFS)
 Perfect Forward Security is the logical endpoint of confidentiality. It is a form of confidentiality where the data
remainssecret even if the static private keys used by the server (and client) are exposed.
 

* Message Integrity
 Message integrity means that the message received is identical to the message sent.  It is not possible for third
partiesto add,  delete, or modify data midstream.
 

* Endpoint Authentication
 Endpoint Authentication means that the identity of the other party can be firmly established.

- Mutual Authentication
 Mutual Authentication is endpoint authentication by both parties.

- Strong Authentication
 Strong Authentication means that the party has authenticated themselves with at least two of the following: something
theyknow (e.g., password), something they have (e.g., private key, smart card), or something they are (e.g.,
biometrics).

A mechanism to map channel-level authentication (Kerberos principal
name, SSL distinguished name) to PostgreSQL userids is desirable,
but not required.

Initial support for all new protocols shall always include, at a 
minimum, all features present in the sample client and server provided
with the respective toolkit.  Any omissions must be clearly documented
and justified.

The development team shall maintain a matrix cross-referencing each
protocol and the goals satisfied.  Any omissions from normal practice
for each protocol shall be clearly documented and provided to users.
                       | L-SSL | L-KRB | SSL | GSS-API | SASL | Unix
------------------------+-------+-------+-----+---------+------+------
Confidentiality         |   Y   |   N   |  Y  |    Y    |   Y  |   Y  
PFS                     |   N   |   N   |  Y  |    ?    |   ?  |   Y  
Message Integrity       |   N   |   N   |  Y  |    Y    |   Y  |   Y  
Authentication (server) |  N(1) |  ?(2) |  Y  |    Y    |   Y  |   Y  
Authentication (mutual) |   N   |  ?(2) |  Y  |    Y    |   Y  |   Y  
------------------------+-------+-------+-----+---------+------+------
 L-SSL   legacy SSL L-KRB   legacy Kerberos 4 & 5 SSL     current SSL patches GSS-API GSS-API (Kerberos 5
reimplementation)SASL    SASL with appropriate plug-ins Unix    Unix sockets
 

(1) a server certificate is required, but it is not verified by the
client.

(2) PostgreSQL provides some level of authentication via Kerberos 4 and
Kerberos 5, but it may not have been properly implemented.


As I mentioned in an earlier post on -patches, I'm not sure that the
current Kerberos implementation is what people think it is.  I may
develop a GSS-API patch for evaluation purposes, but it will almost
certainly require a different port.

Bear


pgsql-hackers by date:

Previous
From: Ulrich Drepper
Date:
Subject: Re: Redhat 7.3 time manipulation bug
Next
From: Ulrich Drepper
Date:
Subject: Re: Redhat 7.3 time manipulation bug