From cb44eced673efee087d6b709f63718533559da6a Mon Sep 17 00:00:00 2001 From: Loup Vaillant Date: Thu, 21 Dec 2017 18:16:46 +0100 Subject: [PATCH] Manual: warning about incremental signature verification Just so users don't mistakenly trust messages before the verification is finished. Related to #58 --- .../man3/crypto_sign_init_first_pass.3monocypher | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/doc/man/man3/crypto_sign_init_first_pass.3monocypher b/doc/man/man3/crypto_sign_init_first_pass.3monocypher index 640054f..6c62cd7 100644 --- a/doc/man/man3/crypto_sign_init_first_pass.3monocypher +++ b/doc/man/man3/crypto_sign_init_first_pass.3monocypher @@ -164,8 +164,17 @@ These functions implement EdDSA with Curve25519 and Blake2b. This is the same as Ed25519, with Blake2b instead of SHA-512. Ed25519 is described in RFC 7748. .Sh SECURITY CONSIDERATIONS -The same as documented on -.Xr crypto_sign 3monocypher . +In addition to those documented on +.Xr crypto_sign 3monocypher , +incremental signature verification encourages the user to start +processing the message before verification is done. +Messages may be stored before they are verified, but they cannot be +.Em trusted . +Processing untrusted messages increases the attack surface of the +system. +Doing so securely is hard. +Do not process messages before calling +.Fn crypto_check_final . .Sh IMPLEMENTATION DETAILS EdDSA signatures require two passes that cannot be performed in parallel. -- 2.47.3
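Review bot: the final sentence of the new SECURITY CONSIDERATIONS text, "Do not process messages before calling .Fn crypto_check_final .", can be read as if merely invoking the function were enough; the trust decision depends on what the call reports, so the wording should tie processing to a successful verification result, for example "Do not process messages until .Fn crypto_check_final has confirmed that the signature is valid." It would also help the reader if the paragraph said what to do with a message that was stored during the second pass when verification fails (discard it), since the hunk only states that stored messages "cannot be trusted". Otherwise the mdoc markup in the hunk (the .Xr cross-reference with its trailing comma, the .Em span, the .Fn reference) follows the conventions already used elsewhere in this page.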