On Tue, Apr 09, 2002 at 09:07:25AM -0500, firstname.lastname@example.org wrote:
> Kevin Pilch-Bisson <email@example.com> writes:
> > > + Given that SSL without certs earns us a CVS-matching encryption level,
> > > + assigning this a post-1.0 milestone.
> > >
> > This cert handling is required to use SSL properly. We need to be able to
> > verify that the server cert is valid. For example warn about self-signed
> > server certs, etc.
> > Without this cert handling, SSL buys us no security whatsoever (well
> > not much at least).
> So what should the milestone be, 'alpha' (my remarks in the issue were
> based *entirely* on comments already in the issue) ?
Sorry, I should have read the whole issue. I would say that only a small part
of the stuff mentioned in the issue needs to be done for alpha. Namely
caching the server certs or their fingerprints so that we can detect
man-in-the-middle attacks. That's about the only thing we're missing compared
to CVS with an SSH tunnel.
Kevin Pilch-Bisson http://www.pilch-bisson.net
"Historically speaking, the presences of wheels in Unix
has never precluded their reinvention." - Larry Wall
Received on Tue Apr 9 17:09:27 2002
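
The fingerprint caching discussed in the message above, as an added example that is not part of the original thread and is not Subversion's code: a trust-on-first-use cache that records a server certificate's fingerprint per host and reports a mismatch on later connections, much like SSH's known_hosts. The class name, JSON file layout, SHA-256 choice and sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate (hash choice is an assumption)."""
    return hashlib.sha256(der_cert).hexdigest()


class FingerprintCache:
    """Hypothetical per-user cache mapping "host:port" to a pinned fingerprint."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, host, port, der_cert):
        """Return 'unknown' (never seen), 'match', or 'mismatch' (possible MITM)."""
        known = self.pins.get(f"{host}:{port}")
        if known is None:
            return "unknown"
        return "match" if hmac.compare_digest(known, fingerprint(der_cert)) else "mismatch"

    def trust(self, host, port, der_cert):
        """Pin the certificate after the user has accepted it; write atomically."""
        self.pins[f"{host}:{port}"] = fingerprint(der_cert)
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.pins, f)
        os.replace(tmp, self.path)


def demo():
    # Constructed stand-ins for DER certificates; in a live client these bytes
    # would come from e.g. ssl.SSLSocket.getpeercert(binary_form=True).
    first_cert, other_cert = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server-pins.json")
        cache = FingerprintCache(path)
        first = cache.check("svn.example.org", 443, first_cert)   # first contact
        cache.trust("svn.example.org", 443, first_cert)
        later = FingerprintCache(path)                            # a later session
        same = later.check("svn.example.org", 443, first_cert)
        changed = later.check("svn.example.org", 443, other_cert)
        return first, same, changed


if __name__ == "__main__":
    print(demo())
```

A client would prompt the user on "unknown" and refuse or warn loudly on "mismatch", never re-pinning silently.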