[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [Issue 650] Changed - certificate handling

From: Kevin Pilch-Bisson <kevin_at_pilch-bisson.net>
Date: 2002-04-09 17:22:23 CEST

On Tue, Apr 09, 2002 at 11:20:57AM -0400, Greg Hudson wrote:
> On Tue, 2002-04-09 at 11:04, Kevin Pilch-Bisson wrote:
> > Sorry, I should have read the whole issue. I would say that only a small part
> > of the stuff mentioned in the issue needs to be done for alpha. Namely
> > caching the server certs or there fingerprints so that we can detect
> > man-in-the-middle attacks.
>
> Eh? This is not ssh. Either a certificate is signed by a chain leading
> to a trusted CA or it's not.

Right. This isn't implemented yet though, and needs to be.
>
> I suppose you could cache self-signed certificates so that you'd know if
> you're getting the same one each time, but certificates do expire, so
> that's not especially valuble.
>
This is what I was thinking of. How quickly do the certs expire? My idea was
to do something like:

"Warning self-signed certificate from host foo with fingerprint bar. Continue
connecting?"

Then cache the result of that, so that the warning only shows up the first
time.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Pilch-Bisson                    http://www.pilch-bisson.net
     "Historically speaking, the presences of wheels in Unix
     has never precluded their reinvention." - Larry Wall
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • application/pgp-signature attachment: stored
Received on Tue Apr 9 17:27:12 2002

This is an archived mail posted to the Subversion Dev mailing list.