[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Cache ssl client certificate passphrases

From: Senthil Kumaran S <senthil_at_collab.net>
Date: Mon, 12 May 2008 11:29:32 +0530

Mark Phippard wrote:
> On Fri, May 9, 2008 at 8:29 PM, Branko ╚ibej <brane_at_xbc.nu> wrote:
>> Mark Phippard wrote:
>>> Why would you object to
>>> moving this into our password storage area, which on Windows and OSX
>>> is very secure?
>> Tut, tut. Read the patch again. It doesn't try to integrate with the
>> Keychain/CryptAPI stores -- likely because they're too specific to the
>> password rather than passphrase workflow.
>
> Thank you! Finally, someone has identified the disconnect here. I
> agree if it is storing plain text passphrase this has a lot less
> value. When I asked Senthil to work on this patch, the whole point
> was to leverage this encryption. So it sounds like we need to go back
> and look at this more. That must have also been the API suggestion
> you made in your initial comment.

Yes this patch does not use the crypto facilities available right now, which I
have mentioned in my original patch email. But the plan is to get the
passphrase into the auth area first, then we can make the providers of this
passphrase to use the wincrypt, keychain, etc., available. But coming up with a
crypto provider as Branko suggested would make life easy when we have some
other auth mechanism in future to store or cache passwords/passphrases.

> Before we do that, it would be good to get acknowledgment from Joe and
> anyone else that was against this patch to see if they would be in
> favor of it if it was using our crypto facilities to store the
> passphrase.

Yes, would like to hear from other developers, before we proceed. As Mark has
said currently we allow to specify the passphrase in plaintext in servers file
(which is bad), to start simple it could be moved to auth area.

Thank You.

-- 
Senthil Kumaran S
http://www.stylesen.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-05-12 08:00:20 CEST

This is an archived mail posted to the Subversion Dev mailing list.