
Re: Subversion security design

From: Jonathan S. Shapiro <shap_at_eros-os.org>
Date: 2000-06-26 12:55:42 CEST

> ...we're
> deliberately *not* discussing any particular authentication or
> authorization mechanism.

> Authentication and
> encryption? Those issues are the network layer's business; after
> authenticating (possibly over a secure channel), it simply needs to
> pass the server library a filled-in `svn_user_t' structure.
> Authorization? That's a server-side plugin. Folks can implement any
> ACL system they wish, provided they conform to our interface.

I've been thinking about this assertion, and I've concluded that I disagree.

For link-layer protection, link-layer encryption is fine. SSL is a perfectly
reasonable way to stop people from snooping your connection so long as the
cert is properly installed.

For the authentication and authorization, though, I don't think it's so
simple. True enough, many people will be content with a PAM-style plugin
(speaking of which, are you considering using PAM?).

The problem comes in distribution and replication. If my site mirrors your
site, then it probably ought to mirror your access policies for your
content. This creates a challenge, which is that there is no longer a common
administrative domain for assigning user identities. For this reason, the
notional DCMS mechanism is public key cryptography. I'm not sure if that
will work either, but I'm absolutely certain that nothing based on a
uid-like structure will distribute.

shap
Received on Sat Oct 21 14:36:05 2006

This is an archived mail posted to the Subversion Dev mailing list.
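
Added example, not part of the original mail or of Subversion's code: a small Python model of the replication problem the message raises, where an access policy copied unchanged to a mirror names the wrong principal when it is keyed by a local uid, but the same principal when it is keyed by a public-key fingerprint. The site names, accounts, uids and key bytes are constructed, and proof of possession of the private key (a signature check) is assumed to have happened before the lookup.

```python
import hashlib

def fingerprint(pubkey: bytes) -> str:
    """Site-independent principal name: SHA-256 of the public key bytes."""
    return hashlib.sha256(pubkey).hexdigest()

class Site:
    """One administrative domain with its own account table (hypothetical model)."""
    def __init__(self, name, accounts):
        self.name = name
        self.accounts = accounts  # login -> (local uid, public key bytes)

    def allowed_by_uid(self, acl, login, path):
        uid, _ = self.accounts[login]
        return uid in acl.get(path, set())

    def allowed_by_key(self, acl, login, path):
        # Assumption: the caller already proved possession of the private key.
        _, pubkey = self.accounts[login]
        return fingerprint(pubkey) in acl.get(path, set())

# Constructed sample data: placeholder byte strings stand in for real public keys.
ALICE_KEY, BOB_KEY, CAROL_KEY = b"alice-public-key", b"bob-public-key", b"carol-public-key"

origin = Site("origin", {"alice": (1001, ALICE_KEY), "bob": (1002, BOB_KEY)})
# The mirror assigns uids independently: 1001 belongs to an unrelated user there.
mirror = Site("mirror", {"carol": (1001, CAROL_KEY), "alice": (1007, ALICE_KEY)})

# Policy written at the origin: only alice may commit to /trunk.
uid_acl = {"/trunk": {1001}}
key_acl = {"/trunk": {fingerprint(ALICE_KEY)}}

def evaluate(site, acl_kind):
    """Return {login: allowed} for /trunk when the origin's ACL is applied unchanged."""
    check = site.allowed_by_uid if acl_kind == "uid" else site.allowed_by_key
    acl = uid_acl if acl_kind == "uid" else key_acl
    return {login: check(acl, login, "/trunk") for login in sorted(site.accounts)}

if __name__ == "__main__":
    for site in (origin, mirror):
        for kind in ("uid", "key"):
            print(site.name, kind, evaluate(site, kind))
```

On the mirror, the uid-keyed policy grants /trunk to carol and denies alice, while the fingerprint-keyed policy resolves to alice on both sites.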