Re: Client certificates.

Pardon me for chiming in here, but I've been working on an SSL sleeve
for CVS for a while at Collab. So, while I'm coming up to speed on
subversion, this seems like a good point for me to jump into the discussion.

Daniel Berlin wrote:

>
> Which certs should be used.
> What CA's to trust is a seperate feature request (IE something else's
> job).
> :)
> We already have a callback, but we just say we trust everything.

If you're talking about supporting certificates and you take
certificates seriously, it is not "something else's job" to trust CA
certs. The problem here is the same as in web browsers -- you don't want
to force users to make a fundamental decision about trust, because they
will very likely get it wrong.

What I think this means in a practical sense is that it ought to be easy
for others (release engineers at companies using X.509 infrastructure,
for example) to rebuild svn installers on each platform with the CA
cert(s) they want to trust.

If there's a place where I can jump in and help with this, let me know.

--mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Aug 1 20:36:30 2002