[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

svn-auth + md5 + PKI / GPG

From: Jani Averbach <jaa_at_cc.jyu.fi>
Date: 2003-01-15 03:17:10 CET

On Tue, 14 Jan 2003 rbb@rkbloom.net wrote:

Point #1)

> On Tue, 14 Jan 2003, Sander Striker wrote:
>
> > You're missing the point. Use svn-agent for all auth info, regardless
> > whether you are doing basic auth or you need a pass for your cert.
>
> Ahhhhh..... The light shines. Yes, you are right, I did miss the point.
>
...
> Okay, you two convinced me 110%. I will create an ssh-agent-like
> application for svn.

Point #2)

On Tue, 14 Jan 2003, Zack Weinberg wrote:

> That depends on the situation. If someone steals my login password
> they can read my email, which is mostly publicly archived mailing
> lists so big deal, and they can delete my files, which would only be
> an inconvenience; I have backups. If someone steals my SSH passphrase
> they could trash sources.redhat.com, which is also backed up but would
> inconvenience hundreds of people all over the world instead of just
> me; or they could inject malicious code into one of the repositories
> there, which would be a major catastrophe.
>
> No prize for guessing which of these is more closely held.
>

I have wondering some thing since Karl start his md5 (#689) work for
subversion.

How about if we have PKI-signed commit feature in svn?

It would work some way like that:

We have a group developers who have their PKI-keys (pub,sec), and every
commits are signed with these keys. Now read-only user (like me, sorry),
will need pub-keys of those developers. I think that is not big issue, for
examble I already has few of yours key (from apache project and so on).

With this arrangement authenticity of repository will be known at any
given moment. And every checkout will be checked against those keys. (This
is of course optional.)

I know that this don't bring any real extra security vs. good handling of
repo's password + SSL / SSH + commit reviews, but this is additional
layer, and will protect in case that first one will break. And I could
have authentic wc even when I don't use ssl / ssh. Also this will remove
load from server to client.

Before point 1) I thought that this is not practical, but now if we will
have svn-agent and repo's md5 sums, I think that this could work.

Secondly, for Point 2), if your keys are in smart card, and your sc reader
will be with keypad, then this is more secure than just plain SSH. It will
be much more harder circumvent, even in case of compromise root. (There
are attacks against that system, but they are 'one time window' and
attacker don't gain access to your PKI-keys.)

I don't know how valuable this kind system is in reality. But I have
feeling that this would be really nice to have in some cases.

Just thoughs, but what do you think?

BR, Jani

--
Jani Averbach
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Jan 15 03:18:15 2003

This is an archived mail posted to the Subversion Dev mailing list.