
Re: svn-auth + md5 + PKI / GPG

From: Zack Weinberg <zack_at_codesourcery.com>
Date: 2003-01-15 04:44:17 CET

Jani Averbach <jaa@cc.jyu.fi> writes:

> How about if we have a PKI-signed commit feature in svn?
>
> It would work something like this:
>
> We have a group of developers who have their PKI keys (pub, sec), and every
> commit is signed with these keys. Now a read-only user (like me, sorry)
> will need the pub keys of those developers. I think that is not a big issue; for
> example, I already have a few of your keys (from the Apache project and so on).
>
> With this arrangement the authenticity of the repository will be known at any
> given moment. And every checkout will be checked against those keys. (This
> is of course optional.)

This is an interesting idea; I would encourage you to read the OpenCM
papers, downloadable from http://www.opencm.org/docs.html, which
discuss at some length a version-control system built around
cryptographic names for everything.

I wanted to make the somewhat weaker point that a version-control
system can be security-critical infrastructure, which I suspect
everyone involved in this discussion does know, but it hasn't been
stated explicitly so far.

zw

Received on Wed Jan 15 04:45:06 2003

This is an archived mail posted to the Subversion Dev mailing list.