[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: client ssl certificate authentication

From: Karl Fogel <kfogel_at_newton.ch.collab.net>
Date: 2003-02-10 20:04:09 CET

Just FYI, David,

I'll bet that Ben Collins-Sussman, Greg Stein, and possibly Mike
Pilato will want to read over this proposal, but they've been out at a
retreat on the West Coast all weekend :-). They should be back online
on Tuesday, though of course they'll have a lot of accumulated email
to wade through at that time. So give them a couple of days, if you
can wait.

The overall plan looks good to me. Regarding this paragraph:

> Does this seem alright with people? Does it seem correct to have
> ~/.subversion/servers point to the location of the needed key files?
> Where (and should) the passphrase be stored?

Are these key files shared by other applications, or are they specific
to Subversion, or does that depend on the circumstances? When
specific to Subversion, then ~/.subversion/auth/ seems like the way to
go (can we do an equivalent in the Windows Registry, or does Windows
have another way of dealing with keys?).

-Karl

David Waite <mass@akuma.org> writes:
> So its about time to start on the client SSL certificate
> authentication. Before I start writing authentication providers, I
> wanted to make sure I ran my proposal by the group:
>
> The SSL client certificate support provided by Neon consists of two
> functions and two separate registered callbacks.
>
> The first registered callback allows you to get called when ssl client
> authentication has been requested from the server. I figure this would
> be the start of the authentication phase.
>
> Once you receive this callback, you can call one of two methods; one
> loads either a single .pem file or a set of .pem files, depending on
> whether the public and private keys are separate. A separate method
> allows you to load a single pkcs12 file.
>
> The second registered callback will request the passphrase of the
> private key (only if needed - the private key may not be encrypted
> locally)
>
> So to get to the point - the multiple files and formats situation
> seems too complex to expose via a prompting interface - I am thinking
> that the authentication provider for this information needs to just
> read the key-loading instructions from a configuration file. The
> passphrase will use two authentication mechanisms for 'svn:password';
> a storage mechanism and a prompting mechanism.
>
> Does this seem alright with people? Does it seem correct to have
> ~/.subversion/servers point to the location of the needed key files?
> Where (and should) the passphrase be stored?
>
> -David Waite

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Feb 10 20:35:38 2003

This is an archived mail posted to the Subversion Dev mailing list.