[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Plans to add signing ?

From: Tom Lord <lord_at_emf.net>
Date: 2003-12-11 19:29:08 CET

> From: solo turn <soloturn99@yahoo.com>

> i always assumed adding "signing" is basically a non-issue as
> subversions design allows to just add it with little effort?

    [...]

> if i'm not wrong this allows:
> - signing of single files
> - therefor mixed revision working copies
> - prevents serverside tampering
> - verifying the signature at any time,
> given that you somehow are able to
> access the (committers) public key.

Do I understand correctly that you are suggesting just attributing
every revision of every file with a signature?

Logically, that works just fine. Pragmatically, I think it creates a
difficulty or two.

The topic has come up lately because various project hosts have been
cracked and that raises the question of the integrity of the source
bases that they host.

I think that in the long run the fix people are moving towards will
involve:

        a) making sure (to the limits of key mgt.) that all new
           entries to the source base come from authorized
           contributors

        b) making sure that no old entries have been modified
           (even by an authorized contributor).

with both (a) and (b) happening both on an ongoing basis in the
background, and on an expedited basis after a known compromise.

That's fine and signing individual files can accompilsh that in
theory. But in practice -- that's an aweful lot of files and an
aweful lot of data to keep off-line.

To validate the project host after a known compromise, for example,
one would have to read every revision of every file of every project
-- verifying both that the signature of that revision has not changed
and that the file contents still match the signature. At the very
least, it's going to take a lot of work to optimize such a process.

It doesn't work just to let clients do all the verification on
check-out: that would mean distributing to clients _both_ all of the
necessary public keys _and_ a trusted historic record of what the
particular signature is supposed to be.

-t

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Dec 11 19:08:50 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.