
Re: RFA: Encrypting auth info

From: Greg Stein <gstein_at_lyra.org>
Date: 2005-02-16 23:52:28 CET

On Wed, Feb 16, 2005 at 05:00:27PM +0100, Branko Čibej wrote:
> Justin Erenkrantz wrote:
>...
> >And, there is the fundamental problem: we have no way of guaranteeing
> >cross-platform strong encryption. If Win32 can do this, then just add
> >a Win32-only provider. Yet, one API that has strong encryption on
> >Win32, but ROT-13 on Unix is incredibly dangerous.
>
> Why? I know I said "encrypt the password", but what I really mean is
> "handle sensitive data",

This seems to be a bit counter to your "don't want a crypto API" comment.

Note that the "secure" place in Unix could be an environment variable. It
could even be like ssh-agent and have an env variable describe how to ask
the agent process for the information.

But as pointed out, the auth framework was designed specifically to enable
these kinds of variances. And I would *much* rather see a custom Windows
auth provider than some sort of pseudo-optional-thingy in the config apis.

And yes, I saw the note that you're going with the custom provider. Cool!

Frankly, I'd rather see Neon grow an understanding of how to send an HTML
challenge/response. Then SVN could simply use Windows' single sign-on,
assuming that Apache was also configured with mod_ntlm or somesuch.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
Received on Thu Feb 17 00:00:46 2005

This is an archived mail posted to the Subversion Dev mailing list.
