[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: ssl-trust-default-ca

From: Branko Čibej <brane_at_xbc.nu>
Date: 2005-07-16 01:06:14 CEST

Ben Collins-Sussman wrote:

> In ~/.subversion/servers, there's a variable called 'ssl-trust-
> default-ca' which defaults to "false".
>
> If set to "true", then it tells neon to automatically trust the list
> of "default" Certifying Authorities that normally ships with
> openssl. (Verisign, Thawte, RSA, etc.)
>
> The thing is, the fact that this variable is set to 'false' by
> default is sort of annoying. To trust really, really common CA's,
> the user must go set this runtime variable... otherwise he's stuck
> answering questions about every new certificate that comes along.
> ("Yes, trust this cert, yes, this one too...")
>
> Web browsers don't act like this; they trust openssl's 'big-name'
> list automatically.
>
> I asked David Waite why Subversion doesn't also trust the big-name
> servers by default as well, and he couldn't remember a good reason.
> Does anyone else?

I'll bet the reason was that we should default to "paranoid" where
security issues are concerned. For example, you might not know how your
OpenSSL installation has been tweaked.

-- Brane

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Jul 16 01:08:25 2005

This is an archived mail posted to the Subversion Dev mailing list.