[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Feature Request: Changeset Signing

From: Phillip Susi <psusi_at_cfl.rr.com>
Date: 2005-08-29 17:31:52 CEST

Nice writeup. I'd like to add a few comments though.

> If changeset signing is enabled, the client sends a signed hash of the
> changes to the server as part of the commit. This signature is stored
> in a new revprop, svn:signature.
>
> Implementation:
>
> Modify the commit editor to calculate a hash of the committables
> during generation of the commit report. The input data for the hash
> could be an incremental dump of the pending commit (without revision
> and date info), generated on the fly.
>
> As the last act of the commit, the client would add a digital
> signature of this hash as the svn:signature revprop.

This is pretty much as I envisioned it, except that in addition, there
should be a svn:certificate property to store the user's certificate
that is used to generate the signature.

> - The server needs a list of commit author certificates. Ideally
> this list would be the same as the one used for client
> authentication, although cert-based authentication shouldn't be
> required for changeset signing to work.

The server does not keep a list of commit author certificates. One of
the advantages of using digital certificates is that the server does not
have to know you before you can authenticate with it. It only has to
know the trusted third party certificate authority which signed your
certificate.

> - The server must maintain a list of expired and revoked client
> certificates. While these are no longer valid for new commits,
> they may be needed for verifying signatures on historical
> revisions.

This would be done with the svn:certificate revprop stored in each commit.

> The client verifies the changeset signature during update.

I'm not sure that you'd want the client to verify changesets on each
update. I see the signing process as something that you would verify
during an audit, not on a daily basis. As such a new command could
probably be added for this purpose, probably to svnadmin.

kfogel@collab.net wrote:
>>
>>Ah! The changeset-signing design exsists in several developers' heads. :)
>>
>>Well, I wrote up what I can remember of our discussions about this; see
>>
>> http://svn.collab.net/repos/svn/trunk/notes/changeset-signing.txt
>
>
> Heh. Now I'm embarrassed for my earlier mail. Branko, it might help
> to know that I set my mailreader to do duplicate message folding, so I
> didn't see the above when reading users@, where I was responding from
> when I wrote:
>
>
>>I don't know what plans Branko was referring to (in the mail from him,
>>quoted below). He may have been following some threads that I wasn't,
>>or something. Branko?
>
>
> Thanks for [having done] the writeup.
>
> -K
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Aug 29 17:35:29 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.