[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: the report from PyCon

From: <kfogel_at_collab.net>
Date: 2006-03-02 18:26:44 CET

Greg Hudson <ghudson@MIT.EDU> writes:
> On Mon, 2006-02-27 at 19:37 -0600, Ben Collins-Sussman wrote:
> > * He heavily
> > recommends we take a look at it, that it's much better than
> > svnserve's CRAM-MD5.
>
> The cram-md5 code is there because it's (1) implementable in a very
> small amount of code, and (2) a defined SASL mechanism. I have no
> illusions that it has good authentication properties, except that an
> attacker listening to the network would have a very difficult time
> recovering the password.
>
> I don't want to see us adding more original authentication code to
> svnserve, particularly if it's not a defined SASL mechanism. Instead, I
> want someone to write code to link ra_svn and svnserve against a SASL
> library which will do all this work for us. We know there are some
> issues there, and it's not an easy bit of glue to write, but more
> homegrown crypto does not seem like the answer.

Agreed.

(Also think CRAM-MD5 is not so bad, because it's simple to understand
and its end-point weaknesses are easy to explain.)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Mar 2 20:13:05 2006

This is an archived mail posted to the Subversion Dev mailing list.