Re: [PATCH] Obfuscate auth info

From: Alex Holst <a_at_mongers.org>
Date: 2006-10-18 20:46:12 CEST

Quoting Malcolm Rowe (malcolm-svn-dev@farside.org.uk):
[snip stuff about CryptoAPI and OSX keychain]
> Yes, we absolutely do not want to mislead people about what we're doing,
> but that's what the large warning in the auth file is for. Is that not
> good enough?

From what I know of users and their ability to read and make security
decisions: Absolutely not.

Official Windows recovery methods (booting from cd/floppy) prompted the
user for the administrator password, which was stored on the NTFS
filesystem. If you did not enter the correct password, you were not
given access to the recovery console.

Then, when someone created a Linux system capable of reading/writing
NTFS without being prompted for the administrator password, thousands
of users and administrators were *shocked*.

When Microsoft started doing threat modelling for XP, service pack 2 and
Vista, it proved to be a bad idea to mitigate a threat by asking the
user what to do.

I am willing to bet large amounts of chocolate that many users and
administrators will consider it "safe", while they might have picked ssh
keys or certs if they understood the password is really stored in plain
text.

I beg of you: Please don't introduce this obfuscation to auth data in
Subversion.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                http://a.mongers.org 
Received on Wed Oct 18 20:46:33 2006

This is an archived mail posted to the Subversion Dev mailing list.