On Thu, May 08, 2008 at 02:06:48PM +0530, Senthil Kumaran S wrote:
> I am attaching a patch along with this email which adds support for caching
> ssl client certificate passphrases in the subverison config auth area (just
> like how we cache our passwords).
>
> Already there is an option (ssl-client-cert-password) to specify the
> passphrase in the servers file (which could be deprecated with this). But
> yet it will be better if we can cache this passphrase instead of specifying
> it in the servers file, which will help us in extending this to use the
> features of wincrypt, keyring, etc in future.
I think this is a bad idea. The only reason to store a client cert in
encrypted form is to prevent anybody who can get a filesystem
dump/backup from using it. If you want to store the passphrase on disk,
it's implicit that you don't care about that threat model - so just
store the client cert on disk in unencrypted form, and you'll never have
to enter a passphrase. (Yes, I think ssl-client-cert-password is a bad
idea too, FWIW)
joe
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-05-08 15:57:47 CEST