
Re: Changeset Signing

From: Martin Furter <mfurter_at_bluewin.ch>
Date: Fri, 12 Jun 2015 09:10:44 +0530

On 06/12/15 07:55, Ruchir Arya wrote:
> Hi Brane, I didn't get you. How can the server admin modify the content
> if contents are signed? Let me give a scenario, suppose we implement
> Public Key Infrastructure in SVN, where each client generates its
> private key and public key and registers this public key with the server
> so that anyone can access the public key to verify the contents.
>
> Suppose algorithm works in this way.
>
> 1. Client computes hash of (contents concatenated with some revision
> properties), then signs this hash with its private key and sends this
> signed hash with the contents and revision properties.
> 2. So, now if server modifies any content, server doesn't know the private
> key of client, so server can't generate valid signed hash.
> 3. Hence I agree, server can put some garbage data. But server won't
> be able to do false accusation on some other clients. (Like in current
> SVN, server can change the name of client in log files, and it can
> accuse some other client for that particular commit.)
> 4. But after implementing PKI, server can't accuse another client. It just
> can corrupt data, which can be determined too at the time of
> verification of signed hash using public key.

On the server you could create a new key and sign the modified revision
with this key. Then the verification won't fail. Keys could be signed to
prevent this.

The next question is: What can you do when you find out that somebody
changed a revision? The data may be lost forever. Except if you have a
copy of the whole repository.

- Martin
Received on 2015-06-12 05:41:21 CEST

This is an archived mail posted to the Subversion Dev mailing list.
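
The point made in the reply, as an added example that is not part of the original mail or of Subversion: a check against the key the server has on file accepts a revision re-signed under a replacement key, while a check that also requires the key to be signed by an authority outside the server rejects it. Lamport one-time signatures built from SHA-256 stand in for the signature scheme so the block needs only the standard library; all names (`verify_registered`, `verify_certified`, `binding`, the author "alice") and the sample revision are constructed for illustration.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: 256 pairs of secrets; public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]
def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def revision_bytes(author, log, contents):
    # Contents plus revision properties, length-prefixed so field boundaries are unambiguous.
    return b"".join(len(p).to_bytes(8, "big") + p for p in (author.encode(), log.encode(), contents))

def binding(author, pk):
    # What the authority signs: the author name bound to that author's public key.
    return author.encode() + b"\0" + b"".join(a + b for a, b in pk)

def verify_registered(server_keys, rev, sig):
    # Trusts whatever key the server has on file for the author.
    return verify(server_keys[rev[0]], revision_bytes(*rev), sig)

def verify_certified(ca_pk, pk, cert, rev, sig):
    # Also requires a signature over (author, key) by an authority whose key is not on the server.
    return verify(ca_pk, binding(rev[0], pk), cert) and verify(pk, revision_bytes(*rev), sig)

def demo():
    (ca_sk, ca_pk), (alice_sk, alice_pk) = keygen(), keygen()
    cert = sign(ca_sk, binding("alice", alice_pk))  # each one-time key signs once
    rev = ("alice", "fix parser", b"original contents")
    sig = sign(alice_sk, revision_bytes(*rev))
    # Scenario from the reply: revision changed on the server and re-signed with a new key.
    new_sk, new_pk = keygen()
    new_rev = ("alice", "fix parser", b"modified contents")
    new_sig = sign(new_sk, revision_bytes(*new_rev))
    server_keys = {"alice": new_pk}
    return (verify_registered(server_keys, new_rev, new_sig),
            verify_certified(ca_pk, alice_pk, cert, rev, sig),
            verify_certified(ca_pk, new_pk, cert, new_rev, new_sig))

if __name__ == "__main__":
    print(demo())
```

The tuple returned by `demo()` is, in order: the on-file check for the changed revision, the certified check for the original revision, and the certified check for the changed revision.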