Olivier Mascia wrote:
> I've read the thread you referred to. I see. :(
> They seem to find it hard to recognize a plain error when they have one under their eyes.
Uh. Please be careful with your words. If you'll call this an error
when you report it on the subversion dev list, you will just anger the
devs there and it will make it much harder to convince them to change it.
> No matter what counter argument they can find, storing plain-text, with
> or without filesystem security is a design error. I will try to write a
> clear paper about this and how it could be designed for better security
> and then I'll post to adequate subversion list. I'll try to write a
> patched version to demo how it could be done.
If you do, you have to make sure it works on all platforms which
Subversion runs on. They won't accept any changes which are specific to
an OS.
> Let me resume my points here, so that others TortoiseSVN can share ideas
> and points of view before I report to Subversion and try to make things
> move in the right way.
>
> My points are:
>
> 1) Storing the authentication details is useful. Especially when the
> client has to connect to multiple hosts with possibly different
> authentication mechanisms and different login/passwords.
Right. That's why Subversion stores the auth data in the first place ;)
> 2) Storing clear-text is stupid. I know I will have to write this with
> other words not to be rude, but that is a stupid security mistake. No
> file system security can solve this, except using an encrypted
> file-system (which will require the user to type a single master
> password from time to time). And that is exactly what I suggest SVN
> should have.
A "master" password isn't good either. I mean, where would you store that?
> 3) Any decent security mechanism *will* require the user to type a
> password (when some authentication is required) for the purpose of
> decrypting the store which contains the real authentication details
> (login / password and the like). That is, there is *no* secure way of
> storing auth details without having to ask sometimes for a password
> which can't be saved. But typing a single password sometimes (it can be
> cached for limited time in memory) is *much* easier than having to type
> full auth details each time (if not stored) or storing them in
> clear-text.
If that auth data is ever going to be encrypted, then I suggest using
the built-in mechanisms of the underlying OS. I don't know if Linux has
something like that, but on Windows there's a protected storage where
all data is automatically encrypted and only readable by the logged on
user. See the DPAPI for details.
Hmmm - now that I think about it, there might be a chance that TSVN
could implement its own authentication store. But this will take a lot
of time (if ever possible) since I first have to dig through the
subversion source code...
Stefan
Received on Fri Jul 16 19:51:07 2004
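
The DPAPI approach mentioned in the message above, sketched as a per-user credential cache. This is an added example, not code from the thread, from Subversion or from TortoiseSVN. It assumes Windows PowerShell 5.1; the store path, the realm string, the sample password and the function names are hypothetical.

```powershell
# Added example: credential cache encrypted with Windows DPAPI (CurrentUser scope).
# Store path, realm string and function names are hypothetical, not Subversion's.
Add-Type -AssemblyName System.Security

$StorePath = Join-Path $env:TEMP 'demo-auth-cache'   # hypothetical location

function Get-RealmFile([string]$Realm) {
    # Name the file after a hash of the realm so any realm string maps to a valid path.
    $sha = [Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Realm))
    $sha.Dispose()
    Join-Path $StorePath (([BitConverter]::ToString($hash) -replace '-', '').ToLower() + '.bin')
}

function Save-CachedPassword([string]$Realm, [string]$Password) {
    New-Item -ItemType Directory -Force -Path $StorePath | Out-Null
    $plain = [Text.Encoding]::UTF8.GetBytes($Password)
    # The realm doubles as optional entropy: a blob moved to another realm's file will not decrypt.
    $entropy = [Text.Encoding]::UTF8.GetBytes($Realm)
    try {
        $blob = [Security.Cryptography.ProtectedData]::Protect(
            $plain, $entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
        [IO.File]::WriteAllBytes((Get-RealmFile $Realm), $blob)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # wipe the plaintext byte buffer
    }
}

function Get-CachedPassword([string]$Realm) {
    $file = Get-RealmFile $Realm
    if (-not (Test-Path $file)) { return $null }   # nothing cached: caller must prompt
    $entropy = [Text.Encoding]::UTF8.GetBytes($Realm)
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect(
            [IO.File]::ReadAllBytes($file), $entropy,
            [Security.Cryptography.DataProtectionScope]::CurrentUser)
    } catch {
        return $null   # decryption failed (different user or realm, or altered blob)
    }
    [Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample values
$realm = '<https://svn.example.org:443> Demo Repository'
Save-CachedPassword $realm 'correct horse battery staple'
Get-CachedPassword $realm
```

The file on disk holds only the DPAPI blob, so the store needs no separate master password: the key material is derived by the OS from the user's logon credentials.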