[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Credentials Caching - Security Guy Not Happy

From: Stefan <steveking_at_tigris.org>
Date: 2004-08-26 17:45:29 CEST

kfogel@collab.net wrote:
> Paul Ossenbruggen <paul.ossenbruggen@convoii.net> writes:
>
>>Request:
>>That in a new version, in the not too distant future, that the auth
>>directory is encrypted by svn. I mean, it really cool that, we have
>>all these SSL capabilities in svn and this would be the last chink in
>>the armor.
>
>
> Encrypt it according to what key? A key that the user would then have
> to type in in order to decrypt the data? How inconvenient... Let's
> cache the key...
>
> You see where this leads.

You could try what TortoiseSVN does in the 1.1.0 RC1 release. I know,
it's Windows only (and only for Win2k and later) and I also know that
Subversion devs don't like #ifdefs in their code, but it's a good
solution that's secure enough for most people:

We use the Windows crypto API for encrypting the auth data. Windows then
uses the user logon username/password for the encryption. So the
encrypt/decrypt keys are handled by windows itself, and are as secure as
Windows is.

http://svn.collab.net/repos/tortoisesvn/trunk/src/SVN/auth_providers.h
http://svn.collab.net/repos/tortoisesvn/trunk/src/SVN/auth_providers.cpp

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Aug 26 17:47:38 2004

This is an archived mail posted to the Subversion Users mailing list.