Nico Kadel-Garcia wrote:
> On Sun, Sep 6, 2009 at 12:19 PM, Les Mikesell <lesmikesell_at_gmail.com> wrote:
>> Nico Kadel-Garcia wrote:
>>>> * Have you ever tried to teach a newbie (possibly quite talented, but
>>> nevertheless a newbie) to configure customized Kerberos setups? I
>>> have. It wasn't pretty.
>> Are there similar issues using https and a client certificate requirement?
>
> The last time I tried that sort of thing, there was effort, but it
> wasn't as bad. Organizing the server side to manage the certificates
> and synchronize access for each client to the same repository but with
> a different key was...... fascinating. I basically wrote a little
> script to survey the key list and generate alias configurations for
> each user with a different URL to the same material. Workable, but it
> wouldn't necessarily scale well.
Can't you configure Apache to trust a certificate authority, not individual
certificates, and then use something like TinyCA to generate (and revoke if
necessary) the certificates? You still need passwords, but they are
ssl-encrypted on the wire and you can't get in without both the password and
certificate.
--
Les Mikesell
lesmikesell_at_gmail.com
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2391992
Received on 2009-09-07 18:03:00 CEST
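
The setup suggested in the message above (trust one CA, revoke through its CRL, and still require a password), sketched as an added example that is not part of the original thread or of any poster's configuration. The hostname, file paths and repository location are assumptions.

```apache
# Added example: mod_ssl + mod_dav_svn with CA-based client certificates.
# All names and paths below are placeholders chosen for illustration.
<VirtualHost *:443>
    ServerName svn.example.org

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/svn.example.org.crt
    SSLCertificateKeyFile /etc/httpd/ssl/svn.example.org.key

    # Trust the issuing CA (for instance one created with TinyCA) instead of
    # listing each user's certificate. Any unrevoked certificate signed by
    # this CA is accepted, so no per-user alias or URL is needed.
    SSLCACertificateFile  /etc/httpd/ssl/svn-ca.crt

    # Require a client certificate during the handshake. Depth 1 means the
    # client certificate must be signed directly by the CA above.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Revocation: CRL exported from the CA. Reload Apache after replacing it.
    SSLCARevocationFile   /etc/httpd/ssl/svn-ca.crl
    # Apache 2.4 only: CRL checking must be switched on explicitly.
    # On Apache 2.2, remove this line; the CRL file alone enables the check.
    SSLCARevocationCheck  chain

    <Location /svn>
        DAV svn
        SVNPath /var/svn/repo

        # Refuse any request that did not arrive over SSL/TLS.
        SSLRequireSSL

        # Second factor: the password, sent only inside the encrypted channel.
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /etc/httpd/svn.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```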