You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@subversion.apache.org by Branko Čibej <br...@xbc.nu> on 2005/08/28 13:05:16 UTC

Re: Feature Request: Changeset Signing

[Cc'inf dev@ with the design proposal]

Stefano Spinucci wrote:

>I searched through todo, open issues, notes etc, but I didn't find any
>document about signing commit.
>
>I'd like to read some development notes, if available, to see what
>choice are already made and what not (ie if you are going to use
>OpenPGP, or whatever else).
>  
>
Ah! The changeset-signing design exsists in several developers' heads. :)

Well, I wrote up what I can remember of our discussions about this; see

    http://svn.collab.net/repos/svn/trunk/notes/changeset-signing.txt


-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Feature Request: Changeset Signing

Posted by Phillip Susi <ps...@cfl.rr.com>.

Nice writeup.  I'd like to add a few comments though.

> If changeset signing is enabled, the client sends a signed hash of the
> changes to the server as part of the commit. This signature is stored
> in a new revprop, svn:signature.
> 
> Implementation:
> 
> Modify the commit editor to calculate a hash of the committables
> during generation of the commit report. The input data for the hash
> could be an incremental dump of the pending commit (without revision
> and date info), generated on the fly.
> 
> As the last act of the commit, the client would add a digital
> signature of this hash as the svn:signature revprop.

This is pretty much as I envisioned it, except that in addition, there 
should be a svn:certificate property to store the user's certificate 
that is used to generate the signature.

>   - The server needs a list of commit author certificates. Ideally
>     this list would be the same as the one used for client
>     authentication, although cert-based authentication shouldn't be
>     required for changeset signing to work.

The server does not keep a list of commit author certificates.  One of 
the advantages of using digital certificates is that the server does not 
have to know you before you can authenticate with it.  It only has to 
know the trusted third party certificate authority which signed your 
certificate.


>   - The server must maintain a list of expired and revoked client
>     certificates. While these are no longer valid for new commits,
>     they may be needed for verifying signatures on historical
>     revisions.

This would be done with the svn:certificate revprop stored in each commit.

> The client verifies the changeset signature during update.

I'm not sure that you'd want the client to verify changesets on each 
update. I see the signing process as something that you would verify 
during an audit, not on a daily basis.  As such a new command could 
probably be added for this purpose, probably to svnadmin.

kfogel@collab.net wrote:
>>
>>Ah! The changeset-signing design exsists in several developers' heads. :)
>>
>>Well, I wrote up what I can remember of our discussions about this; see
>>
>>    http://svn.collab.net/repos/svn/trunk/notes/changeset-signing.txt
> 
> 
> Heh.  Now I'm embarrassed for my earlier mail. Branko, it might help
> to know that I set my mailreader to do duplicate message folding, so I
> didn't see the above when reading users@, where I was responding from
> when I wrote:
> 
> 
>>I don't know what plans Branko was referring to (in the mail from him,
>>quoted below).  He may have been following some threads that I wasn't,
>>or something.  Branko?
> 
> 
> Thanks for [having done] the writeup.
> 
> -K
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Feature Request: Changeset Signing

Posted by Phillip Susi <ps...@cfl.rr.com>.

Nice writeup.  I'd like to add a few comments though.

> If changeset signing is enabled, the client sends a signed hash of the
> changes to the server as part of the commit. This signature is stored
> in a new revprop, svn:signature.
> 
> Implementation:
> 
> Modify the commit editor to calculate a hash of the committables
> during generation of the commit report. The input data for the hash
> could be an incremental dump of the pending commit (without revision
> and date info), generated on the fly.
> 
> As the last act of the commit, the client would add a digital
> signature of this hash as the svn:signature revprop.

This is pretty much as I envisioned it, except that in addition, there 
should be a svn:certificate property to store the user's certificate 
that is used to generate the signature.

>   - The server needs a list of commit author certificates. Ideally
>     this list would be the same as the one used for client
>     authentication, although cert-based authentication shouldn't be
>     required for changeset signing to work.

The server does not keep a list of commit author certificates.  One of 
the advantages of using digital certificates is that the server does not 
have to know you before you can authenticate with it.  It only has to 
know the trusted third party certificate authority which signed your 
certificate.


>   - The server must maintain a list of expired and revoked client
>     certificates. While these are no longer valid for new commits,
>     they may be needed for verifying signatures on historical
>     revisions.

This would be done with the svn:certificate revprop stored in each commit.

> The client verifies the changeset signature during update.

I'm not sure that you'd want the client to verify changesets on each 
update. I see the signing process as something that you would verify 
during an audit, not on a daily basis.  As such a new command could 
probably be added for this purpose, probably to svnadmin.

kfogel@collab.net wrote:
>>
>>Ah! The changeset-signing design exsists in several developers' heads. :)
>>
>>Well, I wrote up what I can remember of our discussions about this; see
>>
>>    http://svn.collab.net/repos/svn/trunk/notes/changeset-signing.txt
> 
> 
> Heh.  Now I'm embarrassed for my earlier mail. Branko, it might help
> to know that I set my mailreader to do duplicate message folding, so I
> didn't see the above when reading users@, where I was responding from
> when I wrote:
> 
> 
>>I don't know what plans Branko was referring to (in the mail from him,
>>quoted below).  He may have been following some threads that I wasn't,
>>or something.  Branko?
> 
> 
> Thanks for [having done] the writeup.
> 
> -K
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Feature Request: Changeset Signing

Posted by kf...@collab.net.

Branko Čibej <br...@xbc.nu> writes:
> [Cc'inf dev@ with the design proposal]
> Stefano Spinucci wrote:
> 
> >I searched through todo, open issues, notes etc, but I didn't find any
> >document about signing commit.
> >
> >I'd like to read some development notes, if available, to see what
> >choice are already made and what not (ie if you are going to use
> >OpenPGP, or whatever else).
> >
> Ah! The changeset-signing design exsists in several developers' heads. :)
> 
> Well, I wrote up what I can remember of our discussions about this; see
> 
>     http://svn.collab.net/repos/svn/trunk/notes/changeset-signing.txt

Heh.  Now I'm embarrassed for my earlier mail. Branko, it might help
to know that I set my mailreader to do duplicate message folding, so I
didn't see the above when reading users@, where I was responding from
when I wrote:

> I don't know what plans Branko was referring to (in the mail from him,
> quoted below).  He may have been following some threads that I wasn't,
> or something.  Branko?

Thanks for [having done] the writeup.

-K

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Feature Request: Changeset Signing

Posted by kf...@collab.net.

Branko Čibej <br...@xbc.nu> writes:
> [Cc'inf dev@ with the design proposal]
> Stefano Spinucci wrote:
> 
> >I searched through todo, open issues, notes etc, but I didn't find any
> >document about signing commit.
> >
> >I'd like to read some development notes, if available, to see what
> >choice are already made and what not (ie if you are going to use
> >OpenPGP, or whatever else).
> >
> Ah! The changeset-signing design exsists in several developers' heads. :)
> 
> Well, I wrote up what I can remember of our discussions about this; see
> 
>     http://svn.collab.net/repos/svn/trunk/notes/changeset-signing.txt

Heh.  Now I'm embarrassed for my earlier mail. Branko, it might help
to know that I set my mailreader to do duplicate message folding, so I
didn't see the above when reading users@, where I was responding from
when I wrote:

> I don't know what plans Branko was referring to (in the mail from him,
> quoted below).  He may have been following some threads that I wasn't,
> or something.  Branko?

Thanks for [having done] the writeup.

-K

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org