Posted to dev@subversion.apache.org by Kevin Pilch-Bisson <ke...@pilch-bisson.net> on 2002/04/09 13:57:06 UTC
Re: [Issue 650] Changed - certificate handling
On Tue, Apr 09, 2002 at 01:57:57PM -0000, issues@subversion.tigris.org wrote:
> + ------- Additional Comments From cmpilato@tigris.org 2002-04-09 06:57 -------
> + Given that SSL without certs earns us a CVS-matching encryption level,
> + assigning this a post-1.0 milestone.
>
This cert handling is required to use SSL properly. We need to be able to
verify that the server cert is valid. For example warn about self-signed
server certs, etc.
Without this cert handling, SSL buys us no security whatsoever (well not much
at least).
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Pilch-Bisson http://www.pilch-bisson.net
"Historically speaking, the presence of wheels in Unix
has never precluded their reinvention." - Larry Wall
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Re: [Issue 650] Changed - certificate handling
Posted by Peter Mathiasson <pe...@mathiasson.nu>.
On Tue, Apr 09, 2002 at 04:33:40PM -0700, Greg Stein wrote:
> > I'm not saying this is an important issue for the time being, but
> > sometime in the future it should be implemented.
>
> I have marked issue 650 as "beta". It is arguably a biggish feature to
> implement and could thus be flagged "alpha", but there is no way we could
> call ourselves beta without it.
Sounds fine with me. I'll just use stunnel until then. www.stunnel.org.
--
Peter Mathiasson, peter at mathiasson dot nu, http://www.mathiasson.nu
GPG Fingerprint: A9A7 F8F6 9821 F415 B066 77F1 7FF5 C2E6 7BF2 F228
Re: [Issue 650] Changed - certificate handling
Posted by Greg Stein <gs...@lyra.org>.
On Tue, Apr 09, 2002 at 10:37:41PM +0200, Peter Mathiasson wrote:
> On Tue, Apr 09, 2002 at 11:20:57AM -0400, Greg Hudson wrote:
>...
> > Eh? This is not ssh. Either a certificate is signed by a chain leading
> > to a trusted CA or it's not.
Right. If it is a trusted CA, then caching isn't necessary. If the root CA
is untrusted, then you may still want to trust the cert, so you cache the
fingerprint.
> > I suppose you could cache self-signed certificates so that you'd know if
> > you're getting the same one each time, but certificates do expire, so
> > that's not especially valuable.
Yup, but when a cert expires, then you can requery whether the person wants
to trust it, then cache the new cert/fingerprint.
> I use self-signed certificates, and send them to those who need them
> through a trusted channel; phone or gpg signed email.
I expect this will be used a *lot* in development environments. Trust chains
are very different within a dev group, than when you're talking about the
Internet as a whole.
> Saving certificate fingerprints, or even whole certificates is a must.
> There should also be a way to pre-install certificates prior to the
> first use.
Yes.
> I'm not saying this is an important issue for the time being, but
> sometime in the future it should be implemented.
I have marked issue 650 as "beta". It is arguably a biggish feature to
implement and could thus be flagged "alpha", but there is no way we could
call ourselves beta without it.
Cheers,
-g
--
Greg Stein, http://www.lyra.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: [Issue 650] Changed - certificate handling
Posted by Peter Mathiasson <pe...@mathiasson.nu>.
On Tue, Apr 09, 2002 at 11:20:57AM -0400, Greg Hudson wrote:
> On Tue, 2002-04-09 at 11:04, Kevin Pilch-Bisson wrote:
> > Sorry, I should have read the whole issue. I would say that only a small part
> > of the stuff mentioned in the issue needs to be done for alpha. Namely
> > caching the server certs or their fingerprints so that we can detect
> > man-in-the-middle attacks.
>
> Eh? This is not ssh. Either a certificate is signed by a chain leading
> to a trusted CA or it's not.
>
> I suppose you could cache self-signed certificates so that you'd know if
> you're getting the same one each time, but certificates do expire, so
> that's not especially valuable.
I use self-signed certificates, and send them to those who need them
through a trusted channel; phone or gpg signed email.
Saving certificate fingerprints, or even whole certificates is a must.
There should also be a way to pre-install certificates prior to the
first use.
I'm not saying this is an important issue for the time being, but
sometime in the future it should be implemented.
Re: [Issue 650] Changed - certificate handling
Posted by Daniel Stenberg <da...@haxx.se>.
On Tue, 9 Apr 2002, Kevin Pilch-Bisson wrote:
> > I suppose you could cache self-signed certificates so that you'd know if
> > you're getting the same one each time, but certificates do expire, so
> > that's not especially valuable.
> This is what I was thinking of. How quickly do the certs expire?
Certs expire at a given date, so it can in fact expire between any two
connects.
> My idea was to do something like:
>
> "Warning self-signed certificate from host foo with fingerprint bar.
> Continue connecting?"
>
> Then cache the result of that, so that the warning only shows up the first
> time.
The expiry date is also readable from the certificate, so it doesn't need
to be a surprise to the client when that happens.
--
Daniel Stenberg - http://daniel.haxx.se - +46-705-44 31 77
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
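The scheme the thread converges on (Greg Stein's rule that a CA-signed cert needs no caching while an untrusted one gets its fingerprint cached, Kevin's first-use warning, Daniel's point that the expiry date is readable from the cert, and Peter's pre-installed fingerprints) is small enough to write down in full. The block below is an added example for this page; it is not Subversion code and does not claim to match what issue 650 eventually shipped. It assumes that chain validation against the trusted CA store is done by the TLS library and arrives here as a flag, that the "DER" bytes and the host names (svn.example.test, other.example.test) are constructed for the demo, and that fingerprints are SHA-256 over the DER bytes in OpenSSL's colon-separated layout.

```python
"""Trust-on-first-use cache for server certificates that do not chain to a
trusted CA, with expiry handling, mismatch detection and pre-installed entries.

Added example for this thread; not Subversion code. Chain validation is
assumed to be done by the TLS library, so its verdict arrives as a flag."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PeerCert:
    """What the client learns from the handshake. `der` stands in for the
    DER-encoded certificate (constructed bytes in this example); `chain_trusted`
    is the verdict of ordinary chain validation against the trusted CA store."""
    host: str
    der: bytes
    not_after: datetime
    chain_trusted: bool

    def fingerprint(self) -> str:
        # SHA-256 over the DER bytes, colon-separated as `openssl x509 -fingerprint` prints it
        digest = hashlib.sha256(self.der).hexdigest().upper()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class CacheEntry:
    fingerprint: str
    not_after: datetime   # taken from the cert, so expiry is never a surprise to the client


def warning_text(host: str, fp: str) -> str:
    return (f"Warning: self-signed certificate from host {host} "
            f"with fingerprint {fp}. Continue connecting?")


class CertTrustStore:
    """Decides whether a connection may proceed.

    chain to a trusted CA          -> accept, nothing to cache
    no cache entry for the host    -> ask the user, cache the fingerprint on "yes"
    entry matches                  -> accept silently
    entry differs, still unexpired -> refuse (possible man-in-the-middle)
    entry differs, already expired -> ask again and replace the entry
    """

    def __init__(self, prompt: Callable[[str], bool],
                 preinstalled: Optional[Dict[str, CacheEntry]] = None):
        self._prompt = prompt
        # keyed by host: a fingerprint approved for one server never vouches for another
        self._cache: Dict[str, CacheEntry] = dict(preinstalled or {})

    def check(self, cert: PeerCert, now: datetime) -> Tuple[bool, str]:
        if cert.not_after <= now:
            return False, "certificate expired"
        if cert.chain_trusted:
            return True, "trusted CA"
        fp = cert.fingerprint()
        entry = self._cache.get(cert.host)
        if entry is not None:
            if entry.fingerprint == fp:
                return True, "cached fingerprint"
            if entry.not_after > now:
                return False, "fingerprint mismatch"
        # first contact, or the cached cert has expired and the server shows a new one
        if not self._prompt(warning_text(cert.host, fp)):
            return False, "user declined"
        self._cache[cert.host] = CacheEntry(fp, cert.not_after)
        return True, "user approved"


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def demo() -> List[Tuple[bool, str]]:
    """Run a constructed sequence of connections through one store."""
    host = "svn.example.test"                               # hypothetical host
    first = PeerCert(host, b"constructed-der-2002", _utc(2003, 4, 9), False)
    attacker = PeerCert(host, b"constructed-der-attacker", _utc(2003, 4, 9), False)
    renewed = PeerCert(host, b"constructed-der-2003", _utc(2004, 4, 9), False)
    ca_signed = PeerCert("other.example.test", b"constructed-der-ca", _utc(2003, 4, 9), True)

    answers = iter([True, True])                            # scripted user: "yes" each time asked
    store = CertTrustStore(prompt=lambda msg: next(answers))
    return [
        store.check(first, _utc(2002, 4, 9)),               # first contact: prompt, then cache
        store.check(first, _utc(2002, 6, 1)),               # same cert again: no prompt
        store.check(attacker, _utc(2002, 6, 1)),            # other cert while cached one is valid
        store.check(ca_signed, _utc(2002, 6, 1)),           # CA-signed: cache not consulted
        store.check(first, _utc(2003, 5, 1)),               # the cached cert itself has expired
        store.check(renewed, _utc(2003, 5, 1)),             # replacement after expiry: ask again
    ]


def demo_preinstalled() -> Tuple[bool, str]:
    """A fingerprint delivered out of band (phone, signed mail) needs no first-use prompt."""
    host = "svn.example.test"
    cert = PeerCert(host, b"constructed-der-2002", _utc(2003, 4, 9), False)

    def never(msg: str) -> bool:
        raise AssertionError("prompt must not be shown for a pre-installed fingerprint")

    store = CertTrustStore(prompt=never,
                           preinstalled={host: CacheEntry(cert.fingerprint(), cert.not_after)})
    return store.check(cert, _utc(2002, 4, 9))


if __name__ == "__main__":
    for ok, why in demo():
        print("accept" if ok else "refuse", "-", why)
    print(demo_preinstalled())
```

The weak point of this design is the first contact: whoever sits on the path when the user says "yes" the first time is trusted until that certificate expires, which is exactly why the pre-install path matters. The store is keyed by host so that an attacker cannot replay a fingerprint the user once approved for a different server, and the expiry check runs on the presented certificate before the cache is consulted, so a cached but expired certificate is refused rather than silently accepted.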
Re: [Issue 650] Changed - certificate handling
Posted by Kevin Pilch-Bisson <ke...@pilch-bisson.net>.
On Tue, Apr 09, 2002 at 11:20:57AM -0400, Greg Hudson wrote:
> On Tue, 2002-04-09 at 11:04, Kevin Pilch-Bisson wrote:
> > Sorry, I should have read the whole issue. I would say that only a small part
> > of the stuff mentioned in the issue needs to be done for alpha. Namely
> > caching the server certs or their fingerprints so that we can detect
> > man-in-the-middle attacks.
>
> Eh? This is not ssh. Either a certificate is signed by a chain leading
> to a trusted CA or it's not.
Right. This isn't implemented yet though, and needs to be.
>
> I suppose you could cache self-signed certificates so that you'd know if
> you're getting the same one each time, but certificates do expire, so
> that's not especially valuable.
>
This is what I was thinking of. How quickly do the certs expire? My idea was
to do something like:
"Warning self-signed certificate from host foo with fingerprint bar. Continue
connecting?"
Then cache the result of that, so that the warning only shows up the first
time.
Re: [Issue 650] Changed - certificate handling
Posted by Greg Hudson <gh...@MIT.EDU>.
On Tue, 2002-04-09 at 11:04, Kevin Pilch-Bisson wrote:
> Sorry, I should have read the whole issue. I would say that only a small part
> of the stuff mentioned in the issue needs to be done for alpha. Namely
> caching the server certs or their fingerprints so that we can detect
> man-in-the-middle attacks.
Eh? This is not ssh. Either a certificate is signed by a chain leading
to a trusted CA or it's not.
I suppose you could cache self-signed certificates so that you'd know if
you're getting the same one each time, but certificates do expire, so
that's not especially valuable.
Re: [Issue 650] Changed - certificate handling
Posted by cm...@collab.net.
Kevin Pilch-Bisson <ke...@pilch-bisson.net> writes:
> Sorry, I should have read the whole issue. I would say that only a
> small part of the stuff mentioned in the issue needs to be done for
> alpha. Namely caching the server certs or their fingerprints so
> that we can detect man-in-the-middle attacks. That's about the only
> thing we're missing compared to CVS with an SSH tunnel.
Will you update the issue accordingly, please?
Re: [Issue 650] Changed - certificate handling
Posted by Kevin Pilch-Bisson <ke...@pilch-bisson.net>.
On Tue, Apr 09, 2002 at 09:07:25AM -0500, cmpilato@collab.net wrote:
> Kevin Pilch-Bisson <ke...@pilch-bisson.net> writes:
>
> > > + Given that SSL without certs earns us a CVS-matching encryption level,
> > > + assigning this a post-1.0 milestone.
> > >
> > This cert handling is required to use SSL properly. We need to be able to
> > verify that the server cert is valid. For example warn about self-signed
> > server certs, etc.
> >
> > Without this cert handling, SSL buys us no security whatsoever (well
> > not much at least).
>
> So what should the milestone be, 'alpha' (my remarks in the issue were
> based *entirely* on comments already in the issue) ?
Sorry, I should have read the whole issue. I would say that only a small part
of the stuff mentioned in the issue needs to be done for alpha. Namely
caching the server certs or their fingerprints so that we can detect
man-in-the-middle attacks. That's about the only thing we're missing compared
to CVS with an SSH tunnel.
Re: [Issue 650] Changed - certificate handling
Posted by cm...@collab.net.
Kevin Pilch-Bisson <ke...@pilch-bisson.net> writes:
> > + Given that SSL without certs earns us a CVS-matching encryption level,
> > + assigning this a post-1.0 milestone.
> >
> This cert handling is required to use SSL properly. We need to be able to
> verify that the server cert is valid. For example warn about self-signed
> server certs, etc.
>
> Without this cert handling, SSL buys us no security whatsoever (well
> not much at least).
So what should the milestone be, 'alpha' (my remarks in the issue were
based *entirely* on comments already in the issue) ?