On 20 November 2015 at 22:02, Branko Čibej <[email protected]> wrote:
> On 20.11.2015 15:20, Mark Phippard wrote:
>> I've always felt the same, but now that I've used SSH more (with Git) I
>> kind of question it.
>>
>> Are HTTP client certs much better than passwords?
>
> Please ... SSL/TLS client certs. Just nitpicking to make sure we use
> correct terminology.
>
>
>> The cert itself still
>> has to be physically secured and if you protect the cert with a passphrase
>> then you have all of the same cache problems that passwords do.
>
> Yup.
>
>> With SSH there is infrastructure like ssh-agent that just does not exist
>> for HTTP.
>
> s/HTTP/TLS/ but otherwise, yes. Also with X509 certificates you force
> users to either rely on a 3rd-party authority or create self-signed
> certs, which are equivalent to SSH keypairs, just a lot more complicated
> to manage.
>
> IMO, it would be a better idea to integrate, e.g., libssh2
> directly into our code as an alternative to using an external SSH tool.
> I'm sure we could make long-term tunnel management work on the RA level.
>
As far as I understand Philip's goal to reuse svnserve process on the server,
that means we would need ssh protocol server-side implementation in svnserve.

-- Ivan Zhakov

