On Wed, Mar 16, 2011 at 11:40 PM, Ron Wilson <ronw.m...@gmail.com> wrote: >> I need to read up on ~/.fossil and _FOSSIL_ though to see if there's >> any risk of accidental information leak when pushing/pulling. The >> question is if the client key should be stored in the database, or if >> it's safer to store a reference to it instead, and keep the actual key >> outside (in the file system). > > I would keep the certs, themselves, completely outside of Fossil or > any other VCS, just storing paths to the files containing the certs.
Yeah, and another point I thought of was that it also makes it much easier to globally update the certificate/key in case the certificate gets revoked or expires. (Which happens..). > Even the public certs. The public certs you use are your means for > authenticating who you trust. You want to be very careful accepting > them. That's true for distributed web of trusts, but if you're using PKI you (typically) use the CA certificate to verify the authenticity of a client certificate. It's a different trust model. >> On that note.. Planning a little bit further into the future here. Is >> anyone interested in "full" support for PKI in fossil? For instance, >> signing commits using a client key belonging to a certificate > > Signing commits is a good idea. I would recomend invoking gpg (or > other crypto tool) to generate and validate signatures, rather than > even using a library. Tools like gpg receive a huge amount of > scrutiny, so it is very probably safer than performing those functions > in Fossil. I know this goes against the Fossil philosophy of providing > a single, self-contained executable, but this is one area where using > a dedicated, purpose-made tool for the job makes sense. As Joshua mentioned, gpg signing is already supported. But my proposition was to add another trust model, for organizations/industries which are not allowed to trust anything but PKI structures. Anyway, that's further down the road; just wanted to see if there was any immediate interest for PKI in fossil. _______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
