bug-cvs

Re: SSL?


From: Derek R. Price
Subject: Re: SSL?
Date: Mon, 19 Mar 2001 12:36:17 -0500

Attempting to move this discussion to bug-cvs...

Jon Miner wrote:

> * Alexey Mahotkin (address@hidden) [010318 14:44]:
> > Yes, and also it's about flexibility.  In my scheme 'cvs' binary does not
> > know (should not know) about Kerberos, GSSAPI, SSL (this case is somewhat
> > unclear to me, probably CVS-server should indeed somehow control SSL
> > session)
>
> Kerberos/GSSAPI are not the same as SSL..  SSL is simply an encryption
> layer, not an authentication method...  It would need to be controlled by
> the server, since you only set up the SSL link once..

True, but there might be some sense to consolidating all the encryption into a
single and separate layer as well.

I know that Kerberos/GSSAPI has an encryption scheme built in, though I don't
know how complicated passing off the necessary tokens to a child process would
be.

What are the advantages/disadvantages of making the encryption code part of
the authentication module or another intermediate filter process?  What design
are you using currently, Alexey?

I see obvious advantages to keeping all the GSSAPI code in a single module, as
well as to having a server process which only knows about authenticated
cleartext connections on stdin/stdout, although I'll grant that good coding
can come close to achieving this appearance anyhow.

Of course, as I mentioned before, all of this complicates the design of the
reentrant server that has apparently been in the works, or at least in
planning, for a while.

Derek

--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:address@hidden         CollabNet ( http://collab.net )
--
As honest as the day is long.

                - S. Z. Sakall as Headwaiter Carl, _Casablanca_





