git.vger.kernel.org archive mirror
From: "Shawn O. Pearce" <spearce@spearce.org>
To: Johannes Sixt <j.sixt@viscovery.net>
Cc: Pierre Habouzit <madcoder@debian.org>,
	Sam Vilain <sam@vilain.net>,
	git@vger.kernel.org
Subject: Re: [RFC] Authenticate push via PGP signature, not SSH
Date: Thu, 31 Jan 2008 00:43:05 -0500
Message-ID: <20080131054304.GY24004@spearce.org>
In-Reply-To: <47A02EA8.50507@viscovery.net>

Johannes Sixt <j.sixt@viscovery.net> wrote:
> Shawn O. Pearce wrote:
> > I'm currently finishing a side-band-64k protocol extension to the
> > send-pack/receive-pack pair.  My next task after I flush those
> > RFC patches out to the list tonight will be to prototype at least
> > some of the auth1 extension I described.
> 
> I propose to make the syntax of the extension
> 
> server capability:  auth=<list of hash methods>:<challenge>
> client response:    auth=<chosen hash method>
> 
> where <challenge> is a random sequence of non-blank ASCII text, not
> necessarily of a fixed length, but perhaps of a minimum length.
> 
> Then we can extend the list of hash algorithms (that are used for
> authentication purposes) if people think that SHA1 is not secure enough:
> 
>     auth=SHA1,SHA256:random-stuff-goes-here
> 
> I'm not a security expert, so take this with a grain of salt.

I'm not certain this is worth the extra complexity.

One reason I proposed "auth-1" as the extension name is so we could
introduce an "auth-2" and make changes in the future if we need to.

But I think there's little value in this authentication hash being
anything other than SHA-1.  Remember that the data itself in the
packfile following the authentication is only protected by SHA-1.
If SHA-1 is considered too weak to protect the ref update commands
then it's likely also too weak to protect the file content following
behind those same commands.

Getting stronger authentication here than SHA-1 would probably
require changing the commit object name hash to something stronger
than SHA-1, and the tree object name hash, etc.  Remember that
signed tags are only using the SHA-1 of the commit and that's only
got the SHA-1 of the tree... ;-)

-- 
Shawn.
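
Added example, not part of the original message and not code from Git: a sketch of the object-name chain the reply refers to, showing that the bytes a signed tag covers name only the commit's SHA-1, which in turn covers only the tree's SHA-1. The identity string, file name, tag name and messages are constructed sample values.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Object name as Git computes it: sha1("<type> <len>" NUL body)."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries):
    """Serialize (mode, name, hex id) entries; ids are stored as 20 raw bytes.
    Plain name sort is enough here because the sample tree holds files only."""
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}".encode() + b"\x00" + bytes.fromhex(hex_id)
    return out

def commit_body(tree_id: str, message: str, ident: str) -> bytes:
    """A root commit: it references file content only through the tree id."""
    return (f"tree {tree_id}\n"
            f"author {ident}\ncommitter {ident}\n\n{message}\n").encode()

def tag_payload(commit_id: str, name: str, ident: str) -> bytes:
    """The text a PGP signature on an annotated tag is computed over."""
    return (f"object {commit_id}\ntype commit\ntag {name}\n"
            f"tagger {ident}\n\nrelease {name}\n").encode()

# Constructed sample identity (assumption, not from the thread).
IDENT = "A U Thor <author@example.com> 1201758185 -0500"

def build_chain(file_content: bytes):
    """Return (blob id, tree id, commit id, signed tag payload) for one file."""
    blob = git_object_id("blob", file_content)
    tree = git_object_id("tree", tree_body([("100644", "README", blob)]))
    commit = git_object_id("commit", commit_body(tree, "initial", IDENT))
    return blob, tree, commit, tag_payload(commit, "v1.0", IDENT)

if __name__ == "__main__":
    # A one-byte change in the file propagates up to the commit id, but the
    # only thing the tag signature sees is that 40-character SHA-1 name.
    for content in (b"hello world\n", b"hello w0rld\n"):
        blob, tree, commit, payload = build_chain(content)
        print(f"blob   {blob}\ntree   {tree}\ncommit {commit}")
        print(payload.decode())
```

Every link between the signed payload and the file bytes is a SHA-1 name, so a stronger hash on the ref update commands alone would still rest on SHA-1 for the content behind them.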
