Re: [RFC 0/2] Git-over-TLS (gits://) client side support

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Wed, Jan 13, 2010 at 02:30:20PM -0500, Avery Pennarun wrote:
> On Wed, Jan 13, 2010 at 2:18 PM, Ilari Liusvaara
> <ilari.liusvaara@elisanet.fi> wrote:
> 
> I think you're overstating the situation a bit here.  You can use
> X.509 certificates without setting up a full PKI.  Basically, an X.509
> cert is just a public key with some extra crud thrown into the data
> file.  You could validate it using a PKI, but you could also validate
> it by checking the verbatim public key just like ssh does.  It's not
> elegant, but it works, and it's a worldwide standard.

Grossly overcomplicated standard... ASN.1? And there are other usable
standards that can be used with TLS.

> (I don't know if stunnel does this type of validation... but *I've*
> done this with the openssl libraries, so I know it can be done.)

AFAIK, it doesn't.
 
> > And how many (relative) use client ceritificates with SSL? Keypairs with SSH?
> > Why you think this is?
> 
> At least hundreds of thousands of people, including non-technical
> people, use X.509 client certificates and SSL in various big
> industries with high security requirements. 

That is: Epsilon.

> That's why every major web browser supports them.

Supports != is actually usable.

> In contrast, ssh is only ever used by
> techies, and there are fewer of those.  Of course, as techies our
> informal observations might lead us to believe otherwise.

Most of those that use git are techies anyway.

> Furthermore, how many people who really want ssh-style keypairs (and
> thus refuse to use X.509 and PKI) can't just use ssh as their git
> transport?  I don't actually understand what the goal is here.

As said, I got fed up with failure modes of SSH.

-Ilari