Re: [RFC 0/2] Git-over-TLS (gits://) client side support

[Avery Pennarun <apenwarr@gmail.com>]

On Wed, Jan 13, 2010 at 2:18 PM, Ilari Liusvaara
<ilari.liusvaara@elisanet.fi> wrote:
>> Please consider my objections revoked, other than the claim that
>> it could be done with stunnel, however ugly that would be.
>
> Only if you don't care about complexity introducing PKI would bring
> (yes, I read those manuals).

I think you're overstating the situation a bit here.  You can use
X.509 certificates without setting up a full PKI.  Basically, an X.509
cert is just a public key with some extra crud thrown into the data
file.  You could validate it using a PKI, but you could also validate
it by checking the verbatim public key just like ssh does.  It's not
elegant, but it works, and it's a worldwide standard.

(I don't know if stunnel does this type of validation... but *I've*
done this with the openssl libraries, so I know it can be done.)

>> Of course, you have another problem in that case...also I'd personally
>> like to rely on ssl client certificates when using https.
>
> And how many (relative) use client ceritificates with SSL? Keypairs with SSH?
> Why you think this is?

At least hundreds of thousands of people, including non-technical
people, use X.509 client certificates and SSL in various big
industries with high security requirements.  That's why every major
web browser supports them.  In contrast, ssh is only ever used by
techies, and there are fewer of those.  Of course, as techies our
informal observations might lead us to believe otherwise.

Furthermore, how many people who really want ssh-style keypairs (and
thus refuse to use X.509 and PKI) can't just use ssh as their git
transport?  I don't actually understand what the goal is here.

Have fun,

Avery