On Mon, 2010-12-06 at 07:30 -0500, Daniel Shahaf wrote:
> Ideally, Subversion won't know the PGP passphrase. (If it does, then
> a malicious libsvn_subr can compromise a private key.)
I think you're trying to solve a different problem here. The goal is to minimize typing of passwords without storing passwords in a fixed medium, not to protect keys against malicious or broken Subversion code.

> For comparison, the ssh-agent protocol[1] only allows a client of the
> agent to authenticate himself (using the agent) to a third party, but
> does not have a "Retrieve secret key" option [2]. If we are to use PGP,
> could we find a solution with similar properties?

ssh-agent has special knowledge of the operations which will be performed using the keying material. PGP probably doesn't have any interest in the operations Subversion needs to do with passwords. PKCS#11 is the most commonly used general API for operations where an application can use a key but isn't allowed to know what it is. The most useful free software implementation of PKCS#11 is probably NSS. I don't think we want to go there, though.
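The property the thread attributes to ssh-agent (a client can use a key to authenticate to a third party but cannot retrieve the key) is easy to see in a small model. The following is an added illustration written for this page, not code from the thread or from Subversion or ssh-agent; it uses an in-process "agent" holding constructed secrets and an HMAC challenge-response with a verifier that also knows the secret, in place of ssh-agent's public-key signatures. The class and function names (KeyAgent, Verifier, authenticate) are hypothetical.

```python
import hashlib
import hmac
import os


class KeyAgent:
    """Holds secrets in memory and exposes only authentication operations.

    Hypothetical model of the ssh-agent property: a client can ask the
    agent to sign a challenge, but there is deliberately no operation that
    hands the secret back to the caller.
    """

    def __init__(self):
        self._keys = {}  # name -> secret bytes; never exported

    def add_key(self, name, secret):
        self._keys[name] = bytes(secret)

    def list_keys(self):
        # Listing names is fine; listing key material is not offered.
        return sorted(self._keys)

    def sign(self, name, challenge):
        # The only thing a client can do with a key: prove possession of it.
        key = self._keys[name]
        return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """Third party (e.g. a server) that knows the shared secret and issues
    single-use random challenges so a captured response cannot be replayed."""

    def __init__(self, secret):
        self._secret = bytes(secret)
        self._pending = set()

    def challenge(self):
        chal = os.urandom(32)
        self._pending.add(chal)
        return chal

    def verify(self, challenge, response):
        # Accept only challenges this verifier issued, and only once.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(agent, key_name, verifier):
    """Client-side flow: fetch a challenge, have the agent answer it, present the answer.
    The client code here never sees the secret, only the response."""
    chal = verifier.challenge()
    resp = agent.sign(key_name, chal)
    return chal, resp, verifier.verify(chal, resp)


def demo():
    """Returns (genuine_ok, wrong_verifier_ok, replay_ok)."""
    secret = b"constructed-shared-secret"  # constructed sample value
    agent = KeyAgent()
    agent.add_key("svn", secret)

    server = Verifier(secret)
    chal, resp, genuine_ok = authenticate(agent, "svn", server)

    # A verifier holding a different secret rejects the agent's responses.
    _, _, wrong_ok = authenticate(agent, "svn", Verifier(b"some-other-secret"))

    # Replaying a previously accepted (challenge, response) pair is rejected.
    replay_ok = server.verify(chal, resp)
    return genuine_ok, wrong_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the model is the interface shape: KeyAgent has `sign` and `list_keys` but no export operation, so even a compromised client process that talks to the agent can at most obtain responses to challenges, not the key itself. A PKCS#11 token gives an application the same shape for real keys.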