On 20.11.2015 15:20, Mark Phippard wrote:
> I've always felt the same, but now that I've used SSH more (with Git) I
> kind of question it.
>
> Are HTTP client certs much better than passwords?

Please ... SSL/TLS client certs. Just nitpicking to make sure we use correct terminology.

> The cert itself still
> has to be physically secured and if you protect the cert with a passphrase
> then you have all of the same cache problems that passwords do.

Yup.

> With SSH there is infrastructure like ssh-agent that just does not exist
> for HTTP.

s/HTTP/TLS/ but otherwise, yes. Also with X509 certificates you force users to either rely on a 3rd-party authority or create self-signed certs, which are equivalent to SSH keypairs, just a lot more complicated to manage.

IMO, it would be a better idea to integrate, e.g., libssh2 directly into our code as an alternative to using an external SSH tool. I'm sure we could make long-term tunnel management work on the RA level.

-- Brane

> On Fri, Nov 20, 2015 at 9:16 AM, Bert Huijben <[email protected]> wrote:
>
>> With the right tooling both operations should be equivalent. Perhaps it is
>> easier to spend time on that.
>>
>> Bert
>>
>> Sent from Outlook Mail <http://go.microsoft.com/fwlink/?LinkId=550987>
>> for Windows 10 phone
>>
>> *From: *Philip Martin
>> *Sent: *Friday 20 November 2015 12:21
>> *To: *Ivan Zhakov
>> *Cc: *Daniel Shahaf;[email protected]
>> *Subject: *Re: svn+ssh long-lived daemon
>>
>> Ivan Zhakov <[email protected]> writes:
>>
>>> 5. HTTPS authentication using client certificates
>>
>> Client certificates are a possibility. There are some drawbacks: the
>> signing authority has to be maintained, revoking a certificate is more
>> complicated than removing a key from the authorized_keys file.
>>
>> --
>> Philip Martin
>> WANdisco

