> Then cvs:// could mean connect to port 2401 and ask
> what authentication methods are valid. The server would respond with a list and
> the client would use whatever it thinks is the most secure to authenticate and set
> up an encryption stream.
Oooh, no, you *DON'T* want to do that -- it's a classic "man in the
middle" attack. I can sit between you and the server and force you to
downgrade to a lower security level. Early SSL had this problem.
Designing security protocols is hard. Recommend we stick to one hard
problem (source control) here.
/r$
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
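
The downgrade described in the reply above, as an added example that is not part of the original message or of CVS: a client that trusts an unauthenticated method list, next to two client-side checks that catch an edited list. The method names, their ranking and all function names are hypothetical, and the transcript check assumes the chosen method leaves client and server with a shared key.

```python
import hashlib
import hmac

# Hypothetical method names, ranked weakest to strongest (not CVS's real list).
STRENGTH = {"plaintext": 0, "scrambled-password": 1, "kerberos": 2, "tls": 3}
# Constructed sample of what an honest server would advertise.
SERVER_OFFER = ["plaintext", "scrambled-password", "kerberos", "tls"]

def pick_strongest(offer):
    known = [m for m in offer if m in STRENGTH]
    return max(known, key=STRENGTH.get) if known else None

def tampered_offer(offer, keep_max=1):
    """Model of the unauthenticated list after an on-path party has edited it."""
    return [m for m in offer if STRENGTH.get(m, 0) <= keep_max]

def naive_client(offer_seen):
    # Trusts whatever list arrived: the design proposed in the quoted text.
    return pick_strongest(offer_seen)

def policy_client(offer_seen, floor="kerberos"):
    # Mitigation 1: a local minimum that the network cannot lower.
    choice = pick_strongest(offer_seen)
    if choice is None or STRENGTH[choice] < STRENGTH[floor]:
        raise ConnectionError("offer below local minimum %r; refusing" % floor)
    return choice

def transcript_tag(key, offer):
    # MAC over the offer, keyed with the secret the chosen method established.
    return hmac.new(key, "\x00".join(offer).encode(), hashlib.sha256).digest()

def offer_confirmed(key, offer_seen, server_tag):
    # Mitigation 2: server MACs the list it sent; client checks it against
    # the list it received. Only meaningful when the method yields a shared key.
    return hmac.compare_digest(transcript_tag(key, offer_seen), server_tag)

if __name__ == "__main__":
    seen = tampered_offer(SERVER_OFFER)
    print("naive client, clean path:   ", naive_client(SERVER_OFFER))
    print("naive client, edited offer: ", naive_client(seen))
    try:
        policy_client(seen)
    except ConnectionError as exc:
        print("policy client:", exc)
    key = b"\x01" * 32  # constructed session key
    tag = transcript_tag(key, SERVER_OFFER)
    print("transcript check on edited offer:",
          offer_confirmed(key, tampered_offer(SERVER_OFFER, 2), tag))
```

The transcript check cannot help when the list is cut down to a keyless method, which is why the local floor is checked first.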