Jakub Narebski wrote:
>> For SSH using unencrypted private key is very common for scripting and
>> cron jobs. For HTTPS situation looks like being worse since there is
>> no analog of ssh-agent that covers at least some of scripting
>> scenarios. Do we want to disable scripting for HTTPS?
>
> Actually you can use _encrypted_ private keys together with ssh-agent
> and for example keychain helper for scripting. You have to provide
> password to all listed private keys only once at login. I wonder if
> something like this would be possible for HTTP certificates...

I wonder if it might be possible using a PKCS#11 interface? e.g. there
are various "software" PKCS#11 implementations
(<http://trac.opendnssec.org/wiki/SoftHSM> springs to mind).

If you store your keys in the PKCS#11 store, and unlock them prior to
calling git, then the OpenSSL library might be able to access them
without a passphrase. Locking the PKCS#11 store would then secure the
keys.

A little cumbersome, but possibly workable.

Rogan