On Fri, Jun 12, 2009 at 12:50 PM, Jakub Narebski <jnareb@xxxxxxxxx> wrote:
> Constantine Plotnikov <constantine.plotnikov@xxxxxxxxx> writes:
>> On Fri, Jun 12, 2009 at 11:56 AM, Daniel Stenberg <daniel@xxxxxxx> wrote:
>>> On Fri, 12 Jun 2009, Nanako Shiraishi wrote:
>>>
>>>> It would be ideal if you can inspect the certificate and decide if you
>>>> need to ask for decrypting password before using it (and otherwise you don't
>>>> ask). If you can't do that, probably you can introduce a config var that
>>>> says "this certificate is encrypted", and bypass your new code if that
>>>> config var isn't set.
>>>
>>> Is this really a common setup? Using an unencrypted private key sounds like
>>> a really bad security situation to me. The certificate is never encrypted,
>>> the passphrase is for the key.
>>>
>> For SSH using unencrypted private key is very common for scripting and
>> cron jobs. For HTTPS situation looks like being worse since there is
>> no analog of ssh-agent that covers at least some of scripting
>> scenarios. Do we want to disable scripting for HTTPS?
>
> Actually you can use _encrypted_ private keys together with ssh-agent
> and for example keychain helper for scripting. You have to provide
> password to all listed private keys only once at login. I wonder if
> something like this would be possible for HTTP certificates...

I would love something like this - it would be useful for SVN as well.
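
The thread discusses deciding up front whether a passphrase prompt is needed for a client key. The following is an added example, not code from this thread or from git: it classifies a PEM file by its framing alone, assuming the key is PEM-encoded. The function name, enum, and sample buffers are this example's own, and the sample bodies are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

enum key_state { KEY_NOT_FOUND = -1, KEY_PLAIN = 0, KEY_ENCRYPTED = 1 };

/* Constructed samples: PEM framing only, bodies are placeholders. */
static const char PLAIN_PEM[] =
	"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
	"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n";
static const char LEGACY_ENC_PEM[] =
	"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
	"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
	"placeholder\n-----END RSA PRIVATE KEY-----\n";
static const char PKCS8_ENC_PEM[] =
	"-----BEGIN ENCRYPTED PRIVATE KEY-----\nplaceholder\n"
	"-----END ENCRYPTED PRIVATE KEY-----\n";
static const char CERT_ONLY_PEM[] =
	"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n";

/* Classify a PEM buffer from its framing alone; nothing is decoded. */
enum key_state pem_key_state(const char *pem)
{
	const char *begin, *end, *hdr;

	if (strstr(pem, "-----BEGIN ENCRYPTED PRIVATE KEY-----"))
		return KEY_ENCRYPTED;          /* PKCS#8: the label says so */

	/* Find a BEGIN line whose label ends in "PRIVATE KEY". */
	for (begin = strstr(pem, "-----BEGIN "); begin;
	     begin = strstr(begin + 1, "-----BEGIN ")) {
		const char *eol = strchr(begin, '\n');
		const char *label = strstr(begin, "PRIVATE KEY-----");
		if (eol && label && label < eol)
			break;
	}
	if (!begin)
		return KEY_NOT_FOUND;

	/* Traditional format: encryption is flagged by a Proc-Type header. */
	end = strstr(begin, "-----END ");
	hdr = strstr(begin, "Proc-Type: 4,ENCRYPTED");
	return (hdr && (!end || hdr < end)) ? KEY_ENCRYPTED : KEY_PLAIN;
}

int main(void)
{
	printf("plain=%d legacy=%d pkcs8=%d cert=%d\n",
	       pem_key_state(PLAIN_PEM), pem_key_state(LEGACY_ENC_PEM),
	       pem_key_state(PKCS8_ENC_PEM), pem_key_state(CERT_ONLY_PEM));
	return 0;
}
```

A caller would prompt only on `KEY_ENCRYPTED`; DER-encoded keys and keys held in other containers are outside what this check covers.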