On Wed, Jan 13, 2010 at 2:18 PM, Ilari Liusvaara <ilari.liusvaara@xxxxxxxxxxx> wrote:
>> Please consider my objections revoked, other than the claim that
>> it could be done with stunnel, however ugly that would be.
>
> Only if you don't care about complexity introducing PKI would bring
> (yes, I read those manuals).

I think you're overstating the situation a bit here. You can use X.509
certificates without setting up a full PKI. Basically, an X.509 cert is
just a public key with some extra crud thrown into the data file. You
could validate it using a PKI, but you could also validate it by checking
the verbatim public key just like ssh does. It's not elegant, but it
works, and it's a worldwide standard.

(I don't know if stunnel does this type of validation... but *I've* done
this with the openssl libraries, so I know it can be done.)

>> Of course, you have another problem in that case...also I'd personally
>> like to rely on ssl client certificates when using https.
>
> And how many (relative) use client certificates with SSL? Keypairs with SSH?
> Why do you think this is?

At least hundreds of thousands of people, including non-technical people,
use X.509 client certificates and SSL in various big industries with high
security requirements. That's why every major web browser supports them.
In contrast, ssh is only ever used by techies, and there are fewer of
those. Of course, as techies our informal observations might lead us to
believe otherwise.

Furthermore, how many people who really want ssh-style keypairs (and thus
refuse to use X.509 and PKI) can't just use ssh as their git transport?
I don't actually understand what the goal is here.

Have fun,

Avery