On Wed, Jan 13, 2010 at 02:30:20PM -0500, Avery Pennarun wrote:
> On Wed, Jan 13, 2010 at 2:18 PM, Ilari Liusvaara
> <ilari.liusvaara@xxxxxxxxxxx> wrote:
> >
> I think you're overstating the situation a bit here. You can use
> X.509 certificates without setting up a full PKI. Basically, an X.509
> cert is just a public key with some extra crud thrown into the data
> file. You could validate it using a PKI, but you could also validate
> it by checking the verbatim public key just like ssh does. It's not
> elegant, but it works, and it's a worldwide standard.

Grossly overcomplicated standard... ASN.1? And there are other usable
standards that can be used with TLS.

> (I don't know if stunnel does this type of validation... but *I've*
> done this with the openssl libraries, so I know it can be done.)

AFAIK, it doesn't.

> > And how many (relative) use client certificates with SSL? Keypairs with SSH?
> > Why you think this is?
>
> At least hundreds of thousands of people, including non-technical
> people, use X.509 client certificates and SSL in various big
> industries with high security requirements.

That is: Epsilon.

> That's why every major web browser supports them.

Supports != is actually usable.

> In contrast, ssh is only ever used by
> techies, and there are fewer of those. Of course, as techies our
> informal observations might lead us to believe otherwise.

Most of those that use git are techies anyway.

> Furthermore, how many people who really want ssh-style keypairs (and
> thus refuse to use X.509 and PKI) can't just use ssh as their git
> transport? I don't actually understand what the goal is here.

As said, I got fed up with failure modes of SSH.

-Ilari
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
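The "check the verbatim public key just like ssh does" approach Avery describes above, as an added illustration that is not code from either poster, from git or from stunnel. It uses Go's crypto/tls instead of the openssl libraries Avery mentions; the key names, serials and host names are constructed for the example. The point it makes beyond the thread: pinning hashes only the SubjectPublicKeyInfo, so a certificate re-issued for the same key (new serial, new name, no CA involved) is still accepted, while any certificate for a different key is rejected, exactly as an ssh known_hosts entry behaves. The check is wired in through VerifyPeerCertificate with InsecureSkipVerify set; the two fields must always be set together, since InsecureSkipVerify alone disables verification entirely.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the certificate's SubjectPublicKeyInfo (the DER
// public key plus its algorithm identifier). This is the ssh known_hosts
// analogue: issuer, validity period and extensions are ignored entirely.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinnedConfig returns a client tls.Config that accepts a peer only if the
// SPKI hash of its leaf certificate is in pins. InsecureSkipVerify turns off
// chain building and hostname matching, so VerifyPeerCertificate is the
// only check performed; never set the former without the latter.
func pinnedConfig(pins map[string]bool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("peer sent no certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return fmt.Errorf("parse leaf: %w", err)
			}
			if fp := spkiFingerprint(leaf); !pins[fp] {
				return fmt.Errorf("peer key %s is not pinned", fp)
			}
			return nil
		},
	}
}

// selfSigned issues a self-signed certificate for key. Constructed test
// material standing in for whatever the server actually presents; no PKI.
func selfSigned(key *ecdsa.PrivateKey, serial int64, cn string) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Verdicts runs the pinned verifier against three presented certificates:
// the pinned cert itself, a re-issued cert for the same key (different
// serial and name), and a cert for a different key. nil means accepted.
func Verdicts() (pinned, reissued, otherKey error) {
	serverKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	original := selfSigned(serverKey, 1, "git.example.invalid")
	leaf, _ := x509.ParseCertificate(original)
	cfg := pinnedConfig(map[string]bool{spkiFingerprint(leaf): true})

	pinned = cfg.VerifyPeerCertificate([][]byte{original}, nil)
	reissued = cfg.VerifyPeerCertificate([][]byte{selfSigned(serverKey, 2, "renamed.invalid")}, nil)
	otherKey = cfg.VerifyPeerCertificate([][]byte{selfSigned(rogueKey, 1, "git.example.invalid")}, nil)
	return
}

func main() {
	p, r, o := Verdicts()
	fmt.Println("pinned cert       :", p)
	fmt.Println("same key, reissued:", r)
	fmt.Println("different key     :", o)
}
```

The config returned by pinnedConfig is what you would hand to tls.Dial; the handshake itself is left out so the block runs offline and deterministically. Pinning the SPKI rather than the whole certificate is what lets the server rotate its certificate envelope without breaking clients, but it also means key rotation needs an out-of-band update of the pin set, the same operational cost ssh users pay when a host key changes.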