Re: Commit signing

On Mon, 15 Jan 2007, Shawn O. Pearce wrote:

> "Shawn O. Pearce" <spearce@xxxxxxxxxxx> wrote:
> > Andy Parkins <andyparkins@xxxxxxxxx> wrote:
> > > Of course my favourite is git, but we were talking about the certificates 
> > > needed by monotone for each developer.
> 
> One problem here is a certificate does not make a security system.
> Obviously anyone can generate a certificate and claim anything they
> want within it, just the same as you can claim anything you want in
> a Git commit or tag.  What's needed is some external method that
> all interested parties trust to verify a given certificate is
> associated with a given entity.
> 
> > What I'm actually doing in one particular environment is checking
> > the committer string against a database of known committer strings
> > associated with the current UNIX uid.
> 
> In this particular case access to the UNIX system is tightly
> controlled.  Much paperwork must be filled out and signed by multiple
> people, all of whom recognize the user on sight and know why they
> need access to that system.  They also have checked the user's
> identity through multiple background checks, fingerprinting, etc.
> 
> In other words the entire authentication problem was already solved,
> trusting the UNIX uid just let Git plug into that seamlessly.
> 
> The problem is obviously harder on the Internet.  I've never
> met anyone on this mailing list in person, but the quality (or
> lack thereof sometimes) is evident in my work, and since it's all
> peer-reviewed anyway Junio finds little risk in incorporating the
> good stuff into git.git.  No certificate required.

In theory, we could put certificates as blobs in the repository and 
reference them in the commit header. The names and such in the certificate 
would, of course, not be verified in any particular way, but the 
fingerprint would be an effective identity. We'd be able to tell that a 
commit was prepared by someone with access to the same certificate that 
was used to build the reputation.

If we saw certificates with different fingerprints with the same name, 
we'd know to ask what was going on, because that's suspicious.

Of course, there would be no requirement to sign commits, or to have a 
certificate, or to get anyone in particular to say anything in particular 
about a certificate. But you'd be able to create a pseudonym if you 
wanted and have cryptographically secure access to it.

	-Daniel
*This .sig left intentionally blank*
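
The bookkeeping described in the message above, as an added example that is not part of the original e-mail or of git itself: reputation is keyed by certificate fingerprint, and a name seen with more than one fingerprint is flagged for a human to ask about. It assumes the fingerprint is the git object id of the certificate blob and that each commit's signature was already verified against its certificate elsewhere; `audit`, the sample names and the certificate bytes are hypothetical.

```python
import hashlib
from collections import defaultdict


def git_blob_id(data: bytes) -> str:
    """Object id git gives a blob: SHA-1 over 'blob <len>' NUL content."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def audit(commits):
    """commits: iterable of (commit_id, claimed_name, cert_bytes).

    Assumption: signature verification happened before this step, so each
    commit really was prepared by a holder of the referenced certificate.
    Returns (history, suspicious):
      history    - fingerprint -> commit ids, the record a reputation rests on
      suspicious - claimed name -> fingerprints, only for names seen with >1
    """
    history = defaultdict(list)
    names = defaultdict(set)
    for commit_id, name, cert in commits:
        fp = git_blob_id(cert)          # identity is the fingerprint,
        history[fp].append(commit_id)   # never the unverified name inside
        names[name].add(fp)
    suspicious = {n: sorted(f) for n, f in names.items() if len(f) > 1}
    return dict(history), suspicious


# Constructed sample data: opaque bytes stand in for real certificates.
CERT_A = b"constructed certificate A"
CERT_B = b"constructed certificate B"
CERT_P = b"constructed certificate for a pseudonym"
SAMPLE = [
    ("c1", "Alice Example <alice@example.org>", CERT_A),
    ("c2", "Alice Example <alice@example.org>", CERT_A),
    ("c3", "nobody-in-particular", CERT_P),
    ("c4", "Alice Example <alice@example.org>", CERT_B),  # same name, new cert
]

if __name__ == "__main__":
    history, suspicious = audit(SAMPLE)
    for fp, ids in history.items():
        print(fp[:12], "prepared", ", ".join(ids))
    for name, fps in suspicious.items():
        print("ask what is going on:", name, "uses", len(fps), "certificates")
```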