[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SSL?
|
From: |
Derek R. Price |
|
Subject: |
Re: SSL? |
|
Date: |
Mon, 19 Mar 2001 12:36:17 -0500 |
Attempting to move this discussion to bug-cvs...
Jon Miner wrote:
> * Alexey Mahotkin (alexm@hsys.msk.ru) [010318 14:44]:
> > Yes, and also it's about flexibility. In my scheme 'cvs' binary does not
> > know (should not know) about Kerberos, GSSAPI, SSL (this case is somewhat
> > unclear to me, probably CVS-server should indeed somehow control SSL
> > session)
>
> Kerberos/GSSAPI are not the same as SSL.. SSL is simply an encryption
> layer, not an authentication method... It would need to be controled by
> the server, since you on;y set up the SSL link once..
True, but there might be some sense to consolidating all the encryption into a
single and separate layer as well.
I know that Kerberos/GSSAPI has an encryption scheme built in, though I don't
know how complicated passing off the necessary tokens to a child process would
be.
What are the advantages/disadvantages of making the encryption code part of
the authentication module or another intermediate filter process? What design
are you using currently, Alexey?
I see obvious advantages to keeping all the GSSAPI code in a single module, as
well as to having a server process which only knows about authenticated
cleartext connections on stdin/stdout, although I'll grant that good coding
can come close to achieving this appearance anyhow.
Of course, as I mentioned before, all of this complicates the design of the
reentrant server that has apparently been in the works, or at least in
planning, for awhile.
Derek
--
Derek Price CVS Solutions Architect ( http://CVSHome.org )
mailto:dprice@collab.net CollabNet ( http://collab.net )
--
As honest as the day is long.
- S. Z. Sakall as Headwaiter Carl, _Casablanca_
- Re: SSL?,
Derek R. Price <=