subversion-commits mailing list archives

From Apache subversion Wiki <comm...@subversion.apache.org>
Subject [Subversion Wiki] Update of "EncryptedPasswordStorage" by CMichaelPilato
Date Tue, 10 Jan 2012 14:03:35 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Subversion Wiki" for change notification.

The "EncryptedPasswordStorage" page has been changed by CMichaelPilato:
http://wiki.apache.org/subversion/EncryptedPasswordStorage?action=diff&rev1=8&rev2=9

Comment:
Add a (poorly positioned, I know...) open question about gpg-agent's utility and real security
shortcomings.

  
  In theory, Subversion could do something similar, but the short-lived nature of the command-line
client means that a user would typically need to provide the master password as often as they
would their repository credentials (which renders credential caching rather pointless).  This
approach would only be useful if there was a way to securely persist the master password across
command-line client invocations.
  
+ {{{#!wiki note
+ Is there any system extant which is secure when another user might have root access on the
machine?  Surely with keystroke loggers and other sorts of software which a root user could
install, true security on any such a system is flatly unavailable.  So, what is the real impact
of the GPG Agent "SECURITY CONSIDERATIONS" listed above?  How might gpg-agent's default timeout
mitigate that impact?  And finally, could the gpg-agent be used for the storage of not Subversion
passwords, but of merely the "master password" which is used to encrypt/decrypt disk-cached
credentials?
+ }}}
+ 
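Review bot: The added note's pointer to the GPG Agent "SECURITY CONSIDERATIONS" "listed above" only works from the right position, and the commit comment itself calls the placement poor. Here the note follows the paragraph about persisting a master password across command-line client invocations, so either move it next to the section it cites or name that section explicitly. The opening question about a user with root access would also be easier to answer if the page first stated which adversaries the encrypted store is meant to resist. The follow-up questions about gpg-agent's default timeout and about caching only the "master password" could then be judged against that. Minor wording: "any such a system" should read "any such system".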
