Mark Hammond wrote:
Chris quoting Jim:
...
I would support HTTP anonymous checkouts. I'm really against writable HTTP checkouts because I consider the credentials mechanism for HTTP access to be extremely lame.
Whether SVN or not, I'm guessing any use of HTTP basic authentication mechanism qualifies as "extremely lame"! I've no idea if this is what Jim meant though :)
Well, I hope ;) he meant client certificates. This is doable but a bit of work for the certificate people to issue one to the user in addition to the ssh-pubkey stuff.

Not actually quite in line w/ what you should do as a CA but possible and not more insecure than current ssh-pubkey auth would be a script which can be run with the ssh-useraccount and produces/registers a given client certificate for that user.

Something like:

    ssh cert.zope.org generate >mycert.csr

when your ssh-pubkey is set up. And likewise

    ssh cert.zope.org retract <mycurrentcert.csr

to disable a given client certificate.

Just some mad ideas...

Regards
Tino

PS: there is no need to have an official CA, any private setup would do.
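
One way the server side of the `ssh cert.zope.org generate` / `retract` idea above could be wired up, added here as an illustration and not code from the thread or from zope.org: an OpenSSH forced command that accepts only those two verbs. The script path, the `CA_DIR` layout, the `revoked.txt` list and the choice to create the key on the server are assumptions.

```shell
# Assumed authorized_keys entry (constructed; key elided):
#   command="/usr/local/bin/cert-dispatch alice",restrict ssh-ed25519 AAAA...
# The account name comes from that trusted line; the verb arrives from the
# client in SSH_ORIGINAL_COMMAND and is untrusted.
CA_DIR="${CA_DIR:-/var/lib/private-ca}"  # hypothetical: ca.crt, ca.key, revoked.txt

# Allow exactly the two verbs from the mail; anything else is refused.
parse_action() {
    case "$1" in
        generate|retract) printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Keep account names safe for use in a certificate subject.
valid_user() {
    case "$1" in ''|*[!a-z0-9_-]*) return 1 ;; esac
}

# New key plus certificate signed by the private CA, PEM on stdout.
do_generate() {
    tmp=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$tmp/key.pem" -out "$tmp/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$tmp/req.pem" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 365 -out "$tmp/cert.pem" 2>/dev/null &&
    cat "$tmp/key.pem" "$tmp/cert.pem"
    rc=$?; rm -rf "$tmp"; return "$rc"
}

# Certificate on stdin: it must chain to our CA and name this account before
# its serial is recorded, so nobody can retract another user's certificate.
do_retract() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    openssl verify -CAfile "$CA_DIR/ca.crt" "$tmp" >/dev/null 2>&1 &&
    info=$(openssl x509 -in "$tmp" -noout -nameopt RFC2253 -subject -serial) &&
    printf '%s\n' "$info" | grep -Eqx "subject= ?CN=$1" &&
    printf '%s\n' "$info" | sed -n 's/^serial=//p' >> "$CA_DIR/revoked.txt"
    rc=$?; rm -f "$tmp"; return "$rc"
}

main() {
    valid_user "$1" || { echo "bad account" >&2; return 1; }
    action=$(parse_action "${SSH_ORIGINAL_COMMAND:-}") ||
        { echo "usage: generate | retract" >&2; return 1; }
    "do_$action" "$1"
}
if [ "$#" -gt 0 ]; then main "$1"; fi  # run only when given the account argument
```

Turning `revoked.txt` into something the web server enforces, a CRL for instance, is outside this example.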