RFC - CVS Signed Commit & Replay Attacks

Derek Price derek at ximbiot.com
Thu Oct 6 21:50:35 CEST 2005

Hi all,

I mentioned on this list a few days ago that I am implementing
gpg-signed-commits for CVS.  This is somewhat of a new area for me, and
I was hoping to trust GPG to solve most of the security issues, but it
turns out this doesn't cover the possibility of replay attacks.  We've
been discussing this for a few days on bug-cvs at nongnu.org, but it feels
somewhat like we are stumbling around in the dark and I was hoping for
some comments from people more familiar with this sort of thing.  The
current end of the thread is here:
Probably not more than two messages back in that thread are particularly
relevant, unless you want to laugh at our ignorance.

For background, the gpg-signed-commits design is Wikied here:
<http://ximbiot.com/cvs/wiki/index.php?title=GPG-Signed_Commits>.  If
you would care to comment on any other shortcomings in this design, that
would be welcome too.



Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:derek at ximbiot.com>

More information about the Gnupg-users mailing list