RFC - CVS Signed Commit & Replay Attacks
Derek Price
derek at ximbiot.com
Thu Oct 6 21:50:35 CEST 2005
Hi all,

I mentioned on this list a few days ago that I am implementing
gpg-signed-commits for CVS. This is somewhat of a new area for me, and
I was hoping to trust GPG to solve most of the security issues, but it
turns out this doesn't cover the possibility of replay attacks. We've
been discussing this for a few days on bug-cvs at nongnu.org, but it feels
somewhat like we are stumbling around in the dark and I was hoping for
some comments from people more familiar with this sort of thing. The
current end of the thread is here:
<http://lists.gnu.org/archive/html/bug-cvs/2005-10/msg00037.html>.
Probably not more than two messages back in that thread are particularly
relevant, unless you want to laugh at our ignorance.

For background, the gpg-signed-commits design is Wikied here:
<http://ximbiot.com/cvs/wiki/index.php?title=GPG-Signed_Commits>. If
you would care to comment on any other shortcomings in this design, that
would be welcome too.

Thanks,

Derek
--
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:derek at ximbiot.com>