Authentication with Distributed version control systems (DVCS) poses a challenge not seen with centralized systems.  Centralized systems can enforce simple password checking, and you can trust the identities if the system is configured correctly.  Distributed systems lack the ‘identiy oracle’, and cannot securely enforce simple password checking.  Many systems allow you to specify any string as your username and email address without any verification.  This has some obvious security holes - They need to use signatures.

Mercurial and git currently lack inherent cryptographic signatures on commits.  One can optionally sign code, but if one commit is lacking a signature, the scheme fails.  The system needs to be automatic.

The solution is to have an optional mode where every commit is automatically signed using GPG or an equivalent, and branches with unsigned commits in their history are not allowed to be merged.    For open source, this would be sufficient just to log identities (which can still be anonymous).  To limit usage to a set of known keys, one could use an authorized_keys file to limit the acceptable signatures.

Signatures provide a very limited definition of identity. You don’t know who is really behind the keyboard, or if that person has multiple keys. But, if you trust that person, you can decide to trust whatever they sign, and trust that they will keep good control over their keychain.

This entry was posted on Friday, March 6th, 2009 at 1:02 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.