monotone-devel

Re: [Monotone-devel] private key needed for sync?


From: Richard Levitte - VMS Whacker
Subject: Re: [Monotone-devel] private key needed for sync?
Date: Tue, 07 Jun 2005 21:20:37 +0200 (CEST)

In message <address@hidden> on Tue, 07 Jun 2005 20:31:07 +0200, Zbynek Winkler 
<address@hidden> said:

zwin> Brian Campbell wrote:
zwin> 
zwin> > You need to have a key in the server so the client can make
zwin> > sure it's connecting to the right server. Otherwise, someone
zwin> > could set up a bogus server so when you sync to it, all of
zwin> > your private code is sent to the malicious server.
zwin> 
zwin> That sounds reasonable. But I am confused by the tutorial and/or
zwin> monotone behavior :(. Why does it use something called "private
zwin> key" for server identification? I thought that "private key" is
zwin> for identification of the committer?

It follows the same basis as, for example, SSH.  An SSH server requires
a host key (which is a private/public key pair).

zwin> Also the error message says it is looking for "signing key" and
zwin> not for server identification key...

Actually, it's more about authentication than identification.
Authentication with private/public key pairs is usually done by
signing a chunk of random or semi-random data.

This is a fairly basic cryptographic operation.  You should read up on
the basics.

zwin> > By the way, it looks like you've named your collection
zwin> > marocode.  It would probably be better to follow the reverse
zwin> > domain name naming convention, so it would be
zwin> > cz.matfyz.zw.marocode or cz.cuni.marocode or whatever domain
zwin> > it is you want to use. We discussed possibly moving to a URL
zwin> > like convention, like zw.matfuz.cz/marocode, but that hasn't
zwin> > happened yet because the slash conflicts with the slash used in
zwin> > the selector syntax.

I'd suggest zw.matfuz.cz+marocode.  The + sign doesn't conflict with
anything that I know of.

zwin> I felt it would be a usability deficiency to force users to always
zwin> specify the whole url when switching to another branch, so I
zwin> went with shorter names.

... until you synchronise your database with some other project that
just happens to have a branch called 'marocode'.  The convention of
having your domain baked into the branch names isn't there to annoy
you, there's a very real reason.  Actually, if you happen to look into
the monotone repository some day, you will notice that it started out
with a branch called 'monotone'.  I guess the developer learned :-).

zwin> I think we'd need some form of short/long branch names or some
zwin> user aliases for the branch names or a project name (the long
zwin> stuff) and a branch name within the project. The goal would be
zwin> to specify the long stuff with the url only once...

Well, considering the operations where branches are commonly specified
save those branch names as a default, you really don't need to specify
them that often.  However, there was some talk about having local
short aliases for the standard branches a while ago.  I wonder what
happened with that discussion.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte                         address@hidden
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
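
The challenge-response idea from the message above (the server proves it holds the private key by signing random data chosen by the client), as an added example that is not part of the original post and is not monotone's netsync code. The class and function names, the hash label and the demo keys are assumptions made for illustration; the keys are built from publicly known primes and use unpadded RSA, so they show the protocol shape only.

```python
import hashlib
import secrets

# Constructed demo keys from well-known Mersenne primes: the factors are public,
# so these keys are NOT secure. Unpadded "textbook" RSA, for illustration only.
E = 65537

def make_key(p, q):
    return pow(E, -1, (p - 1) * (q - 1)), p * q   # (private exponent, modulus)

def digest(nonce: bytes) -> int:
    """Hash the challenge to an integer; the label binds it to this use."""
    return int.from_bytes(hashlib.sha256(b"sync-auth-demo:" + nonce).digest(), "big")

class Server:
    def __init__(self, d, n):
        self.d, self.n = d, n          # private signing key stays on the server

    def respond(self, nonce: bytes) -> int:
        return pow(digest(nonce), self.d, self.n)   # sign the client's challenge

class Client:
    def __init__(self, known_modulus):
        self.n = known_modulus         # server public key, learned out of band
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(32)        # fresh random data per connection
        return self.nonce

    def verify(self, signature: int) -> bool:
        if self.nonce is None:
            return False               # no outstanding challenge
        nonce, self.nonce = self.nonce, None        # each challenge is single-use
        return pow(signature, E, self.n) == digest(nonce)

def handshake(client, server) -> bool:
    return client.verify(server.respond(client.challenge()))

REAL_D, REAL_N = make_key(2**521 - 1, 2**607 - 1)
BOGUS_D, BOGUS_N = make_key(2**127 - 1, 2**521 - 1)

if __name__ == "__main__":
    client = Client(REAL_N)
    print("real server accepted: ", handshake(client, Server(REAL_D, REAL_N)))
    print("bogus server accepted:", handshake(client, Server(BOGUS_D, BOGUS_N)))
    old = Server(REAL_D, REAL_N).respond(client.challenge())
    client.challenge()                 # a new connection issues a new nonce
    print("replayed signature accepted:", client.verify(old))
```

Because the nonce is fresh for every connection, a signature captured from an earlier session does not verify against a later challenge, and a server without the matching private key cannot produce a valid one.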



