Re: Simplify OpenVPN blob handling

> OTOH if she is keeping her cert deliberately secure on an encrypted USB
> storage device, and it gets copied to the unencrypted hard drive, she
> might not be able to connect tomorrow because she's been *fired* for
> this breach of security policy.

What kind of security policy requires you to encrypt your USB drives but not your hard drive? That seems
contrived to me. Besides, we already copy certificates if they are stored as blobs inside the .ovpn file - I
think it's better to be consistent here.

> And if her cert expires and she renews it, even if she is still
> employed, she's going to get very confused when NM is still using the
> *old* certificate that she's *deleted* from the USB stick and replaced
> with a new one.

Either she is technical enough to generate her own keys and certificates, in which case it'll be trivial for
her to update her NetworkManager settings accordingly. Or she's not, in which case her administrator will
give her a USB stick with the new configuration and she'll import it just as she did before. I think that
from a "normal user" POV, copying is definitely what I'd expect. I certainly did.

> If you do this, make it *optional* and make it clear that you're doing
> it.

How to do that?

> And in fact, do *not* import it to a file elsewhere; import it into
> gnome-keyring and refer to it by its PKCS#11 URI.

Yeah, except she may well not be using GNOME. We might be able to come up with something based on the
freedesktop Secret Service API, I'll look into it.
cf. https://bugzilla.gnome.org/show_bug.cgi?id=679860


