>OTOH if she is keeping her cert deliberately secure on an encrypted USB
>storage device, and it gets copied to the unencrypted hard drive, she
>might not be able to connect tomorrow because she's been *fired* for
>this breach of security policy.

What kind of security policy requires you to encrypt your USB drives but not
your hard drive? That seems contrived to me. Besides, we already copy
certificates if they are stored as blobs inside the .ovpn file - I think it's
better to be consistent here.

>And if her cert expires and she renews it, even if she is still
>employed, she's going to get very confused when NM is still using the
>*old* certificate that she's *deleted* from the USB stick and replaced
>with a new one.

Either she is technical enough to generate her own keys and certificates, in
which case it'll be trivial for her to update her NetworkManager settings
accordingly. Or she's not, in which case her administrator will give her a USB
stick with the new configuration and she'll import it just as she did before. I
think that from a "normal user" POV, copying is definitely what I'd expect. I
certainly did.

>If you do this, make it *optional* and make it clear that you're doing
>it.

How to do that?

>And in fact, do *not* import it to a file elsewhere; import it into
>gnome-keyring and refer to it by its PKCS#11 URI.

Yeah, except she may well not be using GNOME. We might be able to come up with
something based on the freedesktop Secret Service API; I'll look into it.

>cf. https://bugzilla.gnome.org/show_bug.cgi?id=679860
_______________________________________________
networkmanager-list mailing list
https://mail.gnome.org/mailman/listinfo/networkmanager-list