On Mon, 2015-01-05 at 13:22 +0300, Vasily Kulikov wrote:
>
> I see 4 possible alternatives here:
> 1) implement keychain rsa offloading in Tunnelblick
> 2) make my patch use plugin interface
> 3) implement external daemon that communicates with openvpn process via
> management interface
> 4) the same as 3) but make openvpn able to handle more than 1
> management client
>
> There are problems with all these alternatives:
> (1) is limited to Tunnelblick users and doesn't work for users who start
> openvpn from the terminal or use any other GUI
> (2) implies plugin interface is expanded to handle two new actions: 'user
> certificate request' and 'rsa-sign request'
> (3) implies management interface is expanded to handle 'user certificate
> request'; also it doesn't work with Tunnelblick or any other tool that
> communicates with openvpn via management interface as MI currently
> supports only a single client
> (4) needs 'user certificate request' addition and expanding management
> interface to support more than a single client
It is perhaps worth noting that OpenVPN already *has* a plugin API which supports the "user certificate request" and "rsa-sign request" methods. That is, after all, fairly much what PKCS#11 was *designed* to provide.

There are also existing implementations of PKCS#11 RPC such that the actual manipulation of the token can occur in a user-owned process separately from the caller.

Perhaps the way forward is to implement the keychain support in the form of a PKCS#11 provider module, which can either be loaded directly in OpenVPN or proxied to run in a user's context.

In fact, doesn't such an implementation already exist at https://github.com/slushpupie/KeychainToken ?

-- 
dwmw2