On Mon, 2015-02-23 at 09:28 +0100, Arne Schwabe wrote:
> > On 23.02.15 at 09:04, Vasily Kulikov wrote:
> > management-external-cert 'macosx-keychain:SUBJECT:c=US'
> >
> > With the approach in patch v3 a user has to start openvpn with the
> > config file, start keychain-mcd, and pass identity template as an
> > argument to keychain-mcd.
> >
> > What do you think of the change?
> I like the idea. You could make the macos-keychain in the string optional.
I wouldn't make it optional. Keep it URI-like, with 'macos-keychain' as the URI scheme.

We'll also want to support pkcs11: and file: URIs. In both cases we will have the same issue, with objects accessible only by a user *other* than the user that OpenVPN runs as.

GnuTLS HEAD also has support for CNG under Windows, and a system:id=XXX URI format to specify keys therein. We might even want to support an agent using that too.

If any URI scheme is going to be the default, and specifying it is going to be optional, I'd probably suggest that it be the file: scheme. But better still, just don't have a default. Certainly not macos-keychain :)

It might also be worth looking to see if the URI format we're using for the macos-keychain: URIs could be made more similar to the PKCS#11 URI standard.

-- 
David Woodhouse
Open Source Technology Centre
david.woodho...@intel.com
Intel Corporation
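As an added illustration of the design point made in this thread (an explicit URI scheme on the key specifier, no implicit default), here is a small parser for the kind of `management-external-cert` value under discussion. It is example code written for this page, not OpenVPN's, keychain-mcd's or GnuTLS's own code. It assumes four schemes taken from the discussion (`macos-keychain:`, `pkcs11:`, `file:`, `system:`); `pkcs11:` is parsed along the lines of the PKCS#11 URI standard (RFC 7512: `;`-separated path attributes, an optional `?` query with `&`-separated attributes, percent-encoding), the `system:id=XXX` form is assumed to use the same `key=value` attribute syntax, and `macos-keychain:` and `file:` are kept opaque because the thread does not define their internal structure. The sample inputs are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import unquote

# Schemes mentioned in the thread. There is deliberately no default:
# a specifier without a scheme is rejected rather than guessed at.
SUPPORTED_SCHEMES = ("macos-keychain", "pkcs11", "file", "system")

# RFC 3986 scheme syntax; also stops a bare Windows path such as
# "C:\key.pem" from being mistaken for a one-letter URI scheme later on.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")


@dataclass
class KeySpec:
    scheme: str
    opaque: str = ""                               # raw remainder for opaque schemes
    attrs: Dict[str, str] = field(default_factory=dict)  # path attributes
    query: Dict[str, str] = field(default_factory=dict)  # query attributes


def _parse_attributes(rest: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split 'k=v;k=v?k=v&k=v' into (path attrs, query attrs), percent-decoded.

    Follows the RFC 7512 layout for pkcs11: URIs; reused for system: as an
    assumption (the thread only shows 'system:id=XXX').
    """
    path, _, query = rest.partition("?")
    attrs: Dict[str, str] = {}
    qattrs: Dict[str, str] = {}
    for item in filter(None, path.split(";")):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed path attribute: {item!r}")
        attrs[unquote(key)] = unquote(value)
    for item in filter(None, query.split("&")):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed query attribute: {item!r}")
        # Note: RFC 7512 allows 'pin-value' here, i.e. a secret inside the
        # specifier; it is kept apart from path attributes so callers can
        # treat it (and log it) differently.
        qattrs[unquote(key)] = unquote(value)
    return attrs, qattrs


def parse_key_uri(uri: str) -> KeySpec:
    """Parse a key/cert specifier that must carry an explicit URI scheme."""
    scheme, sep, rest = uri.partition(":")
    if not sep or not _SCHEME_RE.match(scheme):
        raise ValueError(
            f"{uri!r}: key specifier must start with an explicit URI scheme "
            f"(one of {', '.join(SUPPORTED_SCHEMES)}); there is no default")
    scheme = scheme.lower()
    if scheme not in SUPPORTED_SCHEMES:
        raise ValueError(f"{uri!r}: unsupported scheme {scheme!r}")
    if scheme in ("pkcs11", "system"):
        attrs, qattrs = _parse_attributes(rest)
        return KeySpec(scheme=scheme, attrs=attrs, query=qattrs)
    # macos-keychain: and file: are left opaque; their syntax is backend-defined.
    return KeySpec(scheme=scheme, opaque=rest)


def is_valid_key_uri(uri: str) -> bool:
    """Convenience check: True if parse_key_uri() accepts the specifier."""
    try:
        parse_key_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for sample in (
        "macos-keychain:SUBJECT:c=US",
        "pkcs11:token=My%20Token;object=vpn-key;type=private?pin-value=1234",
        "file:/etc/openvpn/client.key",
        "system:id=XXX",
        "SUBJECT:c=US",          # no scheme: rejected, not defaulted
        "client.key",            # no scheme either
        "C:\\keys\\client.key",  # drive letter is not a supported scheme
    ):
        try:
            print(sample, "->", parse_key_uri(sample))
        except ValueError as exc:
            print("rejected:", exc)
```

The point of `SUPPORTED_SCHEMES` with no fallback is the one the reply makes: a bare `SUBJECT:c=US` or a plain file path is an error, so a misconfiguration fails loudly instead of silently selecting whichever backend happens to be the default.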