On 23.02.15 at 13:55, David Woodhouse wrote:
> On Mon, 2015-02-23 at 09:28 +0100, Arne Schwabe wrote:
>> On 23.02.15 at 09:04, Vasily Kulikov wrote:
>>> management-external-cert 'macosx-keychain:SUBJECT:c=US'
>>>
>>> With the approach in patch v3 a user has to start openvpn with the
>>> config file, start keychain-mcd, and pass identity template as an
>>> argument to keychain-mcd.
>>>
>>> What do you think of the change?
>> I like the idea. You could make the macos-keychain in the string optional.
> I wouldn't make it optional. Keep it URI-like, with 'macos-keychain' as
> the URI scheme.
>
> We'll also want to support pkcs11: and file: URIs. In both cases we will
> have the same issue, with objects accessible only by a user *other* than
> the user that OpenVPN runs as.
>
> GnuTLS HEAD also has support for CNG under Windows, and a system:id=XXX
> URI format to specify keys therein. We might even want to support an
> agent using that too.
>
> If any URI scheme is going to be the default, and specifying it is going
> to be optional, I'd probably suggest that it be the file: scheme. But
> better still, just don't have a default. Certainly not macos-keychain :)
>
> It might also be worth looking to see if the URI format we're using for
> the macos-keychain: URIs could be made more similar to the PKCS#11 URI
> standard.

All fine. My rationale was like, if I want a certificate with a certain SUBJECT (e.g. CN=schw...@mycoolca.com) etc. it should not matter for me whether I get it from the OS X, Windows or Android certificate store.
Arne
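The design point in the thread, an explicit URI scheme with no default so the client never guesses which store an identity refers to, as an added illustration (not code from OpenVPN, keychain-mcd or the patch under discussion). The layout of the part after `macosx-keychain:` and the `;`-joined `key=value` attribute form for the other schemes are assumptions modelled on the thread's examples and the PKCS#11 URI shape, not the real syntax.

```python
from urllib.parse import unquote

# Schemes named in the thread; 'system' is the GnuTLS system:id=XXX form.
KNOWN_SCHEMES = {"macosx-keychain", "pkcs11", "file", "system"}


def _parse_attrs(text: str) -> dict:
    """Parse 'k=v;k2=v2' (PKCS#11-URI style); reject malformed or duplicate keys."""
    attrs = {}
    for part in filter(None, text.split(";")):
        key, eq, value = part.partition("=")
        if not eq or not key:
            raise ValueError(f"malformed attribute {part!r}")
        if key in attrs:
            raise ValueError(f"duplicate attribute {key!r}")
        attrs[key] = unquote(value)
    return attrs


def parse_cert_uri(uri: str) -> dict:
    """Split a management-external-cert identity into scheme and selector.

    There is deliberately no default scheme: a bare 'SUBJECT:c=US' is
    rejected instead of being silently routed to some store.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or not scheme or "=" in scheme or "/" in scheme:
        raise ValueError("identity must start with an explicit URI scheme")
    scheme = scheme.lower()
    if scheme not in KNOWN_SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if scheme == "file":
        return {"scheme": scheme, "path": unquote(rest)}
    if scheme == "macosx-keychain":
        # Assumed layout from 'macosx-keychain:SUBJECT:c=US': a match kind,
        # then attribute pairs describing the certificate to select.
        kind, sep2, attrs = rest.partition(":")
        if not sep2 or not kind:
            raise ValueError("macosx-keychain: expected KIND:attr=value[;...]")
        return {"scheme": scheme, "match": kind.upper(), "attrs": _parse_attrs(attrs)}
    # pkcs11: and system: carry only attribute pairs.
    return {"scheme": scheme, "attrs": _parse_attrs(rest)}
```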