On Mon, Feb 23, 2015 at 08:04 -0500, Jonathan K. Bullard wrote:
> On Mon, Feb 23, 2015 at 4:00 AM, Gert Doering <g...@greenie.muc.de> wrote:
> >
> > On Mon, Feb 23, 2015 at 09:28:31AM +0100, Arne Schwabe wrote:
> > > > What do you think of the change?
> > > I like the idea. You could make the macos-keychain in the string
> > > optional.
> >
> > What Arne said (both parts of it) :-)
>
> I agree -- the argument to --needs-external-cert should be optional.

Note: Arne was talking about the 'macos-keychain' prefix in the argument being optional, not the argument itself being optional. Actually, I don't think making the argument optional is a good idea -- its parsing would be ambiguous unless it is the last argument in argv.

> Note: the argument to --needs-external-cert should be passed on to
> "RSA_SIGN", too. (I think Vasily omitted that from his writeup.)
>
> So the idea would be:
>
> * Add an optional UTF-8 string argument to --needs-external-cert.
> (Perhaps the docs should say this requires support from the management
> interface software and that currently such support is only available
> when using certain GUIs on OS X.)

Right.

> * OpenVPN passes that argument to RSA_SIGN and NEEDS-CERTIFICATE,
> passing an empty string if the argument does not appear.

Why rsa-sign? I think doing it with NEEDS-CERTIFICATE is enough. The identity contains both the cert and the private key, and the certificate request is made first. Rsa-sign uses the already chosen identity.

> * OS X GUIs such as Tunnelblick and Viscosity see the new RSA_SIGN or
> NEEDS-CERTIFICATE argument and use keychain-mcd to deal with it. Other
> GUIs ignore it or use something that does something equivalent to what
> keychain-mcd does on OS X.

Right.

> I'm not sure exactly how to add an argument to RSA_SIGN and
> NEEDS-CERTIFICATE without breaking existing management interface
> software but assume that is possible. (Also, the argument may need to
> be escaped when it is passed to RSA_SIGN or NEEDS-CERTIFICATE if it
> contains characters that are used as delimiters.)

IMNSHO don't change rsa-sign at all and have no API breakage.

-- 
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
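A worked illustration of the two mechanics argued over in this thread, added here as an example; it is not code from the thread, from OpenVPN or from keychain-mcd. The first part is a toy config-token parser showing why an optional positional argument is ambiguous unless it is the last token; the second is a toy encoder/decoder for forwarding the argument inside a line-based management notification with delimiter characters escaped, the concern raised in the last quoted paragraph. The notification name `>NEED-CERTIFICATE`, the `:` delimiter, the backslash escape scheme and the option arity table are assumptions made for this example, not the real OpenVPN wire format or option table.

```python
# Added example for the --needs-external-cert discussion above; not OpenVPN
# code. Notification layout, escape scheme and option table are assumptions.

# --- Part 1: why an optional positional argument is ambiguous -------------
# Hypothetical arity table: option name -> number of arguments it takes.
# None models "takes an optional single argument".
OPTION_ARITY = {
    "needs-external-cert": None,
    "verb": 1,
    "nobind": 0,
}


def parse_config_tokens(tokens):
    """Parse config-file style tokens (no "--" prefix) into (option, args).

    For an option with an optional argument the parser has to guess whether
    the next token is its argument or the next option.  Here it consumes the
    token unless it is a known option name, so an unknown token (including a
    misspelled option) is silently taken as the argument.  Only when the
    option is the last token is there nothing to guess about.
    """
    parsed = []
    i = 0
    while i < len(tokens):
        name = tokens[i]
        if name not in OPTION_ARITY:
            raise ValueError(f"unknown option: {name}")
        arity = OPTION_ARITY[name]
        if arity is None:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and nxt not in OPTION_ARITY:
                parsed.append((name, [nxt]))
                i += 2
            else:
                parsed.append((name, []))
                i += 1
        else:
            args = tokens[i + 1:i + 1 + arity]
            if len(args) != arity:
                raise ValueError(f"{name}: expected {arity} argument(s)")
            parsed.append((name, args))
            i += 1 + arity
    return parsed


# --- Part 2: forwarding the argument in a line-based notification ---------
NOTIFY_NAME = ">NEED-CERTIFICATE"  # assumed name of the management notification
DELIM = ":"                        # assumed field delimiter
ESC = "\\"


def escape_arg(arg):
    """Escape the escape char, the delimiter and line breaks in a UTF-8 string."""
    # The escape character itself goes first so later escapes are not doubled.
    return (arg.replace(ESC, ESC + ESC)
               .replace(DELIM, ESC + DELIM)
               .replace("\r", ESC + "r")
               .replace("\n", ESC + "n"))


def unescape_arg(text):
    """Inverse of escape_arg; rejects a dangling escape character."""
    out = []
    chars = iter(text)
    for ch in chars:
        if ch != ESC:
            out.append(ch)
            continue
        nxt = next(chars, None)
        if nxt is None:
            raise ValueError("dangling escape at end of argument")
        out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
    return "".join(out)


def format_notification(arg=""):
    """Build the line the daemon would send; empty arg when the option had none."""
    return NOTIFY_NAME + DELIM + escape_arg(arg)


def parse_notification(line):
    """Split a received line at the first unescaped delimiter -> (name, arg)."""
    i = 0
    while i < len(line):
        if line[i] == ESC:
            i += 2          # skip the escaped character
            continue
        if line[i] == DELIM:
            return line[:i], unescape_arg(line[i + 1:])
        i += 1
    return line, ""
```

Escaping line breaks as well as the delimiter matters because the management interface is line-oriented: an argument containing a newline would otherwise let one notification be read as two by the client.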