On Sun, 2016-01-24 at 23:02 +0100, Matthias Berndt wrote:
> Oh, and there's another thing: afaics, if you don't use inline blobs but files for the certificate/key/ca, nm-openvpn will not copy them somewhere safe (~/.cert, say) – bad idea. Jane User will plug in her USB stick, import her OpenVPN configuration from it and then start cursing the next day when she can't connect any longer after unplugging it.

OTOH if she is keeping her cert deliberately secure on an encrypted USB storage device, and it gets copied to the unencrypted hard drive, she might not be able to connect tomorrow because she's been *fired* for this breach of security policy.

And if her cert expires and she renews it, even if she is still employed, she's going to get very confused when NM is still using the *old* certificate that she's *deleted* from the USB stick and replaced with a new one.

If you do this, make it *optional* and make it clear that you're doing it.

And in fact, do *not* import it to a file elsewhere; import it into gnome-keyring and refer to it by its PKCS#11 URI.

cf. https://bugzilla.gnome.org/show_bug.cgi?id=679860

--
dwmw2