Someone feel free to challenge me here, or give a +1

In summary: The pfSense UI should not allow users to delete certificates because admins may be unaware of the implications.

In detail:  In OpenVPN, certificates are trusted by way of them being signed by the CA (i.e. pfSense), that is, trusted "indirectly" by way of the signature.  That makes sense given the fundamentals of certificates.  However, as long as OpenVPN is keeping a copy of every certificate it mints (e.g. in case they need to be revoked), why are the certs not "simply" trusted "directly"?

The problem in my mind is that the UI appears to allow people to delete certs that aren't being used by a user, when in fact they should absolutely not be.  They should instead be 'revoking' old/unused certificates.  In my mind, a reasonable assumption would be that when a certificate is deleted, it is no longer valid for use.  This appears to be incorrect. I observe that 'deleted' certs are 100% valid, and can be used to log in to the VPN server (until the certificate expires).

So my first thought is that the delete button should be changed to a REVOKE button.  However, it would be better in my mind to simply trust ALL certs "directly".  This would allow an admin to be 100% aware of all trusted "keys to the castle" currently in existence.  As it stands, a naive admin could delete certs (incorrectly believing he has thrown away the key), and a rogue admin could 'mint' an unlimited number of certs (then delete them) and there would be no record of these back-doors into the system.

Obviously "direct trust" is not plausible in the application of the WWW, but directly trusting certs in a VPN application seems preferable given the comparatively small number of certs, as well as the explicit (premeditated) nature of granting VPN access.

Am I missing something here?

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
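As an added illustration of the point made in the post above (this is example code written for this page, not code from the original message, from pfSense or from OpenVPN), the script below reproduces the observation with plain OpenSSL: a client certificate verifies because the CA signed it, not because the CA still holds a copy, so removing the CA's copy changes nothing, while recording the serial in a CRL does make verification fail. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; the CA name, the client name "alice" and all key material are constructed throwaway values in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post or from pfSense/OpenVPN.
# Shows that "deleting" a CA-signed client certificate does not invalidate
# it; only revocation (a CRL entry checked by the verifier) does.
# Assumes the `openssl` CLI (1.1.1 or 3.x) is installed. All names, keys
# and certificates below are constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

setup_ca() {
  # Self-contained OpenSSL config: CA database settings, CA extensions and
  # client extensions, so nothing depends on the system openssl.cnf.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo
[ demo ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = any
x509_extensions  = client_ext
[ any ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # Self-signed CA plus the files `openssl ca` needs for its database
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=demo-vpn-ca" -days 30 >/dev/null 2>&1
  : > index.txt
  echo 01 > serial
  echo 01 > crlnumber
}

issue_client_cert() {
  # The CA signs a client CSR. `openssl ca` also files its own copy as
  # 01.pem, the analogue of the certificate entry shown in a CA's UI.
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj "/CN=alice" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in client.csr -out client.crt \
    >/dev/null 2>&1
}

delete_ca_copy() {
  # The "delete" button analogue: the CA forgets its copy of the cert.
  rm -f 01.pem
}

check_signature() {
  # What a server that performs only chain validation sees.
  if openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

publish_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

check_with_crl() {
  # What a server configured with the CA's CRL sees: chain plus CRL lookup.
  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem client.crt \
      >/dev/null 2>&1; then
    echo valid
  else
    echo revoked
  fi
}

revoke_client() {
  # Revocation is recorded by serial in index.txt and published in a new CRL.
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  publish_crl
}

setup_ca
issue_client_cert
delete_ca_copy
echo "after deleting CA copy, signature check: $(check_signature)"
publish_crl
BEFORE_REVOKE=$(check_with_crl)
echo "after deleting CA copy, CRL check:       $BEFORE_REVOKE"
revoke_client
echo "after revocation, CRL check:             $(check_with_crl)"
```

Running it prints "valid" for the first two checks (the deleted copy was never part of the trust decision, and an empty CRL lists nothing) and "revoked" only after the serial is placed on the CRL, which is exactly why the post argues for revoking rather than deleting. It also shows why revocation depends on the CA's own record of issued serials (index.txt here), the record a deleted entry would otherwise take with it.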
