Leonard Isham wrote:

[snip]

Btw, MSDN cryptoapi docs don't talk about a way to get userspace certs
from SYSTEM rights. I think a way to solve this issue would be to make
openvpn deal with a userspace component from which one could get the
certificate and supply the desired data to openvpn at tunnel startup. This
userspace component could be openvpn-gui or another program. I really
don't know if this kind of solution is technically possible. Only true
openvpn hackers could ;-)



All good points. I must add a couple of my own.
1) OpenVPN is cross platform.

Yes, those certificate problems are only Windows-related. Linux and *BSD don't have such problems making user certs available to root.

2) Apparently a MS design implementation. Could possible be rectified
by having the service use the user login instead of system.

First, the certificate way of things as MS has coded it is not bad, because it's quite useful to disable user certificate access for admin/system. The MS problem comes from the lack of a su/sudo system that would allow a user to temporarily access another account's data/rights.

Your suggestion about moving the service into userspace is not the solution, because we need a system-space service in order to set up the tunnels (which requires admin/system rights) instead of users, because they're not allowed to.

Finally, on win32 and in a company context, a system-space service is necessary to achieve tunnel setup, and a user-space program is necessary in order to get the user certs and to let the user choose when he wants to set up the tunnel.

3) At this stage I think changes of this magnitude, as you suggest,
would most likely be post 2.0. James and the other brains behind this
would know better.

The new service wrapper was soon considered as a post-2.0 feature. Perhaps more. The big problem is that we actually have a single binary which is able to do everything, and a great GUI which allows end-users to interact easily. And what we are talking about is a global system, actually useful for few of us, which will need 2 or 3 components in system/user space for just one platform. But this small case is what will bring openvpn on top of proprietary VPN challengers.

Is our community ready to get to such a level? Do we want to? From a personal point of view, I think openvpn is a great piece of code and it deserves to be famous and widely used.

Didier
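To make the Windows constraint discussed in this thread concrete, here is an added example (not code from the thread, openvpn or openvpn-gui) of what the user-space helper would do: report whose CurrentUser store the process actually sees, pick a client-auth certificate from the logged-on user's personal store, and hand only a selector to the privileged side. The hand-off file path and the "THUMB:" selector format are assumptions.

```powershell
# Added example: user-space certificate helper for the system-service / user-program split.
# Assumes the PowerShell Cert: drive (Windows); hand-off path and selector format are placeholders.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-StoreContext {
    # A process running as SYSTEM sees SYSTEM's own CurrentUser store, not the
    # logged-on user's, which is why a service cannot simply read the user's certs.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $note = if ($id.IsSystem) { 'CurrentUser store belongs to SYSTEM, not the interactive user' }
            else { 'CurrentUser store belongs to the interactive user' }
    [pscustomobject]@{ Identity = $id.Name; IsSystem = $id.IsSystem; Note = $note }
}

function Select-ClientCert {
    # Choose a cert from the user's personal store that has a private key and the
    # client-authentication EKU; the one expiring latest wins.
    param([string]$Store = 'Cert:\CurrentUser\My')
    Get-ChildItem $Store | Where-Object {
        $ekus = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object -MemberName Value }
        $_.HasPrivateKey -and ($ekus -contains $ClientAuthOid)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$ctx = Get-StoreContext
Write-Host "Running as $($ctx.Identity): $($ctx.Note)"

$cert = Select-ClientCert
if (-not $cert) {
    Write-Host 'No usable client certificate found in CurrentUser\My'
    return
}
Write-Host "Selected '$($cert.Subject)' (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# Hand over only a selector; the private key never leaves the user's store.
# (Placeholder hand-off: a real helper would use an authenticated IPC channel to the service.)
$handoff = Join-Path $env:TEMP 'openvpn-cert-selector.txt'
"THUMB:$($cert.Thumbprint)" | Set-Content -Path $handoff
Write-Host "Wrote selector to $handoff"
```

Because the private key is also bound to the user's profile, the process that performs the TLS handshake still has to run in that user's context; the selector only tells the privileged side which certificate the user chose.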