On Fri, 14 Jan 2005 13:28:30 +0100, Didier Conchaudron <did...@conchaudron.net> wrote:
> Leonard Isham wrote:
>
> [snip]
>
> > > Btw, MSDN CryptoAPI docs don't talk about a way to get userspace certs
> > > from SYSTEM rights. I think a way to solve this issue would be to make
> > > openvpn deal with a userspace component which could get the
> > > certificate and supply the desired data to openvpn at tunnel startup. This
> > > userspace component could be openvpn-gui or another program. I really
> > > don't know if this kind of solution is technically possible. Only true
> > > openvpn hackers could ;-)
> >
> > All good points. I must add a couple of my own.
> >
> > 1) OpenVPN is cross platform.
>
> Yes, those certificate problems are only Windows-related. Linux and
> *BSD don't have such problems making user certs available to root.

Exactly what I meant.

> > 2) Apparently an MS design implementation. Could possibly be rectified
> > by having the service use the user login instead of system.
>
> First, the certificate way of things as MS have coded it is not bad,
> because it's quite useful to disable user certificate access for
> admin/system. The MS problem comes from the missing of a su/sudo system
> in order to allow a user to temporarily access other account data/rights.
>
> Your suggestion about moving the service into userspace is not the
> solution, because we need a system-space service in order to set up the
> tunnels (which require admin/system rights) instead of users, because
> they're not allowed to.
>
> Finally, on win32 and in a company context, a system-space service is
> necessary to achieve tunnel set up, and a user-space program is necessary in
> order to get the user certs and to let him choose when he wants to set up
> the tunnel.

I wasn't bashing, just stating that it was due to the MS implementation, not a bug.

> > 3) At this stage I think changes of this magnitude, as you suggest,
> > would most likely be post 2.0. James and the other brains behind this
> > would know better.
>
> The new service wrapper was soon considered as a post 2.0 feature.
> Perhaps more.
> The big problem is that we actually have a single binary which is able
> to do everything, and a great GUI which allows end-users to interact easily.
> And what we are talking about is a global system, actually useful for
> few of us, which will need 2 or 3 components in system/user space for
> just one platform. But this small case is what will bring openvpn on top
> of proprietary VPN challengers.
>
> Is our community ready to get to such a level? Do we want to? From a
> personal point of view, I think openvpn is a great piece of code and it
> deserves to be famous and widely used.

I personally have confidence in the developers.

--
Leonard Isham, CISSP
Ostendo non ostento.