Hi there

Best practice would be to routinely rotate secrets, to mitigate
configuration misuse/loss, etc.

Due to CAs, certificates already support that concept,
but tls-auth/tls-crypt do not.

So wouldn't it be a good idea to allow tls-auth/tls-crypt to contain
multiple keys, so that the key could be rotated without an outage (really
like a "major upgrade"). i.e.

1. replace server key with one containing old + new
2. replace client config, replacing old key with new one
3. wait weeks/months (probably) until you know all clients are reconfigured
4. replace server key with just the new one
5. rotation is now complete


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
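The overlap scheme proposed above, as an added example that is not part of the original post and not OpenVPN's own code: a toy receiver that authenticates each incoming packet against a list of currently accepted keys (old + new during the overlap, new only afterwards), walked through the five rotation steps. The keys, the payload string and HMAC-SHA256 are constructed assumptions; real tls-auth uses the HMAC from --auth plus a packet-id for replay protection, which this sketch leaves out.

```python
import hashlib
import hmac

# Constructed illustration of "server key file containing old + new":
# the receiver holds an ordered list of accepted keys and tries each one.
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def tag_packet(key: bytes, payload: bytes) -> bytes:
    """Sender side: append an HMAC over the payload (the tls-auth idea)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_packet(accepted_keys, packet: bytes):
    """Receiver side: accept the packet if it authenticates under ANY
    currently accepted key. Returns (payload, index of matching key),
    or None if no key matches. Each candidate costs one HMAC, so the
    list should stay short (two keys during an overlap, one otherwise)."""
    if len(packet) <= TAG_LEN:
        return None
    payload, mac = packet[:-TAG_LEN], packet[-TAG_LEN:]
    for i, key in enumerate(accepted_keys):
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, mac):  # constant-time compare
            return payload, i
    return None


def rotation_walkthrough():
    """Steps 1-5 from the post, with a client still on the old key and
    a client already moved to the new key. Returns the outcome of each
    phase so it can be checked."""
    old_key = b"\x11" * 32  # constructed sample keys, not real key material
    new_key = b"\x22" * 32
    hello = b"P_CONTROL_HARD_RESET_CLIENT_V2"  # constructed placeholder payload
    from_old_client = tag_packet(old_key, hello)
    from_new_client = tag_packet(new_key, hello)
    results = {}

    # Before rotation: server knows only the old key.
    server_keys = [old_key]
    results["before_old"] = verify_packet(server_keys, from_old_client)
    results["before_new"] = verify_packet(server_keys, from_new_client)

    # Step 1: server key file now contains old + new (new listed first).
    server_keys = [new_key, old_key]
    results["overlap_old"] = verify_packet(server_keys, from_old_client)
    results["overlap_new"] = verify_packet(server_keys, from_new_client)

    # Steps 2-3: clients are reconfigured one by one; no server change,
    # so both populations keep connecting during the weeks/months of overlap.

    # Step 4: old key retired on the server; only the new key remains.
    server_keys = [new_key]
    results["after_old"] = verify_packet(server_keys, from_old_client)
    results["after_new"] = verify_packet(server_keys, from_new_client)
    # Step 5: rotation complete.
    return results


if __name__ == "__main__":
    for phase, outcome in rotation_walkthrough().items():
        print(f"{phase:12s} -> {'accepted' if outcome else 'rejected'}")
```

The point of the overlap list is that step 4 is the only step that can lock anyone out, and it is taken only after the operator knows every client has moved. The cost is that during the overlap an attacker's garbage packet is checked against two keys instead of one, which slightly weakens the cheap-rejection property tls-auth exists to provide; keeping the list to exactly two entries bounds that.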