On 3/17/08, Alon Bar-Lev <alon.bar...@gmail.com> wrote:
> On 3/17/08, Christophe Vandeplas <christo...@vandeplas.com> wrote:
>  > >  So back to my original idea... Use the management interface to prompt
>  >  >  the user to select a certificate.
>  >
>  >
>  > What does that mean for the end-user? If I understand it correctly the
>  >  user will need to do the following:
>  >  - start tunnel/openvpn
>  >  - open webbrowser and select certificate
>  >  - enter key (where? webinterface?, cli?)
>
>
> No no no... The OpenVPN GUI should handle all this... Prompt the user
>  with a list of certificates for him to choose.
>  The OpenVPN GUI may also be improved to execute some helper script to
>  filter out the list.

Looks like I misunderstood the management interface. I always understood it
was the web-management... What you are referring to looks great !!

>  >  The thing is that some implementations of middleware (the Belgian eID
>  >  middleware, based on opensc) prompt the user with a GUI window for
>  >  entering the password. (at least on MS Windows, not on my mac).
>  >  This window is started from the opensc layer and thus independent of
>  >  the layer above (openvpn). (please correct me if I'm wrong)
>
> I believe you are wrong and referring to the CSP alternative. PKCS#11
>  provider should not issue UI.

I should take a deeper look in the sources of the Belgian middleware
to confirm this theory...

>  >  Isn't it also a possibility to include both ways? If yes I think we
>  >  should rewrite it a little to prevent duplicate code as much as
>  >  possible...
>
>
> I don't understand why the management interface solution is not sufficient.

Just a misunderstanding from my side with the certificate
selector/management and a web-interface...
Having such a management (gui,cli) is a great idea.

A question might be: Is there a need for a system like the patch I
wrote, knowing your management patch should be included?

Here are my likes-dislikes (as I understand it):
pkcs11-match:
- more code
+ transparent thingie for the end-user, no need to understand concepts
of certificates
pkcs11-management:
+ user has choice of cert
- user has choice of cert

I'll have a deeper look at your management patch, maybe I can find a
way to add the pkcs11-match principle in your code with almost no
extra complexity and redundant code.
Do you think it's worth the effort? Or better wait for the results and
feedback from the management part?


Thanks for your interest and input !

Christophe
