[Openvpn-devel] AW: Re: [Openvpn-devel] PKCS#11 and easy-rsa

2006-01-03 Thread Götz Babin-Ebell
> Ondra Medek wrote:
>> Hi,
>> 
>> I've made easy-rsa 2.0 support for PKCS#11 (it makes a certificate from a
>> token). If you are interested, then it is at
>> 
> 
> Hello,
> 
> Thank you for your patch.
> 
> In my view it lacks the following features:
> 1. Allow the user to specify his own PKCS#11 library.
> 2. Generate a new key.

This is well outside of OpenVPN's usage.
It is to be implemented in a PKCS#11 (key) management tool,
but NOT in a VPN daemon.

> 3. Load the X.509 certificate into the token.

And this too has nothing to do with the functionality of a
VPN daemon.

Please:
KISS.
Keep It Simple and Safe.

OpenVPN is a small tool to do VPN tunneling.
Stuffing unrelated functionality that seems fancy into it
leads to bloatware.

Bye

Goetz

Re: [Openvpn-devel] AW: Re: [Openvpn-devel] PKCS#11 and easy-rsa

2006-01-03 Thread Ondra Medek
Hi,

> >> I've made easy-rsa 2.0 support for PKCS#11 (it makes a certificate from a
> >> token). If you are interested, then it is at
> >> 
> > In my view it lacks the following features:
> > 1. Allow the user to specify his own PKCS#11 library.
> > 2. Generate a new key.
> 
> This is well outside of OpenVPN's usage.
> It is to be implemented in a PKCS#11 (key) management tool,
> but NOT in a VPN daemon.
> 
> > 3. Load the X.509 certificate into the token.
> 
> And this too has nothing to do with the functionality of a
> VPN daemon.
> 
> Please:
> KISS.
> Keep It Simple and Safe.
> 
> OpenVPN is a small tool to do VPN tunneling.
> Stuffing unrelated functionality that seems fancy into it
> leads to bloatware.

To be honest, I have the same opinion, but Alon Bar-Lev proposed 2. and
3. I am not involved in the OpenVPN project, but I'd like to help. So if you
decide what you need, I can try to do it.

Cheers
   Ondra

Re: [Openvpn-devel] AW: Re: [Openvpn-devel] PKCS#11 and easy-rsa

2006-01-03 Thread Alon Bar-Lev

Götz Babin-Ebell wrote:

> > In my view it lacks the following features:
> > 1. Allow the user to specify his own PKCS#11 library.
> > 2. Generate a new key.
>
> This is well outside of OpenVPN's usage.
> It is to be implemented in a PKCS#11 (key) management tool,
> but NOT in a VPN daemon.

The update is for easy-rsa, which is a simple-to-use
interface in order to issue certificates.

easy-rsa is already provided by OpenVPN in order to ease
the user in the mission of certificate enrollment.

> > 3. Load the X.509 certificate into the token.
>
> And this too has nothing to do with the functionality of a
> VPN daemon.
>
> Please:
> KISS.
> Keep It Simple and Safe.

This is what we all try to do.

> OpenVPN is a small tool to do VPN tunneling.
> Stuffing unrelated functionality that seems fancy into it
> leads to bloatware.

True... But in order to allow people to use the solution,
they should be able to enroll certificates; easy-rsa is a
good starting point.

Since OpenVPN 2.1 will support PKCS#11 tokens, it would be
nice if the easy-rsa interface also supported PKCS#11 as
it supports software keys.

Until now I've assumed that people who use PKCS#11 tokens
will enroll them using a different tool. Ondra suggested
adding PKCS#11 support to easy-rsa; this is fine! In my
opinion it should support a complete enrollment process.

Best Regards,
Alon Bar-Lev
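The "complete enrollment process" the thread argues about, with the three features listed above (user-supplied PKCS#11 library, key generated on the token, issued certificate written back to the token), as an added example script. This is not easy-rsa or OpenVPN code and not from any message in the thread. It assumes OpenSC's pkcs11-tool and an OpenSSL build with the libp11 pkcs11 engine are installed; the SoftHSM2 module path, the key id/label, the CA directory and the PIN variable are illustrative defaults, and the software CA stands in for what easy-rsa's build-ca would create.

```shell
#!/bin/sh
# Added example, not easy-rsa or OpenVPN code: token-backed certificate
# enrollment with OpenSC pkcs11-tool + OpenSSL pkcs11 engine (libp11).
# Assumptions: module path (SoftHSM2 here, i.e. the user's own library),
# key id/label, CA directory and PIN are all illustrative defaults.
set -eu

PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/softhsm/libsofthsm2.so}"
KEY_ID="${KEY_ID:-01}"                   # CKA_ID in hex; links key, CSR and cert
KEY_LABEL="${KEY_LABEL:-openvpn-client}"
CA_DIR="${CA_DIR:-./ca}"                 # software CA, like easy-rsa's build-ca output
PIN="${PIN:-}"

# RFC 7512 PKCS#11 URI the OpenSSL engine uses to locate the private key.
key_uri() {
  printf 'pkcs11:id=%%%s;object=%s;type=private' "$1" "$2"
}

# Feature 2: generate the key pair on the token; the private key never leaves it.
gen_token_key() {
  [ -n "$PIN" ] || { echo "PIN not set" >&2; return 1; }
  pkcs11-tool --module "$PKCS11_MODULE" --login --pin "$PIN" \
    --keypairgen --key-type rsa:2048 --id "$KEY_ID" --label "$KEY_LABEL"
}

# CSR signed by the token-held key; OpenSSL only ever handles the public half.
make_csr() {
  openssl req -engine pkcs11 -keyform engine \
    -key "$(key_uri "$KEY_ID" "$KEY_LABEL")" -new -subj "/CN=$1" -out "$2"
}

# Throwaway software CA (stand-in for easy-rsa's build-ca).
make_ca() {
  mkdir -p "$CA_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Issue the certificate (what easy-rsa's sign-req does with its openssl.cnf).
sign_csr() {
  openssl x509 -req -in "$1" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -days 365 -out "$2" 2>/dev/null
}

# Feature 3: write the issued certificate back onto the token under the same
# id and label, so the client can find key and cert through one object id.
load_cert() {
  openssl x509 -in "$1" -outform DER -out "$1.der"
  pkcs11-tool --module "$PKCS11_MODULE" --login --pin "$PIN" \
    --write-object "$1.der" --type cert --id "$KEY_ID" --label "$KEY_LABEL"
}

# Check the issued cert chains to the CA before pointing a VPN client at it.
verify_against_ca() {
  openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# Client-side OpenVPN 2.1 options; the pkcs11-id value is read off the token
# with `openvpn --show-pkcs11-ids "$PKCS11_MODULE"` once the cert is loaded.
openvpn_client_config() {
  printf 'pkcs11-providers %s\n' "$PKCS11_MODULE"
  printf "pkcs11-id '<serialized id from openvpn --show-pkcs11-ids>'\n"
}

# Full run:  PIN=1234 ./enroll.sh enroll client1   (CA must exist in $CA_DIR)
case "${1:-}" in
  enroll)
    cn="$2"
    gen_token_key
    make_csr "$cn" "$cn.csr"
    sign_csr "$cn.csr" "$cn.crt"
    load_cert "$cn.crt"
    verify_against_ca "$cn.crt"
    echo "$cn.crt verified against $CA_DIR/ca.crt"
    openvpn_client_config
    ;;
esac
```

Two caveats for real tokens: drop `--pin` and let pkcs11-tool prompt, so the PIN does not show up in process listings or shell history, and note that OpenSSL 3 deprecates the engine interface, so the CSR step may need the pkcs11 provider instead of `-engine pkcs11` depending on the build.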