Your assumptions are ruling out legitimate use cases. Laptop? What
laptop? How about connections that need to be completely automated
because there isn't a user there to enter a passphrase? And the system is
mounted in a rack inside a concrete room with a locked steel door? Of
course you also have to pass the front desk, security cameras, and at
night there are those pesky door sensors hooked into the alarm
If your argument is true then ***SSH*** is broken because you can automate
connections with key exchanges. All you need is to get the keys!
Yes, there are perfectly valid uses for passphraseless keys. Laptops were my
example for where recording of a passphrase would weaken the security in place
My point still holds though. There is no point having a passphrase on disk if
you have the key on disk. If you can secure access to the key, then there's no
need to have a passphrase and you can automate the system, as you say.
In any case where manual entry of a passphrase is required, then having it
recorded elsewhere would potentially break the system; especially if you have
it recorded on the same medium you store your key on.
In the end, the user has to bear some responsibility for the security of their
In the end the user bears all the responsibility for the security of their
identification; software should permit as wide a range of use cases
as possible; selecting the proper tools and configuration is the job of
Openvpn-users mailing list