On Tue, 25 Jan 2005, Didier Conchaudron wrote:
> Mathias Sundman wrote:
>>> Your article shows too that some features are still missing in the field
>>> to make openvpn a professional software of choice.
>>> - Full certificate support: actually, the SYSTEM account can't access
>>> users' certificates and private keys which are located in the IE cert store.
>>> People with smart cards are actually unable to use them as users only.
>> It's still unclear to me whether the system is supposed to
>> have access to user keys or not though. I thought a user key in the
>> CertStore was encrypted with the user's password somehow, and therefore only
>> available to that user. Is this not true, or are the keys decrypted when a
>> user logs on so they become available to the system as well as long as the
>> user is logged on?
> First, when you import a p12 into the IE CertStore, you can encrypt the p12 so IE
> will ask you for the password in order to import the p12. But this password
> is independent of the password protecting the private key. So the p12
> password will be asked just one time at import.
> If your private key is protected by a password, IE will not ask you for the
> password during import, but this password will be asked by the default CSP (a
> window of IE in fact) each time an app needs to access the private key.
> The process is the same when you use a smart card, the only difference is
> that the CSP is from your smart card manufacturer, so the password can be a
> PIN code on the card reader (like mine) or a window on your computer.
> A basic non-protected private key imported via p12 into the IE certstore can be
> accessible via the SYSTEM account, I guess. That's the point I need confirmation
So, what you're saying is that if I import a non-encrypted private key
into the IE CertStore, it will be saved in cleartext on my system?
Again, I thought one of the benefits of using the CryptoStore was that
Windows protected the key by encrypting it with the normal user logon
If what you say is true, then an originally unencrypted private key
imported to the CertStore can almost as easily as a file be retrieved
from a stolen laptop's hard drive.
Are you sure about that?
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
Openvpn-users mailing list
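The thread above asks which account can reach a private key once it sits in the Windows certificate store, and whether a software key differs from a smart-card key. The script below is an added example, written for this page and not taken from the mailing list or from OpenVPN: it walks a certificate store and reports, for every certificate that has a private key, which CSP/KSP holds the key, whether it is hardware-backed, and whether it is marked exportable. The function name, the store defaults and the "Smart Card" provider-name heuristic for CNG keys are my own assumptions; it uses only the X509Store, CAPI (CspKeyContainerInfo) and CNG (CngKey) APIs exposed through .NET on Windows PowerShell 5.1 or later. Run it as the user to see the user's own keys, and again in a SYSTEM context (or against LocalMachine) to see which of them that account can actually open.

```powershell
# Added example, not part of the original thread. Function and field names
# are my own choices (assumed); the .NET APIs used are the documented ones.
function Get-PrivateKeyProtection {
    param(
        [string]$StoreLocation = 'CurrentUser',   # 'LocalMachine' is what SYSTEM normally sees
        [string]$StoreName     = 'My'             # the user's personal store (IE's "Personal" tab)
    )

    Get-ChildItem "Cert:\$StoreLocation\$StoreName" |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $info = [ordered]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeyType    = $null      # 'CAPI' (legacy CSP) or 'CNG' (KSP)
                Provider   = $null      # which CSP/KSP holds the key
                Hardware   = $null      # key lives on a token/smart card?
                Exportable = $null      # can this account pull the key material out?
            }

            try {
                # Ask the cert for an RSA handle; this is where a CSP prompt or
                # smart-card PIN dialog would appear for a protected key.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $key = $rsa.Key
                    $info.KeyType    = 'CNG'
                    $info.Provider   = $key.Provider.Provider
                    # ExportPolicy is a flags enum; AllowExport means plaintext export is permitted
                    $info.Exportable = (($key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
                    # CNG exposes no direct "hardware" flag; provider name is a heuristic (assumption)
                    $info.Hardware   = ($key.Provider.Provider -like '*Smart Card*')
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $csp = $rsa.CspKeyContainerInfo
                    $info.KeyType    = 'CAPI'
                    $info.Provider   = $csp.ProviderName
                    $info.Exportable = $csp.Exportable
                    $info.Hardware   = $csp.HardwareDevice   # true for smart-card CSPs
                }
                else {
                    $info.KeyType = $rsa.GetType().Name
                }
            }
            catch {
                # Typical when another account (e.g. SYSTEM) lists a user's store:
                # the certificate is visible but the key container cannot be opened.
                $info.Provider = "inaccessible: $($_.Exception.Message)"
            }

            [pscustomobject]$info
        }
}

# Usage: list the current user's keys, then the machine store.
Get-PrivateKeyProtection | Format-Table -AutoSize
Get-PrivateKeyProtection -StoreLocation LocalMachine | Format-Table -AutoSize
```

A key that reports Hardware = True with a smart-card provider never leaves the card, and the provider's own PIN dialog gates each use. A software key that reports Exportable = True is the case to worry about on a stolen laptop: any account that can open the container can export it, so import such keys with exportability turned off and keep them in the user's store rather than the machine store unless a service really needs them.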