You're right... I would have argued for a passphrase if the remote client were anything but his home desktop computer; I figured one copy in a fixed installation was probably only going to cause trouble if his computer was stolen from the house, and in that case I could revoke the cert more or less immediately on the server.
> I was written up for insubordination in a previous position, because I defied the manager of security's request to configure PPTP with MS-CHAP(v1) for legacy clients, who he couldn't name. He was terminated about 6 months later after finding kiddie porn on his home computer. He was using the corporate network as a proxy. Sick people are everywhere.
Good lord. That's really disturbing... both the pr0n crime, and the stupidity crime of using your own corporate network as a proxy, and trying to con another employee into participating. I suppose he didn't want to use TOR or something similarly suitable... anyway, yikes.
This was over 10 years ago, before TOR was even a mainstream thing. Apparently he’d been caught doing it in the past but they didn’t know what was actually being downloaded, just that his company machine was being used to proxy it to his home computer.