Hi, > Meaning, you'd be happy if we replace "Do not validate server > cert" with "If you'd like to validate the server cert, you can import > the public key <a href="...">here</a>, or the fingerprint is > 53 63 6f 6f 62 79 20 44 6f 6f 62 79 20 44 6f 6f 21"? Basically, yes. Client device UI typically offers two ways for cert validation; ideally, you'd put both on the website. a) if you just click/tap to connect (let's call it "ignorance mode ;-) ", all PKIX validation is ignored, UIs typically only present you with the CN of the *server cert* and the fingerprint of the *server cert*. So the IETF web site should publish name and fingerprint of the server cert (on its HTTPS variant of course, to establish trust in this information in the first place) b) if you are a good user, you'd establish the PKIX CA root on your client device. For that, the IETF web site should provide the *root CA* certificate for download (plus its fingerprint for extra paranoia checks), along with the expected *server CN*. Since you provision the CA cert anyways, it doesn't matter if it's a commercial CA or your own purpose-built one. If you want to roll your own, eduroam folks have a huge load of instructions and considerations which cert properties should be in that certificate. See here: https://wiki.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations Of course you can add PDF instructions for Windows users how to import a CA etc., and many networks do that. Or you make use of such automatic installer tools which do the job on the user's device automatically. I think I mentioned one already ;-) , and that I'm happy to give the Enterprise edition of it away for free to the IETF network: https://802.1x-config.org . Greetings, Stefan Winter
Attachment:
0x8A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature