|
Hi, " Our Radius authentication servers use a certificate that you can verify by going to this page: https://www.ietf.org/registration/MeetingWiki/wiki/92net." That page lists the fingerprints of the certificates used to identify the network. Fingerprint identification is one out of two ways to validate the server-side of the network; the other one is PKIX ("The CA which issues our cert is <a>this</a> and the server CN/sAN:DNS is 'foo.bar'"). Most client-side configuration UIs only support the latter; you can't usually pre-configure an expected fingerprint. This means that the user during connection time needs to interactively observe a popup with a 20-character SHA fingerprint, compare it byte-by-byte with an out-of-band communicated expected value - guess how many end users will actually do that; and how many won't bother instead. Also, as soon as the certificate expires and gets renewed, the fingerprint will change, which typically throws an alert popup in client devices. PKIX validation OTOH can be pre-configured on clients - sometimes in an automated way using "configuration profiles" of sorts ( see my presentation in saag tomorrow, and https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-02 ). It will also only warn about change of certs only when the *CA* expires (something in the decades range usually), and even then a good client can be fed with the old and new CA so that the change doesn't come as a surprise, and no warning needs to be issued at all. So, I would appreciate if the network information could in the future be augmented with the necessary information to identify the network PKIX style. For extra bonus points, actually do supply configuration profiles, either handicrafted or using a service like https://802.1x-config.org (I'm happy to give out digitally signed installers for free to the IETF Network there). Greetings, Stefan Winter |
Attachment:
0x8A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature