Ok, thanks to all for making this clear. I'm not very familiar with SSL/TLS so I misunderstood this function from SSL/TLS. On 12/21/2010 05:43 PM, Alan Buxey wrote:
Hi,
Yes, I was talking about the TLS public certificate, sorry for leaving this out.The reason for that is that you only have the ability to connect to the hotspot if you have manually installed the public cert on your client before connecting.
No, I think you're confused. Perhaps you're referring to the trusted CA cert used to sign your public server cert. The CA which signed your server cert has to be installed as a trusted CA on the client (or resolve to one via a cert chain).
Generally you don't want clients to install trusted CA certs. Therefore your server cert must be signed by a CA which is normally trusted and hence previously installed. Usually that means a commercial CA which you pay to sign your server cert.
aye. you dont HAVE to install the server public cert as that will be transferred to the client during the creation of the SSL/TLS tunnel. what the client does need, AND trust, is the public cert of the CA that signed the server.
in this way, the web of trust is created.
so...if you have a public system I'd advice you use a well known CA to sign your server... a CA whose public keys are already in the OS.
for a private, closed loop system - eg 802.1X authentication I'd still go for a private CA - yes, you have the issue of CA distribution onto the clients but you avoid the issue that anyone can pay and get a CA signed by a well known CA that your clients would trust (closed-loop method)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- \ / Sol-3 GmbH& Co. KG Julian Labus --o-- Sol-3 An der Klostermühle 1 Phone: +49 6123 7029 18 / \ D-65399 Kiedrich Fax: +49 6123 7029 29 USt-ID: DE 204978307 eMail: jl@sol-3.de Register: WI HRA 6607 Komplementär: Sol-3 Verwaltungs-GmbH Register: WI HRB 117786 Geschäftsführer: Norbert Geus, Dirk Zoller