Ivan Kalik escribió:
However, there may be multiple servers, each with its own cert. Why should a client cert be signed by one server when it may be used with other servers?
(radius) Server certificate doesn't have to be unique. You can copy the same certificate to all the radius servers that will be accepting clients issued by that certificate.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I was thinking, in this pki A trust in B only if A certified B. There maybe better solutions, responding to real life, like A trust in B only if B give credentials accepted by A. By this way, the general certification architecture is more dynamic. Server administrator only are worried about serverside pki but, he must have crl's from clientside pki, and can accept whatever he wants. It's only an opinion, i think freeradius is a great job :) for example with its modular behavior and configuration possibilities.