Stefan Winter wrote on 10.01.2008 15:51:
Hi,
If the supplicant is not configured that strictly, at the end of the day it does not matter if you rolled your own self-signed RADIUS server cert or you have a cert with its root CA pre-installed.
Actually, It's not quite the same: if the user at least managed to enable to CA checking, then
- for a commercial CA, thousands of untrusted hosts match his check - for a self-signed CA, only one server matches - for a dedicated RADIUS Auth CA, only servers within the administrative reach which are trusted to handle user authentications anyway match
This *is* a win in security vs. commercial CAs.
agreed when you turn off 2/3 of the possible checks, but if he is that unexperienced as many users are, it is easy to trick them into installing/trusting a new rogue CA or self-signed rogue RADIUS server certificate anyway. Don't forget: The user desperately wants his internet connection.... -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski