26 Jan
2012
26 Jan
'12
6:18 a.m.
On 01/26/2012 01:43 AM, Matthew Newton wrote:
Public CA - easier as you don't have to distribute the CA cert.
You're open to spoofing attacks where someone can get another cert from the same CA and put it on a rogue RADIUS server. These days it seems anyone can get a public-CA certificate for any domain by just asking for it at the back door...
This depends on the CA. As I've said before, anyone going down this route should pony up and pay top dollar for a reliable cert from a (reasonably!) reliable CA, AND ENSURE that clients are validating the certificate CN. I'm no fan of X.509 or CAs (oh, EAP-EKE - how I wish we could have been together!) but not every CA is terrible!