On Fri, Sep 09, 2016 at 09:41:17AM -0700, Matthew West wrote:
To this, my technical lead on the project said: ] Need to look at two things here – ] * CRL checks – so that revoked certs do not authenticate ] * Certificate Whitelist of sorts – So only our bunch of certs authenticate
It is apparent that he understands the implication of using the VeriSign chain as our CA. Is it possible to achieve a cert whitelist, say, filter on the e-mail address presented in the certificate?
On FreeRADIUS, look at OCSP in mods-available/eap, and sites-available/check-eap-tls (also in mods-available/eap).
Would that remediate any security concerns, or would that still leave room for abuse?
You can start with a known good secure situation where you have control over all the variables, and do a little bit more work to really tighten it down. Or you could start from a know less secure situation where other people have control over your infrastructure, and try and patch it up to stop people getting in who shouldn't. Your choice... but I know which one I'd go for to make sure access to my network was secure. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>