On Mar 15, 2017, at 6:13 AM, Bjørn Mork <bjorn@mork.no> wrote:
I would say it is a concern for web cerificates as well. You cannot trust them any more than you can trust the long list of public CAs. But that's another discussion :)
Pretty much. Was have been known to give out certificates to the wrong people, and to give out certificates for domains with misleading names.
At least you have a name you can match up against the DN or SNI for a web server. How can the end user verify your RADIUS server certificate? Answer: By verifying the issuer. The DN and SNI are irrelevant, since the user will not know what they are supposed to be (unless you pin the certificate, in which case it could just as well be self signed).
The CA is also pre-provisioned on the users machine.
If the issuer gives cerificates to anyone, like a public CA will do, then anyone can impersonate your RADIUS server,
Exactly. Alan DeKok.