cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
sergioyebenes at alumnos.upm.es
Fri Aug 22 15:51:57 CEST 2008
Ivan Kalik wrote:
>> However, there may be multiple servers, each with its own cert. Why
>> should a client cert be signed by one server when it may be used with
>> other servers?
> (radius) Server certificate doesn't have to be unique. You can copy the
> same certificate to all the radius servers that will be accepting
> clients issued by that certificate.
> Ivan Kalik
> Kalik Informatika ISP
I was thinking that, in this PKI, A trusts B only if A certified B. There
may be better solutions that respond to real life, like A trusting B only
if B gives credentials accepted by A. This way, the general
certification architecture is more dynamic. The server administrator is
only worried about the server-side PKI, but he must have CRLs from the
client-side PKI, and can accept whatever he wants.
It's only an opinion; I think FreeRADIUS is a great job :), for example
with its modular behavior and configuration possibilities.