FreeRADIUS with 2 certs/CAs etc

Alexander Clouter alex at digriz.org.uk
Thu Oct 1 11:27:15 CEST 2009


Hi,

Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>
> Say you have a nice FR setup...all is going well and everything is 
> fine but then you have an issue with the certificate - e.g. it's going to 
> expire, or it's been revoked...then you are going to have to have a 
> new certificate for your FR server - but your clients will have the 
> old certificate and CA - and your new clients will have the new cert 
> and CA...and you might not be able to sort out all your clients for 
> some time - hopefully before the final day of cert validity!
>
So my rant to the JANET certificate service reached your desk eh? :-/

So others have a clear view of the situation, most of Europe's academic 
world can get free SSL signed certificates with the clause they cannot 
be used for financial transactions.  Great, everyone with 802.1X 
deployed nabbed them up....as did a lot of web monkeys.  In the web 
monkey world no one cares what Root CA is used to sign the server 
certificate...in the 802.1X world you hard code what the Root CA is 
meant to be and also the subject line; unless you are keen to have Bad 
People(tm) nick all your users credentials with an Evil Twin(tm) access 
point attack. :)

This I'm pretty sure you are familiar with.  Now, usually for Root CA 
changing your timetable for migration is at least a year in advance of 
the expiry date of the existing one.  During this year the new clients 
you prime will accept the Root CA to be one of two (your existing Root 
CA and the one you are planning to move to).  The following year you 
remove the old one.  This seems to work well for us as every year it's a 
new batch of students coming through and all the existing ones have 
managed to persuade their parents that unless they get a new computer 
every year they will fail their degrees. :)

Imagine you are now told, you know those freebie certs you and everyone 
else are using with the expiry date that is 18 months away...it's being 
revoked in April for no technical reason...[snipped politics].

Now the constraints, off the top of my head, probably more:
 * we do not control or administer the workstations that connect to our 
	network (they are not part of an AD domain and centrally 
	managed); we deal with student's and staff's personal kit
 * emails to users asking them to download new software are obviously not 
	a great idea, plus even if you get the wording right only about 
	30% will probably make the amendment
 * 'death' occurs in April, the new term has started and the new batch of
	students/lapdogs are already online
 * when there is a subject mismatch error, the client simply does 
	nothing but grumble there was an issue; unless you got a Mac 
	then you just blindly click "I want the rope to be this long..."

In short I cannot see a workaround...

The longer story...there is a vaguely possible way that has a chance of 
working if the planets are correctly aligned but it is so horrible[1] I 
would never recommend or deploy it; as the 'exit strategy' is messy.
 
Anyone who figures it out, and is crazy enough to deploy it on their 
network...thumbs up to you, you crazy animal...but I plead, do not 
unleash the horrors unto the world or advertise its existence.  It's 
like a nuclear bomb, great when you have it...but really would you trust 
*everyone* else with it? ;)

Cheers

[1] besides it would only immunise around 50% of the UK federation; 
	the portion that is using FreeRADIUS, Radiator probably could be 
	kludged too though

-- 
Alexander Clouter
.sigmonster says: List was current at time of printing.
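As an added illustration (not code from the thread or from FreeRADIUS), the following models what an 802.1X supplicant does when it is primed with pinned Root CA(s) plus an expected server subject, and why priming clients with two roots for a year bridges a Root CA change while a cert from an unrelated CA with the same name is still rejected. It assumes the third-party `cryptography` package is installed; all certificates and the host name are constructed in memory.

```python
# Added example, not from the thread: a minimal 802.1X supplicant trust check
# (pinned Root CA set + expected subject) over in-memory generated certs.
# Requires the third-party 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
SERVER_CN = "radius.example.ac.uk"   # constructed name, not a real host

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer_cn, issuer_key, subject_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_root(cn):
    key = ec.generate_private_key(ec.SECP256R1())
    return key, make_cert(cn, cn, key, key, True)   # self-signed root

def supplicant_accepts(server_cert, pinned_roots, expected_cn):
    """Accept only if the cert chains to a pinned root AND the subject CN matches."""
    for root in pinned_roots:
        if server_cert.issuer != root.subject:
            continue
        try:   # check the server cert's signature with the pinned root's key
            root.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                     ec.ECDSA(server_cert.signature_hash_algorithm))
        except InvalidSignature:
            continue
        cn = server_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        return cn == expected_cn
    return False   # no pinned root vouches for this cert

old_key, old_root = make_root("Old Root CA")
new_key, new_root = make_root("New Root CA")
srv_key = ec.generate_private_key(ec.SECP256R1())
new_server = make_cert(SERVER_CN, "New Root CA", new_key, srv_key, False)   # re-issued server cert
other_key, other_root = make_root("Unrelated CA")
other_server = make_cert(SERVER_CN, "Unrelated CA", other_key, srv_key, False)  # same name, wrong CA
```

Clients primed only with the old root reject the re-issued cert, clients primed with both roots accept it, and a same-name cert from a CA that was never pinned is refused either way.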