Don't distribute certificate

Julian Labus jl at sol-3.de
Wed Dec 22 10:29:32 CET 2010


Ok, thanks to all for making this clear. I'm not very familiar with
SSL/TLS, so I misunderstood this function of SSL/TLS.

On 12/21/2010 05:43 PM, Alan Buxey wrote:
> Hi,
>
>    
>>> Yes, I was talking about the TLS public certificate, sorry for leaving
>>> this out. The reason for that is that you only have the ability to
>>> connect to the hotspot if you have manually installed the public cert on
>>> your client before connecting.
>>>        
>> No, I think you're confused. Perhaps you're referring to the trusted CA
>> cert used to sign your public server cert. The CA which signed your
>> server cert has to be installed as a trusted CA on the client (or
>> resolve to one via a cert chain).
>>
>> Generally you don't want clients to install trusted CA certs. Therefore
>> your server cert must be signed by a CA which is normally trusted and
>> hence previously installed. Usually that means a commercial CA which you
>> pay to sign your server cert.
>>      
> Aye. You don't HAVE to install the server public cert, as that will be transferred to
> the client during the creation of the SSL/TLS tunnel.  What the client
> does need, AND trust, is the public cert of the CA that signed the server.
>
> In this way, the web of trust is created.
>
>
> So... if you have a public system, I'd advise you to use a well-known CA to sign your server,
> a CA whose public keys are already in the OS.
>
> For a private, closed-loop system, e.g. 802.1X authentication, I'd still go for a private
> CA. Yes, you have the issue of CA distribution onto the clients, but you avoid the
> issue that anyone can pay and get a CA signed by a well-known CA that your clients
> would trust (closed-loop method).
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>    

-- 
   \ /           Sol-3 GmbH & Co. KG             Julian Labus
  --o-- Sol-3    An der Klostermühle 1           Phone: +49 6123 7029 18
   / \           D-65399 Kiedrich                Fax:   +49 6123 7029 29
                 USt-ID:   DE 204978307          eMail: jl at sol-3.de
                 Register: WI HRA 6607
                 Komplementär:    Sol-3 Verwaltungs-GmbH
                 Register:        WI HRB 117786
                 Geschäftsführer: Norbert Geus, Dirk Zoller



