p.mayers at imperial.ac.uk
Fri Jan 20 17:47:11 CET 2012
On 01/20/2012 02:36 PM, Alan Buxey wrote:
> CA distribution was always the issue for private CA - but most sites now go for
> using a deployment tool of some kind to get clients set up - and all of them can deal with
> installing a CA, so thats a problem gone. the system is closed-loop, visitors never need to
> trust your RADIUS server cert...only your own folk do - so why use public in this space?
Couple of things to note:
Firstly, *if* you are using a public CA you should try very, very hard
to ensure your clients are checking the cert CN. This somewhat
alleviates the "anyone can buy a cert" risk.
Secondly, there's not much point in going for a "super cheap" public CA.
You only need one cert, and don't need very esoteric options like EV or
multiple subjectAltNames. This keeps the cost reasonably sane, and
therefore you might as well shell out for a Verisign (or similar) one.
Doing that gives you a slightly better chance the CA will not hand out
random crap to attackers, and *much* better probability the CA will be
present on clients already.
You mention "most sites use a deployment tool". I'd be interested to see
numbers on that, but it's probably OT for the list.
As I've said previously - people thinking of using a public CA should be
very sure they understand and accept the risks. I agree the safe default
is to use a private CA.
More information about the Freeradius-Users