Logging EAP-TLS certificate details

Michael Ströder michael at stroeder.com
Wed Mar 24 21:21:46 CET 2021


On 3/24/21 8:26 PM, Roberto.Franceschetti at ocfl.net wrote:
> Why in the world should we be limited to assigning one specific
> certificate to one single IoT?
Because everything else is stupid.

> We are actually assigning individual certificates for each vehicle,

Good.

> but what if we didn't want to as we were satisfied in knowing that
> each Fire station had its own certificate for their devices?
Using the same private key on various devices is really bad practice.
Because if one device is compromised you have to modify all affected
devices which imposes more risk for your availability. Especially in
case of physically moving entities (vehicles) you don't want that.

I even saw people distributing their wild-card TLS server cert with a
single private key issued for a second-level domain to hundreds of
different TLS servers. Well, something like this is clearly asking for
trouble.

> There are too many scenarios, and again, NONE OF THIS IS AN ISSUE IF
> YOU LOG THE SERIAL NUMBER AND ISSUER of the cert used to
> authenticate.
Maybe I don't understand you. But if you're using the same X.509 cert on
several devices it would always be the same 2-tuple (issuer name, serial
no). You would still need to log and/or attribute-map other device
information along with that.

Ciao, Michael.
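To illustrate the point about the (issuer name, serial no) tuple, here is an added example that is not part of the thread or of FreeRADIUS: a small Python check over constructed log lines (the format, CA name, serials and MAC addresses are all made up) that finds certificate tuples presented by more than one device, which is exactly the case where the tuple alone cannot attribute an authentication.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of an authentication log that
# records the peer certificate's issuer and serial together with the
# supplicant's MAC (Calling-Station-Id). All values are made up.
SAMPLE_LOG = """\
Auth-OK user=veh-101 calling=00:11:22:33:44:01 issuer="CN=Fleet CA" serial=1A2B
Auth-OK user=veh-102 calling=00:11:22:33:44:02 issuer="CN=Fleet CA" serial=1A2C
Auth-OK user=station7 calling=00:11:22:33:44:10 issuer="CN=Fleet CA" serial=0F00
Auth-OK user=station7 calling=00:11:22:33:44:11 issuer="CN=Fleet CA" serial=0F00
Auth-OK user=station7 calling=00:11:22:33:44:12 issuer="CN=Fleet CA" serial=0F00
"""

LINE_RE = re.compile(
    r'calling=(?P<mac>\S+) issuer="(?P<issuer>[^"]+)" serial=(?P<serial>\S+)'
)


def parse_auth_log(text):
    """Yield (issuer, serial, mac) for every line carrying a cert tuple."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("issuer"), m.group("serial"), m.group("mac")


def shared_cert_report(text):
    """Return {(issuer, serial): [macs]} for tuples seen from >1 device.

    One private key installed on several devices shows up as the same
    (issuer, serial) pair arriving from different MACs, so the pair by
    itself cannot say which device authenticated; extra attributes
    (here the MAC) have to be logged alongside it.
    """
    seen = defaultdict(set)
    for issuer, serial, mac in parse_auth_log(text):
        seen[(issuer, serial)].add(mac)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (issuer, serial), macs in shared_cert_report(SAMPLE_LOG).items():
        print(f"{issuer} serial {serial} presented by {len(macs)} devices: {macs}")
```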
