On 12.11.19 10:28, Michael Richardson wrote:
> You were trying to do a CSR with some extra attributes with a CA (using
> ACME? Using LetsEncrypt?) and the CA ignored the things that it couldn't
> verify?
No, it was a direct request to the CA of our research network. The problem here was that the CA itself would have had to clarify this with their CA (Telekom Trust Center), because it would mean setting up a new certificate profile. And that wasn't possible for this one use case.

> So, as I understand it, the enrollment process for laptops/phones into
> WPA-Enterprise does not include retrieving a set of anchors for that
> connection. Or that it is just too hard to do. It works fine if the
> devices are compelled by their corporate masters, but this fails for
> BYOD, and it fails for cross-realm (which eduroam is).

It doesn't. In eduroam this has led to cat.eduroam.org, where the installers can be downloaded. As Carsten Bormann and I already wrote in a submission for the IAB DEDR workshop [1], since this tool is needed anyway, we could also have used client certificates instead of username/password combinations.

For a long time it was easy to connect to eduroam without certificate checking. Android in particular had a very insecure default setting, and most of our users just typed in their username and password and connected to eduroam without any certificate check. And if the inner authentication then defaults to PAP, an attacker could get many credentials just by setting up a rogue access point in a crowded place. And many universities in Germany use PAP because they don't want an NT-hashed password in their database.

With the expiry of the old Root CA all clients had to change their configuration, because (if set up correctly) the root CA was in fact pinned. We used this rollover to force all our users to use a specific outer identity, to encourage the use of the CAT. Since the expiry we also deny all requests with any other outer identity before the EAP-TLS handshake, to prevent certificate warnings on the user devices.

Jan-Frederik

---
1: https://www.iab.org/wp-content/IAB-uploads/2019/05/p16-bormann-wifi.txt
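The mail above contrasts the hand-typed "no certificate check" setup with the pinned-root-CA configuration that the CAT installer produces. As an added illustration, not part of the original mail and not the CAT's own output, here are the two settings side by side as wpa_supplicant network blocks; the CA file path, RADIUS server name, realm and the mandated outer identity are placeholders, since the mail does not give them.

```ini
# CONSTRUCTED EXAMPLE, not taken from the mail or from cat.eduroam.org.

# Weak: what many users typed in by hand. No ca_cert, so the supplicant
# accepts any RADIUS server certificate. With PAP as the inner method the
# password then reaches whoever terminates the TTLS tunnel, which is the
# rogue-access-point risk the mail describes.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    identity="alice@example-university.example"
    password="REPLACE-ME"
}

# Hardened: the shape of what the CAT generates.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
    # Pin the home institution's root CA (placeholder path). Because the
    # root is pinned, the root-CA expiry forced every client to reconfigure.
    ca_cert="/etc/ssl/certs/eduroam-root-ca.pem"
    # Also require the server certificate's name to match, not merely any
    # certificate chaining to the pinned root (placeholder hostname).
    domain_suffix_match="radius.example-university.example"
    # The institution-mandated outer identity (assumed value): the home
    # RADIUS server rejects any other outer identity before the EAP-TLS
    # handshake, so mistyped setups fail early instead of prompting the
    # user to click through a certificate warning.
    anonymous_identity="anonymous@example-university.example"
    identity="alice@example-university.example"
    password="REPLACE-ME"
}
```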
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu