
cat-users - Re: [cat-users] Server certificate transition in Android

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [cat-users] Server certificate transition in Android


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: cat-users AT geant.net
  • Subject: Re: [cat-users] Server certificate transition in Android
  • Date: Mon, 14 Sep 2015 15:07:36 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Hi,

On 2015-09-14 at 14:45, Alberto Martínez wrote:
>
> @Tomasz Uploading just the root cert to CAT means that the
> client<->server trust check takes more roundtrips, though it is easier
> to make changes on the trust path later. Are there security concerns
> about uploading the whole CA chain?
I realize that the number of round-trips is higher, but uploading a
whole chain requires device reconfiguration also when an intermediate CA
cert is replaced, which normally should go through smoothly. I am also
quite convinced that in real life you will always find devices that can
only allow root certs and if you want to support them, your server will
need to send the whole chain anyway.

There are good reasons to go either way, I just happen to believe in one
of them :).
Tomasz

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
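
Added illustration (not part of the message above, nor code from CAT): a throw-away PKI built with the openssl command line, showing the root-only case discussed in the reply. The client trusts only the root, so the server has to send its intermediate, and a replaced intermediate verifies with no change on the client. All names (Demo Root CA, radius.example.org, the file names) are constructed, and the result reflects OpenSSL's path building, not any particular Android supplicant.

```shell
#!/bin/sh
# Constructed throw-away PKI; every name and file here is hypothetical.
PKI=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
  > "$PKI/ca.ext"

# csr NAME CN: fresh RSA key plus certificate request
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI/$1.key" \
    -subj "/CN=$2" -out "$PKI/$1.csr" 2>/dev/null
}

# issue NAME ISSUER SERIAL [EXTFILE]: sign NAME.csr with ISSUER's key
issue() {
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.pem" -CAkey "$PKI/$2.key" \
    -set_serial "$3" -days 30 ${4:+-extfile "$4"} -out "$PKI/$1.pem" 2>/dev/null
}

build_pki() {
  csr root "Demo Root CA"
  openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" \
    -extfile "$PKI/ca.ext" -days 30 -out "$PKI/root.pem" 2>/dev/null
  csr int1 "Demo Intermediate G1"; issue int1 root 11 "$PKI/ca.ext"
  csr int2 "Demo Intermediate G2"; issue int2 root 12 "$PKI/ca.ext"  # replacement
  csr srv1 "radius.example.org";   issue srv1 int1 21
  csr srv2 "radius.example.org";   issue srv2 int2 22  # reissued leaf
}

# client_verify LEAF [SENT]: root.pem is the only demo CA the client trusts;
# SENT names the intermediate the server includes in its handshake, if any.
client_verify() {
  openssl verify -CAfile "$PKI/root.pem" ${2:+-untrusted "$PKI/$2.pem"} \
    "$PKI/$1.pem" >/dev/null 2>&1
}

report() {  # report LABEL LEAF [SENT]
  label=$1; shift
  if client_verify "$@"; then echo "$label: verified"; else echo "$label: REJECTED"; fi
}

build_pki
report "old leaf, server sends nothing"         srv1
report "old leaf, server sends intermediate G1" srv1 int1
report "new leaf, server sends intermediate G2" srv2 int2
```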





