
cat-users - Re: [[cat-users]] SHA1 sunsetting

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)



  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] SHA1 sunsetting
  • Date: Thu, 7 Apr 2016 14:19:49 -0300
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66

Hi,

> But that would clash with the suggestion for the server certificate
> to sport basicConstraints = critical,CA:FALSE (per
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations).
> Right?

Somewhat. To be honest, I did not find good advice anywhere on what a
truly self-signed certificate should look like. It's clear that it has
to have Issuer == Subject (or it wouldn't pass as self-signed), but if
you ask search engines about that specific topic you'll find plenty of
people who advocate that CA should be true, and many others who claim
that CA false is so much better.

It looks like it doesn't actually matter. The logic with CA certificates
in PKIX is that the chain is at least 1 cert long. But that's not true
in this case: it's a zero-length chain, and that's pretty much undefined
behaviour. It's like asking whether the number 1 is a prime: you can
argue both sides, and the only thing that saves you is to define it one
way; arguing alone will not give you a definitive answer.

That's why I don't like totally self-signed certificates (and we have
improved the realm reachability checks to cater for this special case
just a few weeks ago; we didn't even consider this path before).

I hope few people use them, but if it works for them, fine.

Greetings,

Stefan Winter
