cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Zenon Mousmoulas <zmousm AT noc.grnet.gr>, cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] SHA1 sunsetting
- Date: Thu, 7 Apr 2016 14:19:49 -0300
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66
Hi,
> But that would clash with the suggestion for the server certificate
> to sport basicConstraints = critical,CA:FALSE (per
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations).
> Right?
Somewhat. To be honest, I did not find anywhere good advice on how a
truly self-signed certificate should look like. It's clear that it has
to have Issuer == Subject (or it wouldn't pass as self-signed) but if
you ask search engines on that specific topic you'll find plenty of
people who advocate that CA should be true; and many others who claim
that CA false is so much better.
It looks like it doesn't actually matter. The logic with CA certificates
in PKIX is that the chain is at least 1 cert long. But that's not true
in this case - it's a zero-length chain and that's pretty much undefined
behaviour. It's like asking the question whether the number 1 is a
prime: you can argue to both sides, and the only thing that saves you is
to define it one way; arguing alone will not give you a definitive answer.
That's why I don't like totally self-signed certificates (and we have
improved the realm reachability checks to cater for this special case
just a few weeks ago; we didn't even consider this path before).
I hope few people use them, but if it works for them, fine.
Greetings,
Stefan Winter
Attachment:
0x8A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
- [[cat-users]] SHA1 sunsetting, Morris, Andi, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, Stefan Winter, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, Zenon Mousmoulas, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, Stefan Winter, 04/07/2016
- RE: [[cat-users]] SHA1 sunsetting, Morris, Andi, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, A . L . M . Buxey, 04/07/2016
- RE: [[cat-users]] SHA1 sunsetting, Morris, Andi, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, Tomasz Wolniewicz, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, Tomasz Wolniewicz, 04/07/2016
- RE: [[cat-users]] SHA1 sunsetting, Morris, Andi, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, A . L . M . Buxey, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, Zenon Mousmoulas, 04/07/2016
- Re: [[cat-users]] SHA1 sunsetting, Stefan Winter, 04/07/2016
Archive powered by MHonArc 2.6.19.