
cat-users - Re: [[cat-users]] Certificate validation

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Ruben Vestergaard <rubenv AT drcmr.dk>
  • To: Jørn Åne <jorn.dejong AT uninett.no>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Certificate validation
  • Date: Mon, 22 Jan 2018 11:37:38 +0100

On Mon, Jan 22 2018 at 11:06:46 +0100, Jørn Åne wrote:
> On 19/01/2018 14:04, Ruben Vestergaard wrote:
>> Why does PEAP even bother with TLS if it isn't going to use it?
>
> When you connect to eduroam, there is no host name you can verify the
> TLS certificate against. When you connect to an HTTPS website, you
> enter a domain name and connect to a server that must present a
> certificate with the same name. If the name doesn't match, the
> certificate isn't valid.
>
> [...]
>
> Since there is no way to verify the trustworthiness of
> the certificate [...]

Ah, but there is a way! Namely installing the signing certificate into your trust store.

So what baffles me is that every operating system decides to "trust" the connection in the absence of said certificate, as the security is *literally* non-existent without the root cert. And, at least on Apple devices, not so much as a warning that what you're doing is *absolutely senseless*.

...unless I'm missing a very fundamental part of the puzzle.

This is probably the wrong place, however, to raise this question; maybe rather I should go to my O/S provider(s) and ask them.

Thanks for replying!

Cheers,
-R
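
An added example, not part of the original message: a wpa_supplicant network block for PEAP with the weak setting (no trust anchor) shown beside the corrected one. The realm, identities, CA file path and server name are constructed placeholders.

```conf
# Constructed wpa_supplicant.conf example; realm, paths and names are placeholders.

# Weak profile (commented out): no ca_cert is configured, so whatever
# certificate the RADIUS server presents is accepted and the TLS tunnel
# does not authenticate the server at all.
#network={
#    ssid="eduroam"
#    key_mgmt=WPA-EAP
#    eap=PEAP
#    identity="user@example.org"
#    password="placeholder"
#    phase2="auth=MSCHAPV2"
#}

# Corrected profile: the signing CA is installed as the trust anchor and the
# expected server name is stated explicitly, which replaces the host name
# that a browser would take from the URL.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    # Outer identity sent in the clear before the tunnel is up
    anonymous_identity="anonymous@example.org"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    # CA that signed the home institution's RADIUS server certificate
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    # Reject certificates from that CA issued to any other server name
    domain_suffix_match="radius.example.org"
}
```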


