Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Certificate validation

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Certificate validation


Chronological Thread 
  • From: Ruben Vestergaard <rubenv AT drcmr.dk>
  • To: Jørn Åne <jorn.dejong AT uninett.no>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Certificate validation
  • Date: Mon, 22 Jan 2018 11:37:38 +0100

On Mon, Jan 22 2018 at 11:06:46 +0100, Jørn Åne wrote:
On 19/01/2018 14:04, Ruben Vestergaard wrote:
Why does PEAP even bother with TLS if it isn't going to use it?

When you connect to eduroam, there is no host name you can verify the
TLS certificate against. When you connect to an HTTPS website, you
enter a domain name and connect to a server that must present a
certificate with the same name. If the name doesn't match, the
certificate isn't valid.

[...]

Since there is no way to verify the trustworthiness of
the certificate [...]

Ah, but there is a way! Namely installing the signing certificate into your trust store.

So what baffles me that every operating system decides to "trust" the connection in absence of said certificate, as the security is *literally* non-existent without the root cert. And, at least on Apple devices, nothing as much as even a warning that what you're doing is *absolutely senseless*.

...unless I'm missing a very fundamental part of the puzzle.

This is probably the wrong place, however, to raise this question; maybe rather I should go to my O/S provider(s) and ask them.

Thanks for replying!

Cheers,
-R



Archive powered by MHonArc 2.6.19.

Top of Page