cat-users - Re: [[cat-users]] Certificate validation

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] Certificate validation


  • From: Jørn Åne <jorn.dejong AT uninett.no>
  • To: Ruben Vestergaard <rubenv AT drcmr.dk>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Certificate validation
  • Date: Mon, 22 Jan 2018 11:54:34 +0100

On 22/01/2018 11:37, Ruben Vestergaard wrote:
> On Mon, Jan 22 2018 at 11:06:46 +0100, Jørn Åne wrote:
>> On 19/01/2018 14:04, Ruben Vestergaard wrote:
>>> Why does PEAP even bother with TLS if it isn't going to use it?
>
>> When you connect to eduroam, there is no host name you can verify the
>> TLS certificate against.  When you connect to an HTTPS website, you
>> enter a domain name and connect to a server that must present a
>> certificate with the same name.  If the name doesn't match, the
>> certificate isn't valid.
>
>> [...]
>
>> Since there is no way to verify the trustworthiness of
>> the certificate [...]
>
> Ah, but there is a way! Namely installing the signing certificate into
> your trust store.

Yep. That's what the installer does. Or actually, it adds the CA that
signed the certificate, not the certificate itself.

> So what baffles me that every operating system decides to "trust" the
> connection in absence of said certificate, as the security is
> *literally* non-existent without the root cert. And, at least on Apple
> devices, nothing as much as even a warning that what you're doing is
> *absolutely senseless*.

I think you get some certificate screen on macOS and iOS, but it's
easily dismissed by users. At least it remembers the certificate, so
the next time you connect to eduroam it knows not to ask you but just
trust it (since you already accepted it earlier).

> ...unless I'm missing a very fundamental part of the puzzle.
>
> This is probably the wrong place, however, to raise this question; maybe
> rather I should go to my O/S provider(s) and ask them.

They could certainly make improvements to the UI, but the trust problem
is not that easy to solve.

> Thanks for replying!

You're welcome :)


--
Jørn Åne
Systemutvikler
UNINETT AS

Attachment: signature.asc
Description: OpenPGP digital signature
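The point of the thread, shown as a configuration example that is added here and is not part of the message above nor output of the CAT installer: on Linux the "weak" and "fixed" situations map to two wpa_supplicant network blocks. The first has no ca_cert, so the supplicant accepts whatever certificate the RADIUS server (or a rogue access point) presents and sends the MSCHAPv2 credentials into that tunnel; the second pins the CA the installer would add and, because there is no host name to derive from the SSID, states the expected server name explicitly. The realm, server name and CA file path are hypothetical.

```ini
# Constructed example, not a real institution's eduroam profile.

# Weak: no trust anchor, no server name.  Any server that speaks PEAP
# gets a TLS tunnel and then the user's inner MSCHAPv2 credentials.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="secret"
}

# Hardened: pin the issuing CA of the RADIUS server certificate and
# name the server, since the SSID "eduroam" gives no host name to match.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # outer identity: realm only, so the username is not sent in the clear
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="secret"
    # trust anchor (hypothetical path); what "installing the CA" means
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    # server name check: the certificate must carry this name (or a
    # subdomain of it) in its SAN or CN, even though it chains to ca_cert
    domain_suffix_match="radius.example.org"
}
```

Without ca_cert, domain_suffix_match is not enough: a rogue AP can present a self-signed certificate with the right name. Without domain_suffix_match, any certificate issued by that CA, for any name, is accepted, which matters when the pinned CA is a public one rather than an institution-private one.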



