cat-users - Re: [[cat-users]] eduroam CAT with Let's Encrypt

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] eduroam CAT with Let's Encrypt


  • From: Matthew Slowe <Matthew.Slowe AT jisc.ac.uk>
  • To: Mikael Bak <bak.mikael AT oszk.hu>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] eduroam CAT with Let's Encrypt
  • Date: Wed, 24 Apr 2019 12:09:49 +0000
  • Accept-language: en-GB, en-US

On 24 Apr 2019, at 08:19, Mikael Bak <bak.mikael AT oszk.hu> wrote:
Current thinking is that a local, long-lived Root CA (which could be
dedicated to RADIUS authentication) be used and published via CAT then
service certificates be issued using that.

There’s a pretty good breakdown of the pros and cons (not specifically
for LE) here:

https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations


I'm going to suggest to my colleagues that we deploy a dedicated,
long-lived Root CA for eduroam in our organization.

I imagine we're going to give a validity time of 10 years to our Root
CA. But on the other hand, what stops us from giving it, let's say, 20 or
50 years? Any obvious drawbacks?


I’m not really in a position to advise on this aspect. I can’t find any specific advice on the matter but, generally, I’ve seen organisations use 10 or 20 years. I’ve seen documentation suggesting "20+ years".

The thing to bear in mind is that the longer it’s valid for, the more likely someone will have “broken” the signature algorithm (remember SHA1 being deprecated?)… so it’s not a panacea for ignoring it!

Regards,
-- 
Matthew Slowe
Technical Specialist - Trust & Identity

Direct: 07442 097185
Team: 0300 300 2212, option 2
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
Jisc Trust and Identity Services
UK Access Management Federation - Assent - Certificate Service - Domain Registry and Liberate - fully managed solution for Jisc's access management services

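As an added example (not part of this thread, and not tooling from Jisc, eduroam or the CAT project): a POSIX shell script that uses openssl to mint throwaway self-signed root CAs with different lifetimes and then audits each the way you might audit a candidate RADIUS/EAP root before publishing it through CAT, flagging a signature algorithm outside an allowlist and a remaining lifetime beyond a policy limit. The certificate names, the 20-year limit and the SHA-2/EdDSA allowlist are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build throwaway self-signed root CAs
# with different lifetimes, then audit each the way you would audit a
# candidate eduroam/RADIUS root before publishing it via CAT.
# Assumptions: openssl on PATH, a 20-year policy limit, SHA-2/EdDSA allowlist.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root_ca NAME DAYS DIGEST -> prints the path of the new PEM certificate
make_root_ca() {
  name=$1; days=$2; digest=$3
  openssl req -x509 -newkey rsa:2048 -nodes "-$digest" -days "$days" \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
    2>/dev/null
  printf '%s\n' "$WORK/$name.pem"
}

# audit_ca CERT MAX_YEARS -> returns 0 when the cert passes both checks,
# otherwise prints one WARN line per finding and returns 1
audit_ca() {
  cert=$1; max_years=$2; rc=0
  # first "Signature Algorithm:" line of the text dump is the tbsCertificate one
  sigalg=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$sigalg" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ED25519|ED448) ;;
    *) echo "WARN: $cert signed with weak or unexpected algorithm: $sigalg"; rc=1 ;;
  esac
  # -checkend N exits 0 when the cert is still valid N seconds from now,
  # i.e. when its remaining lifetime exceeds the policy limit
  if openssl x509 -in "$cert" -noout -checkend $((max_years * 365 * 86400)) \
       >/dev/null; then
    echo "WARN: $cert remains valid for more than $max_years years"
    rc=1
  fi
  return $rc
}

# Demo: a 10-year and a 50-year root, judged against the 20-year limit
SHORT=$(make_root_ca eduroam-root-10y 3650 sha256)
LONG=$(make_root_ca eduroam-root-50y 18250 sha256)
if audit_ca "$SHORT" 20; then echo "$SHORT: OK"; fi
if audit_ca "$LONG" 20; then :; else echo "$LONG: review before publishing"; fi
```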
