cat-users - Re: [[cat-users]] eduroam CAT with Let's Encrypt

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Alan Buxey <alan.buxey AT gmail.com>
  • To: Mikael Bak <bak.mikael AT oszk.hu>
  • Cc: eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] eduroam CAT with Let's Encrypt
  • Date: Wed, 24 Apr 2019 19:25:15 +0100

You can have a long lifetime, just ensure it's as strong as you can reasonably make it (you might still need to update it if the attack vectors change anyway...) But probably ensure it doesn't expire beyond the 2038 32-bit date boundary as there's likely to still be interesting unfixed code out there :)

alan

On Wed, 24 Apr 2019, 08:19 Mikael Bak, <bak.mikael AT oszk.hu> wrote:
Matthew, Tony,
Thank you both for your valuable input!

On 2019. 04. 23. 11:47, Matthew Slowe wrote:
> Current thinking is that a local, long-lived Root CA (which could be
> dedicated to RADIUS authentication) be used and published via CAT then
> service certificates be issued using that.
>
> There’s a pretty good breakdown of the pros and cons (not specifically
> for LE) here:
>
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

I'm going to suggest to my colleagues that we deploy a dedicated,
long-lived Root CA for eduroam in our organization.

I imagine we're going to give a validity time of 10 years to our Root
CA. But on the other hand, what stops us from giving it, let's say, 20 or
50 years? Any obvious drawbacks?

TIA,
Mikael Bak
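Editor's added example (not part of the thread, not code from eduroam CAT or GEANT): Alan's 2038 caveat and Mikael's 10/20/50-year question can be turned into a quick planning check. The script below uses only the Python standard library. It computes the last second representable in a signed 32-bit time_t (2038-01-19 03:14:07 UTC), derives a candidate notAfter from a notBefore and a lifetime in years, flags whether the certificate would outlive that boundary, and reports which ASN.1 time encoding RFC 5280 section 4.1.2.5 requires for the expiry (UTCTime through 2049, GeneralizedTime from 2050), since some older EAP supplicants have also had trouble with GeneralizedTime dates. The 2019-04-24 issue date is constructed from the thread's date; the function and class names are the editor's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Last second a signed 32-bit time_t can hold: 2038-01-19T03:14:07Z.
Y2038_BOUNDARY = datetime.fromtimestamp(2**31 - 1, tz=timezone.utc)

# RFC 5280 4.1.2.5: validity dates through 2049 MUST be UTCTime,
# dates in 2050 or later MUST be GeneralizedTime.
UTCTIME_LAST_YEAR = 2049


@dataclass(frozen=True)
class ValidityReport:
    not_before: datetime
    not_after: datetime
    crosses_2038: bool       # True if notAfter is past the 32-bit time_t limit
    asn1_time_type: str      # "UTCTime" or "GeneralizedTime" for notAfter


def parse_utc_date(text: str) -> datetime:
    """Parse 'YYYY-MM-DD' as midnight UTC (constructed inputs for the demo)."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def add_years(when: datetime, years: int) -> datetime:
    """Advance a date by whole years; 29 Feb clamps to 28 Feb in non-leap years."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def plan_validity(not_before: datetime, years: int) -> ValidityReport:
    """Describe the consequences of issuing a certificate valid for `years`."""
    if not_before.tzinfo is None:
        raise ValueError("not_before must be timezone-aware")
    not_after = add_years(not_before, years)
    time_type = "UTCTime" if not_after.year <= UTCTIME_LAST_YEAR else "GeneralizedTime"
    return ValidityReport(
        not_before=not_before,
        not_after=not_after,
        crosses_2038=not_after > Y2038_BOUNDARY,
        asn1_time_type=time_type,
    )


def evaluate_candidates(not_before: datetime, candidates) -> dict:
    """Run plan_validity over several lifetimes, keyed by the lifetime in years."""
    return {years: plan_validity(not_before, years) for years in candidates}


if __name__ == "__main__":
    # Constructed: a root CA issued on the day of the thread, with the
    # three lifetimes Mikael mentioned.
    issued = parse_utc_date("2019-04-24")
    for years, report in evaluate_candidates(issued, (10, 20, 50)).items():
        flag = "CROSSES 2038" if report.crosses_2038 else "ok before 2038"
        print(f"{years:>2} years -> notAfter {report.not_after:%Y-%m-%d} "
              f"({report.asn1_time_type}, {flag})")
```

Of the three candidates only the 10-year lifetime stays inside the 32-bit boundary; 20 years crosses it while still encoding as UTCTime, and 50 years both crosses it and forces a GeneralizedTime expiry. The same function can be pointed at any other notBefore to sanity-check a CA plan before keys are generated.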