The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hello,

> You can have a long lifetime , just ensure it's as strong as you can
> reasonably make it (you might still need to update it if the attack
> vectors change anyway...) But probably ensure it didn't expire beyond
> the 2038 32bit date boundary as there's likely to still be interesting
> unfixed code out there :)

The eduroam Managed IdP server root CAs expire:

            Not After : Nov  1 11:25:43 2068 GMT

We have seen no issues whatsoever with this point in time, which uses
the X.509 generalizedDate format.

They have RSA-4096 bit keys and the chain uses the SHA-512 signature
algorithm; again, no issues there.

Using ECDSA for certificates is a bit more problematic with old clients.
Our eduroam Managed IdP client certificates are partly ECDSA on P-384
curve and partly RSA, depending on the target operating system's support
for elliptic curve cryptography.

Greetings,

Stefan Winter

> 
> alan
> 
> On Wed, 24 Apr 2019, 08:19 Mikael Bak, <bak.mikael AT oszk.hu
> <mailto:bak.mikael AT oszk.hu>> wrote:
> 
>     Matthew, Tony,
>     Thank you both for your valuable input!
> 
>     On 2019. 04. 23. 11:47, Matthew Slowe wrote:
>     >
>     >
>     > Current thinking is that a local, long-lived Root CA (which could be
>     > dedicated to RADIUS authentication) be used and published via CAT then
>     > service certificates be issued using that.
>     >
>     > There’s a pretty good breakdown of the pros and cons (not specifically
>     > for LE) here:
>     >
>     >
>     
> https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations
>  
>     >
> 
>     I'm going to suggest to my collegues that we deploy a dedicated,
>     long-lived Root CA for eduroam in our organization.
> 
>     I imagine we're going to give a validity time of 10 years to our Root
>     CA. But on the other hand, what stops us from give it, let's say 20 or
>     50 years? Any obvious drawbacks?
> 
>     TIA,
>     Mikael Bak
>     To unsubscribe, send this message: mailto:sympa AT lists.geant.org
>     <mailto:sympa AT lists.geant.org>?subject=unsubscribe%20cat-users
>     Or use the following link:
>     https://lists.geant.org/sympa/sigrequest/cat-users
> 
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys