An open discussion list for topics related to the geteduroam service

[Martin Pauly <pauly AT hrz.uni-marburg.de>]

Hi Paul,

Am 25.02.2021 um 21:30 schrieb Paul Dekkers (via geteduroam Mailing List):
> I understand your concern; if you have just one intermediate
> certificate it is displayed properly. If you have multiple, like with
> the TCS service popular in our community, it is not displayed
> properly in the settings. Instead, the settings show a red warning
> that you still need to pick one: but that's because the UI can't
> handle. It's just a limitation of the UI, the certificates are
> installed and used. So it's not insecure.

I'm afraid I don't understand everything in this. What point would you have
in putting intermediate certs in a normal eduroam profile anyway?
The standard case is that you give the client a root cert and at least one
server name. This suffices to safely and uniquely authenticate any server
cert signed by the root cert and carrying said name for the whole
lifetime of the CA. All intermediates should be provided by the server.
Our profile is no difference, just one root cert and one server name.

If you're telling me that the picture I see is a purely cosmetic problem,
there is indeed little to worry about. I will try to check next week.

Cheers, Martin

--
Dr. Martin Pauly     Phone:  +49-6421-28-23527
  HRZ Univ. Marburg    Fax:    +49-6421-28-26994
  Hans-Meerwein-Str.   E-Mail: pauly AT HRZ.Uni-Marburg.DE
  D-35032 Marburg

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature