On 01/20/2012 02:36 PM, Alan Buxey wrote:

CA distribution was always the issue for private CA - but most sites now go for using a deployment tool of some kind to get clients set up - and all of them can deal with installing a CA, so that's a problem gone. The system is closed-loop, visitors never need to trust your RADIUS server cert...only your own folk do - so why use public in this space?

Couple of things to note:

Firstly, *if* you are using a public CA you should try very, very hard to ensure your clients are checking the cert CN. This somewhat alleviates the "anyone can buy a cert" risk.

Secondly, there's not much point in going for a "super cheap" public CA. You only need one cert, and don't need very esoteric options like EV or multiple subjectAltNames. This keeps the cost reasonably sane, and therefore you might as well shell out for a Verisign (or similar) one.

Doing that gives you a slightly better chance the CA will not hand out random crap to attackers, and *much* better probability the CA will be present on clients already.

You mention "most sites use a deployment tool". I'd be interested to see numbers on that, but it's probably OT for the list.

As I've said previously - people thinking of using a public CA should be very sure they understand and accept the risks. I agree the safe default is to use a private CA.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
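As an added illustration of the "make sure clients check the cert CN" point above (not part of either poster's message), here is a wpa_supplicant network block trusting a public root bundle, first without any server-name check and then with one. SSID, identity, password, path and server name are constructed placeholders.

```ini
# Constructed example, not from the list thread.
# Weak: the supplicant accepts ANY server certificate that chains to a root
# in the public bundle, i.e. a cert bought from any of those CAs would pass.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}

# Hardened: keep the public bundle but also pin the expected server name, so a
# cert from the same public CA for some other host is rejected.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # Server cert subject/SAN must end with this domain suffix.
    domain_suffix_match="radius.example.org"
    # Alternative: substring match on the subject DN (older supplicants).
    # subject_match="/CN=radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

With a private CA the `ca_cert` line alone already limits trust to certs that CA issued, which is why the thread treats it as the safe default; the name match is what closes the gap when the CA is public.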
