IETF network security - server-side authentication

[Stefan Winter <stefan.winter@restena.lu>]

Hi,

" Our Radius authentication servers use a certificate that you can
verify by going to this page:
https://www.ietf.org/registration/MeetingWiki/wiki/92net." That page
lists the fingerprints of the certificates used to identify the network.
Fingerprint identification is one out of two ways to validate the
server-side of the network; the other one is PKIX ("The CA which issues
our cert is <a>this</a> and the server CN/sAN:DNS is 'foo.bar'"). Most
client-side configuration UIs only support the latter; you can't usually
pre-configure an expected fingerprint. This means that the user during
connection time needs to interactively observe a popup with a
20-character SHA fingerprint, compare it byte-by-byte with an
out-of-band communicated expected value - guess how many end users will
actually do that; and how many won't bother instead. Also, as soon as
the certificate expires and gets renewed, the fingerprint will change,
which typically throws an alert popup in client devices. PKIX validation
OTOH can be pre-configured on clients - sometimes in an automated way
using "configuration profiles" of sorts ( see my presentation in saag
tomorrow, and
https://tools.ietf.org/html/draft-winter-opsawg-eap-metadata-02 ). It
will also only warn about change of certs only when the *CA* expires
(something in the decades range usually), and even then a good client
can be fed with the old and new CA so that the change doesn't come as a
surprise, and no warning needs to be issued at all. So, I would
appreciate if the network information could in the future be augmented
with the necessary information to identify the network PKIX style. For
extra bonus points, actually do supply configuration profiles, either
handicrafted or using a service like https://802.1x-config.org (I'm
happy to give out digitally signed installers for free to the IETF
Network there). Greetings, Stefan Winter