IETF Logo Mail Archive

Re: Security for the IETF wireless network

Stefan Winter <stefan.winter@restena.lu> Fri, 25 July 2014 15:32 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C62091B296B for <ietf@ietfa.amsl.com>; Fri, 25 Jul 2014 08:32:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZMdgzVVIZJKc for <ietf@ietfa.amsl.com>; Fri, 25 Jul 2014 08:32:32 -0700 (PDT)
Received: from smtp.restena.lu (legolas.restena.lu [IPv6:2001:a18:1::34]) by ietfa.amsl.com (Postfix) with ESMTP id 8F1CC1B298F for <ietf@ietf.org>; Fri, 25 Jul 2014 08:32:23 -0700 (PDT)
Received: from smtp.restena.lu (localhost [127.0.0.1]) by smtp.restena.lu (Postfix) with ESMTP id 7A7C2F1065; Fri, 25 Jul 2014 17:32:22 +0200 (CEST)
Received: from viper.local (unknown [158.64.15.196]) by smtp.restena.lu (Postfix) with ESMTPSA id E84AC9DD0B; Fri, 25 Jul 2014 17:32:21 +0200 (CEST)
Message-ID: <53D27884.6090508@restena.lu>
Date: Fri, 25 Jul 2014 17:32:20 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Bill Fenner <fenner@fenron.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: Security for the IETF wireless network
References: <0FE63216-9BE8-450F-80FB-D1DB6166DFEF@ietf.org> <53D17359.2030505@gmail.com> <CFF7BAFE.28A14%wesley.george@twcable.com> <53D25789.8000804@restena.lu> <CAATsVbY44t7QvDNe4UcBfM1MpzkphZYCyHPz=Mwax95fSpjmFg@mail.gmail.com> <53D2687A.8030608@gmail.com> <CAATsVbbY7p5bsaFgju+jcsi9WP31=Wnh+Eo0cuJRaCNBuuDZ_w@mail.gmail.com>
In-Reply-To: <CAATsVbbY7p5bsaFgju+jcsi9WP31=Wnh+Eo0cuJRaCNBuuDZ_w@mail.gmail.com>
X-Enigmail-Version: 1.6
OpenPGP: id=8A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="RJrGocdkjIJOBPhmI6hqfsIrxQDjHDPWK"
X-Virus-Scanned: ClamAV
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/4PSSBomqMFAoVxTxBOE5IjnmZwU
Cc: IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jul 2014 15:32:35 -0000

Hi,

>
> Sorry, I assumed that this was just an annoying dialog and there was a
> checkbox for "do it anyway".  We will have to find a way to manage the
> usability on Windows, whether that means "buy a cert from someone who
> is in Microsoft's default trust list too" or "provide instructions for
> Windows users" or what.
>

A common misunderstanding. There *is no* default trust list for IEEE
802.1X purposes. Even on Microsoft, you have to tick the checkbox on the
one CA you trust for this connection. Due to that, whether you paid for
a commercial CA's cert or just created a self-signed one doesn't matter;
self-signed simply adds the extra step of importing the CA in the first
place. Both need the user to TheRightThing(tm).

The instruction can be "use this .exe that we provide, it will push the
right knobs for you." That's why I mentioned my website which gives you
such installers.

Stefan

v2.23.0 | Report a Bug | By Email