Re: Security for the IETF wireless network

[Stefan Winter <stefan.winter@restena.lu>]

Hi,

> Meaning, you'd be happy if we replace "Do not validate server
> cert" with "If you'd like to validate the server cert, you can import
> the public key <a href="...">here</a>, or the fingerprint is
> 53 63 6f 6f 62 79 20 44 6f 6f 62 79 20 44 6f 6f 21"?

Basically, yes. Client device UI typically offers two ways for cert
validation; ideally, you'd put both on the website.

a) if you just click/tap to connect (let's call it "ignorance mode ;-)
", all PKIX validation is ignored, UIs typically only present you with
the CN of the *server cert* and the fingerprint of the *server cert*. So
the IETF web site should publish name and fingerprint of the server cert
(on its HTTPS variant of course, to establish trust in this information
in the first place)

b) if you are a good user, you'd establish the PKIX CA root on your
client device. For that, the IETF web site should provide the *root CA*
certificate for download (plus its fingerprint for extra paranoia
checks), along with the expected *server CN*.

Since you provision the CA cert anyways, it doesn't matter if it's a
commercial CA or your own purpose-built one. If you want to roll your
own, eduroam folks have a huge load of instructions and considerations
which cert properties should be in that certificate. See here:
https://wiki.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

Of course you can add PDF instructions for Windows users how to import a
CA etc., and many networks do that. Or you make use of such automatic
installer tools which do the job on the user's device automatically. I
think I mentioned one already ;-) , and that I'm happy to give the
Enterprise edition of it away for free to the IETF network:
https://802.1x-config.org .
Greetings,

Stefan Winter