On Mar 7, 2011, at 4:03 PM, Arran Cudbard-Bell wrote:
>
> On Mar 7, 2011, at 3:57 PM, Alan Buxey wrote:
>
>> Hi,
>>
>>> 1) It validates the server cert to assure it's signed by a CA it trusts
>>> (possibly via a cert chain).
>>>
>>> 2) It then validates the certificate subject to make sure the server it
>>> thought it was connecting to appears in the certificate (either as the
>>> certificate subject or one of the certificate subject alternate names).
>>>
>>> If either 1 or 2 fails it should abort the connection.
>>>
>>> If it were possible on an SSL/TLS connection to impersonate another
>>> server then most of PKI would be a complete failure.
>>>
>>> So why does this group think PKI doesn't work?
>>
>> Check the supplicant configuration. Note the parts where the client
>> can be told to validate that the server has a particular CN.
>>
>> That's the issue. If the client knows the CA then it can be happily
>> duped... One of the causes of this is that with e.g. HTTPS, the client is
>> told to connect to a particular host name entry... and there are A records
>> to check etc. With 802.1X it's just EAP: layer 2, physical, no way of doing
>> anything else.
>
> Uhuh, relying on a for-profit organisation to properly verify the information
> provided for every CSR that comes its way seems like a bad idea to me too.
>

Though I guess there's probably no box saying 'I promise not to use this
certificate to harvest credentials from another one of your customers'...
and I guess that should be 3rd party...

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
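The supplicant-side check Alan refers to, as an added wpa_supplicant example that is not part of this thread: the first network block only verifies the CA (so any certificate that CA ever issued is accepted), the second also pins the expected RADIUS server name. The SSID, hostnames, file paths and credentials are placeholders, and `domain_match` assumes a wpa_supplicant release recent enough to support it.

```ini
# Added example (not from the thread): two wpa_supplicant network blocks for
# the same PEAP/MSCHAPv2 SSID. SSID, hostnames, paths and credentials are
# placeholders chosen for illustration.

# Weak: only check 1 is performed. The server certificate must chain to a CA
# in ca_cert, but with a public CA bundle any certificate that bundle's CAs
# issued to anyone is accepted, which is the situation the thread describes.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    identity="user@example.edu"
    password="PLACEHOLDER"
}

# Hardened: checks 1 and 2. The CA is a dedicated one that only issues the
# RADIUS server's certificate, and the supplicant additionally requires the
# certificate to name that server (SAN dNSName, falling back to subject CN
# for domain_match), so a certificate the same CA issued for another host
# is rejected and the EAP exchange is aborted.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_match="radius.example.edu"
    altsubject_match="DNS:radius.example.edu"
    identity="user@example.edu"
    password="PLACEHOLDER"
}
```

Without a name constraint, the supplicant has no equivalent of the hostname it would check on an HTTPS connection, which is why the CA check alone is not enough at layer 2.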