
Re: Security for the IETF wireless network

2014-07-25 08:11:17
Hi,

This is what I get (Windows 7):

Radius Server:           services.meeting.ietf.org
Root CA:                 Starfield Class 2 Certification Authority

The server "services.meeting.ietf.org" presented a valid certificate issued
by "Starfield Class 2 Certification Authority", but "Starfield Class 2
Certification Authority" is not configured as a valid trust anchor for this
profile. Further, the server "services.meeting.ietf.org" is not configured
as a valid NPS server to connect to for this profile.

Sure. That's because you should never "just connect" to an IEEE 802.1X
network. You configure the security properties you expect *first* (i.e.
install/mark as trusted the CA, the expected server name, the EAP types
that are supposed to be supported on this network, an anonymous outer
identity if you like/need) - and *then* you actually connect, and see if
the server you arrived at is the one you expect.

This is a wholly different security model than website-certificate-TLS.

I've been in touch with the NOC earlier about this. The IETF network
website really needs to *publish* these expected security details, then
you need to *configure* them - and only then is the network secure, and
guaranteed to be the genuine IETF one.

There are also tools which generate installation programs for these
security properties so that unsuspecting users don't have to know or
realise what this "CA" thing is in the first place.

I run a website which does these things; and am perfectly fine with
handing out installers with digital signatures for the IETF network use.

If you're curious hop over to https://802.1x-config.org (and
particularly the "Take the tour" for explanations:
https://802.1x-config.org/tour1.php).

Thanks for listening to this slightly ad-laden mail. :-)

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0x8A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
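
The pre-configuration described in the reply above (trust anchor, expected server name, EAP types, anonymous outer identity) can be checked mechanically. The following is an added example, not part of the original mail: a Python audit of wpa_supplicant network blocks. The choice of wpa_supplicant is an assumption, the SSID, identities and CA file path are placeholders, and the server name is the one quoted in the thread.

```python
# Constructed sample profiles; SSID, identities and the CA path are placeholders.
UNPINNED = '''
network={
    ssid="example-1x"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
}
'''
PINNED = '''
network={
    ssid="example-1x"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    ca_cert="/etc/ssl/certs/PLACEHOLDER-root-ca.pem"
    domain_suffix_match="services.meeting.ietf.org"
}
'''
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):  # one {option: value} dict per network={...} block
    nets, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key] = value.strip('"')
    return nets

def audit(opts):
    """List the server-validation settings an 802.1X profile leaves open."""
    if "EAP" not in opts.get("key_mgmt", ""):
        return []  # not an EAP network, nothing to check here
    findings = []
    if not (opts.get("ca_cert") or opts.get("ca_path")):
        findings.append("no trust anchor: server certificate is not verified")
    if not any(opts.get(k) for k in NAME_CHECKS):
        findings.append("no expected server name: any certificate under the CA passes")
    if not opts.get("eap"):
        findings.append("EAP methods not restricted")
    if not opts.get("anonymous_identity"):
        findings.append("no anonymous outer identity (optional)")
    return findings
```

Calling `audit()` on each dict returned by `parse_networks()` gives an empty list only for a profile that names both a trust anchor and an expected server name before the first connection attempt.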
