Trust Anchor: Using a CA for the APC
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Project Moonshot | Fix Released | Wishlist | Unassigned | |
Bug Description
Currently, the documentation for Moonshot assumes that a certificate hash will be used for verifying the certificate presented by the APC IdP.
It would be useful if it were possible for a CA (public or private) root certificate to be trusted instead of the subordinate certificate, allowing key changes and revocation. To do this correctly would also require use of a CRL or OCSP.
A quick search indicates wpa_supplicant supports OCSP stapling:
"When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be configured to use OCSP stapling (TLS certificate status request) with ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP response before connection is allowed to continue."
And CRL checking:
"added support for verifying certificate revocation list (CRL) when using integrated EAP authenticator for EAP-TLS; new hostapd.conf options 'check_crl'; CRL must be included in the ca_cert file for now"
I do not know if FreeRADIUS supports this functionality - wpa_supplicant uses OpenSSL too, so in theory it should.
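The two trust-anchor choices the report contrasts, written out as wpa_supplicant and hostapd configuration fragments. This is an added illustration of the options the report quotes (ocsp=1/2 and check_crl); it is not part of the bug report and not Moonshot's own configuration. File paths, the SSID, the identity, the certificate hash and the server name are placeholders, and the use of ca_cert, domain_suffix_match and phase2 is assumed from the wpa_supplicant.conf option set rather than from anything on this page.

```ini
# Added example, not from the Moonshot bug report or project documentation.
# All paths, names and the hash value below are placeholders.

# --- Client side (wpa_supplicant.conf) ---

# Option A: pin the EAP server certificate by hash, as the Moonshot
# documentation currently assumes. Trust is tied to one certificate, so an
# IdP key change breaks every client until the hash is updated, and there is
# no revocation path at all.
network={
    ssid="PLACEHOLDER-SSID"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="PLACEHOLDER"
    # SHA-256 of the server's DER certificate, hex encoded (placeholder value)
    ca_cert="hash://server/sha256/0000000000000000000000000000000000000000000000000000000000000000"
}

# Option B: anchor trust at the CA root instead of the leaf certificate.
# The IdP can rotate its key under the same CA, and the certificate can be
# revoked. Two things are required for this to be as strong as pinning:
#   1. a name constraint, otherwise any certificate the CA has ever issued
#      would be accepted as the IdP;
#   2. a revocation check, here OCSP stapling via the ocsp= parameter the
#      report quotes (ocsp=1 requests it, ocsp=2 refuses to continue
#      without a valid response).
network={
    ssid="PLACEHOLDER-SSID"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="PLACEHOLDER"
    # Root (or private) CA certificate only; the leaf is no longer listed.
    ca_cert="/etc/ssl/certs/example-idp-ca.pem"
    # Accept only a server certificate whose name matches this suffix.
    domain_suffix_match="idp.example.org"
    # Require a valid stapled OCSP response before the handshake may continue.
    ocsp=2
}

# --- Server side (hostapd.conf, integrated EAP authenticator) ---
# CRL checking as described in the quoted changelog: the CRL is appended to
# the ca_cert PEM file alongside the CA certificate.
eap_server=1
ca_cert=/etc/hostapd/ca-with-crl.pem
server_cert=/etc/hostapd/server.pem
private_key=/etc/hostapd/server.key
# check_crl: 1 = check the CRL for the peer certificate,
#            2 = check CRLs for every certificate in the chain.
check_crl=1
```

When building the ca_cert file for the hostapd side, concatenate the CA certificate PEM and the CRL PEM into one file; the CRL has an expiry (nextUpdate), so it has to be refreshed on a schedule or the check starts failing. On the client side, ocsp=2 is the setting that actually enforces revocation: ocsp=1 only asks the server to staple a response and will proceed without one.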
Changed in moonshot:
status: New → Fix Committed
importance: Undecided → Wishlist
milestone: none → pilot6

Changed in moonshot:
status: Fix Committed → Fix Released