Educause Security Discussion mailing list archives

Re: Apple Devices not trusting Comodo SSL Certificate on initial Wireless Connection


From: Rich Graves <rcgraves () BRANDEIS EDU>
Date: Wed, 18 Oct 2017 13:12:29 -0500

No, you need a profile, period. Or a leap of faith by the client – I kinda
like the way that Windows 10 presents that choice to the user. “Do you
expect to find this network in this location?”



For HTTPS, security depends on consistency between the name the user types
(or at least sees) in the address bar, and the name on the SSL certificate
(which must be signed by a trusted third party). For WiFi, there is no
address bar and no fully qualified domain name that can be traced to a
physical entity. There is absolutely no technically provable
relationship between the SSID (name of the wireless network) and the
authentication server behind it. Therefore, we must hard-code the triplet
of SSID, authentication server, and certificate authority into the client
wireless configuration.



See:
https://docs.google.com/presentation/d/1M3ETLK1VkYfUlJyTmkoLH5Ex-1CSE1y-stDVITDvQJA/edit#slide=id.g63659399_1_96



There is very little reason to go with a public CA rather than a long-lived
private CA for 802.1X. I used to say “no reason” but manual configuration
can be ever so slightly easier on Android.
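
Added example, not part of the original message: a Python check that an Apple configuration profile pins the whole triplet described above (SSID, authentication server name, certificate authority) for each 802.1X Wi-Fi payload. The sample profile, the SSID `ExampleU-Secure`, the server name `radius.example.edu` and the UUIDs are constructed placeholders.

```python
import plistlib

CERT_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")

def audit_wifi_pinning(profile_bytes):
    """Return {ssid: [problems]} for each 802.1X Wi-Fi payload in a profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    # UUIDs of the certificate payloads shipped inside this same profile.
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = {}
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue  # not a Wi-Fi payload, or not an 802.1X network
        problems = []
        if not p.get("SSID_STR"):
            problems.append("no SSID")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("no pinned authentication server name")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("no pinned certificate authority")
        elif not set(anchors) <= cert_uuids:
            problems.append("CA anchor not found in profile")
        findings[p.get("SSID_STR", "<missing>")] = problems
    return findings

def sample_profile(pinned):
    """Constructed sample profile; every name and UUID is a placeholder."""
    ca_uuid = "11111111-2222-3333-4444-555555555555"
    eap = {"AcceptEAPTypes": [25]}  # 25 = PEAP
    if pinned:
        eap["TLSTrustedServerNames"] = ["radius.example.edu"]
        eap["PayloadCertificateAnchorUUID"] = [ca_uuid]
    wifi = {"PayloadType": "com.apple.wifi.managed",
            "PayloadUUID": "66666666-7777-8888-9999-000000000000",
            "SSID_STR": "ExampleU-Secure", "EncryptionType": "WPA2",
            "EAPClientConfiguration": eap}
    ca = {"PayloadType": "com.apple.security.root", "PayloadUUID": ca_uuid,
          "PayloadContent": b"placeholder bytes, not a real DER certificate"}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [wifi, ca]})

if __name__ == "__main__":
    for pinned in (True, False):
        print(pinned, audit_wifi_pinning(sample_profile(pinned)))
```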
