by WatchDog 897 days ago
> In the “When using this certificate” dropdown, select “Always Trust.”

Shouldn't it be possible to only enable “Always Trust” in the "X.509 Basic Policy" setting, instead of allowing the certificate to be used for everything (including SSL)?

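As an added illustration of the question above (not code from the thread or from any of the commenters), the macOS `security` command line can add a root with a trust constraint limited to one policy, and its trust-settings dump can be audited for roots that were clicked through as "Always Trust" for everything. The keychain path and the exact layout of the `dump-trust-settings` output below are assumptions from memory, and the sample dump is constructed so the audit runs offline.

```shell
# Added example, not from the HN thread. Assumes macOS's `security` CLI
# (add-trusted-cert -p, dump-trust-settings -d) and the login keychain
# path below; the dump layout is reproduced from memory.

# Trust a root for the X.509 Basic policy only, rather than for SSL,
# code signing and every other policy. Clicking "Always Trust" in the
# GUI is roughly the same command with no -p constraint at all.
add_root_basic_only() {
    cert_pem="$1"
    security add-trusted-cert -p basic \
        -k "$HOME/Library/Keychains/login.keychain-db" "$cert_pem"
}

# Read `security dump-trust-settings -d` output on stdin and print the
# names of roots whose trust-settings list is empty. In the trust
# settings model an empty list means "trusted for every policy", which
# is the state the thread worries about (MITM of TLS, code signing).
find_unrestricted_roots() {
    awk '
        /^Cert [0-9]+:/ { sub(/^Cert [0-9]+: /, ""); name = $0 }
        /Number of trust settings : 0/ { print name }
    '
}

# Constructed sample dump: one root narrowed to X509 Basic (fine for
# the WPA3 case), one root trusted for everything.
SAMPLE_DUMP='Number of trusted certs = 2
Cert 0: Corp WPA3 Root
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : X509 Basic
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 1: Hotel Captive Portal CA
   Number of trust settings : 0'

# Offline run over the constructed sample; prints "Hotel Captive Portal CA".
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | find_unrestricted_roots
}

# Live run on a Mac: lists roots the current user trusts for all policies.
audit_live() {
    security dump-trust-settings -d 2>/dev/null | find_unrestricted_roots
}

audit_sample
```

Run `audit_live` on the machine in question to see which roots ended up with unrestricted trust; any that only need to validate a Wi-Fi RADIUS server can be removed and re-added through `add_root_basic_only` (or with `-p eap`, which is also a valid constraint) so a compromised access point gets no leverage over TLS or code signing.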

On Mac (which the author appears to be talking about), I believe agreeing to Always Trust when connecting to a WPA3 network only enables it for the "X.509 Basic Policy" setting. I don't know much about how the different trust policies on OSX work though, and it makes me very uncomfortable that trusting self-signed root certificates may become more common for connecting to wifi networks.

If you do trust the root cert for everything, couldn't the access point MITM all your traffic?

Not only MITM traffic, but also run arbitrary software since it could also govern code signing.

I work at smallstep.

Not sure about the RADIUS server, but connections to the CA use TLS for SCEP and/or ACME DA so the CA root cert needs to be trusted for TLS. There may be some way to configure more narrow trust for just this one interaction, but I'm not aware of any such mechanism in the current releases of macOS/iOS/iPadOS/tvOS.