by e12e 897 days ago
Right. I think it makes a lot of sense to integrate Radius in your product. But the only way that giving full trust to a third-party CA could be dubbed "NSA-grade" would be that it puts you within the reach of the NSA by way of an NSL to that third party?

(I'm not generally aiming to mitigate state level actors, but you put "NSA-grade" in the headline...).


Well... the title is hyperbolic (as titles are wont to be), but the goal was to configure Wi-Fi that aligns with the CNSA Suite[1] / CNSSP 15[2], which I think is fair to call "NSA-grade" since they wrote the standard.

If the NSA wants to get a certificate that your system trusts there are already dozens of organizations with root certs in your system trust store that they can strongarm. Most organizations can't afford to have the NSA in their threat model. You better not be using public clouds, GSuite, Okta, Azure AD/Entra, etc. This is a difficult security posture to maintain, especially at scale.

For most organizations, delegating the operation of sensitive security infrastructure to a third party results in better security, not worse. Yes, you're trusting a third party. But you're also outsourcing sensitive security operations to experts.

And, we also have on-prem and open source if you really need something air-gapped ;)

[1] https://en.wikipedia.org/wiki/Commercial_National_Security_A...
[2] https://www.cnss.gov/CNSS/issuances/Policies.cfm

Historically, cryptosystems are broken through weaknesses in key distribution, not by cracking the encryption outright.

Correct.
> And, we also have on-prem and open source if you really need something air-gapped ;)

You support a self-hosted FOSS solution that enables on-prem WPA3 EAP-TLS?
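The trust-store point raised above (any of the dozens of public roots could be coerced) is moot for EAP-TLS if the supplicant trusts only the organization's own RADIUS CA instead of the system store. The following wpa_supplicant network block is an added illustration, not the product's or any commenter's configuration; the SSID, identity, certificate paths and the RADIUS hostname are placeholders.

```conf
# WPA3-Enterprise 192-bit mode (CNSA-aligned) with EAP-TLS.
# Added example; all names and paths below are assumptions.
network={
    ssid="corp-wifi"                       # placeholder SSID
    key_mgmt=WPA-EAP-SUITE-B-192           # 192-bit security suite
    ieee80211w=2                           # management frame protection required
    pairwise=GCMP-256
    group=GCMP-256
    group_mgmt=BIP-GMAC-256
    eap=TLS
    identity="user@example.com"            # placeholder outer identity

    # Pin the organization's private RADIUS CA only. Nothing in the
    # system trust store is consulted, so a coerced public root
    # cannot mint a server certificate this client would accept.
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"  # assumed path

    # Additionally require the server certificate's SubjectAltName /
    # CN to match the expected RADIUS hostname (placeholder).
    domain_match="radius.example.com"

    # Client credentials issued by the same private CA (assumed paths).
    client_cert="/etc/wpa_supplicant/client.pem"
    private_key="/etc/wpa_supplicant/client.key"

    # Enforce Suite B 192-bit TLS constraints (P-384 / AES-256-GCM /
    # SHA-384; RSA must be >= 3072 bits) on the EAP-TLS handshake.
    phase1="tls_suiteb=1"
    openssl_ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
}
```

The check worth running after deployment is the negative one: present a server certificate chained to a public root and confirm the supplicant rejects the association rather than silently falling back.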