mmalone | 2 years ago

Well... the title is hyperbolic (as titles are wont to be), but the goal was to configure Wi-Fi that aligns with the CNSA Suite[1] / CNSSP 15[2], which I think is fair to call "NSA-grade" since they wrote the standard.

If the NSA wants to get a certificate that your system trusts, there are already dozens of organizations with root certs in your system trust store that they can strong-arm. Most organizations can't afford to have the NSA in their threat model. You better not be using public clouds, GSuite, Okta, Azure AD/Entra, etc. This is a difficult security posture to maintain, especially at scale.

For most organizations, delegating the operation of sensitive security infrastructure to a third party results in better security, not worse. Yes, you're trusting a third party. But you're also outsourcing sensitive security operations to experts.

And, we also have on-prem and open source if you really need something air-gapped ;)

[1] https://en.wikipedia.org/wiki/Commercial_National_Security_A...

[2] https://www.cnss.gov/CNSS/issuances/Policies.cfm

Animats | 2 years ago

Historically, cryptosystems are broken through weaknesses in key distribution, not by cracking the encryption outright.

e12e | 2 years ago

> And, we also have on-prem and open source if you really need something air-gapped ;)

You support a self-hosted FOSS solution that enables on-prem WPA3 EAP-TLS?