On Wed, 30 Mar 2022 11:25:12 +0000 Mike Gabriel <mike.gabr...@das-netzwerkteam.de> wrote:
> With the new Debian Edu rootCA certificate (introduced with Debian Edu
> 10) being used as a base for authorizing the relationship between
> clients and the network server TJENER, I observe that when plugging
> one Debian Edu machine from one Debian Edu network into some other
> Debian Edu network the Debian Edu client machine would adjust itself
> to the new network (update Debian-Edu_rootCA.crt) during boot time.
…
> I'd suggest going back to the previous behaviour where a notebook
> would only attach itself to one Debian Edu TJENER on first boot and
> from then on be only authorized to talk to the LDAP server of that
> initial Debian Edu network it was booted in.
Currently, fetch-rootca-cert is run on bootup (or via DHCP hooks if https://salsa.debian.org/debian-edu/debian-edu-config/-/merge_requests/22 gets merged). The script checks whether /usr/local/share/ca-certificates/Debian-Edu_rootCA.crt exists and is not empty and does nothing if so (see https://salsa.debian.org/debian-edu/debian-edu-config/-/blob/7f7b819882e2fec58fd85d5d52db5248aafed48e/share/debian-edu-config/tools/fetch-rootca-cert#L28).

Isn't this already the TOFU behavior you suggest?

-- 
Guido Berhoerster
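The trust-on-first-use gate Guido describes (fetch the CA only when the local copy is missing or empty, otherwise leave it alone), shown as an added example that is not debian-edu-config's own fetch-rootca-cert script. The function names are hypothetical, the "fetch" copies from a local path instead of retrieving the certificate from TJENER so it runs offline, and the input files are constructed placeholders rather than real certificates. It also goes one step beyond the thread: a second function reports when the network a client is currently plugged into offers a CA that differs from the pinned one, which is the condition a notebook moved between Debian Edu networks would hit and which a pure "do nothing if the file exists" check silently ignores.

```sh
#!/bin/sh
# Added example, not debian-edu-config's fetch-rootca-cert.
# TOFU pinning of a root CA: the first non-empty CA the client sees is kept;
# later boots (including on a different network) never overwrite it.

# tofu_fetch_ca <offered_ca> <pinned_ca>
#   prints "kept"    and returns 0 if a non-empty pinned CA already exists
#   prints "fetched" and returns 0 if the offered CA was pinned just now
#   returns 1 without pinning anything if the offered CA is missing or empty
# The "fetch" is a local copy here (assumption, so the example runs offline);
# the real script retrieves the certificate from the network server.
tofu_fetch_ca() {
    src=$1
    dest=$2
    # Same gate as the script in the thread: existing, non-empty file wins.
    if [ -s "$dest" ]; then
        echo kept
        return 0
    fi
    # Never pin an empty file: that would later be treated as "unpinned".
    if [ ! -s "$src" ]; then
        echo "refusing to pin an empty or missing CA from $src" >&2
        return 1
    fi
    # Write atomically so a crash mid-copy cannot leave a truncated CA behind.
    tmp="$dest.tmp.$$"
    cp -- "$src" "$tmp" && mv -f -- "$tmp" "$dest"
    echo fetched
}

# tofu_check_ca <offered_ca> <pinned_ca>
#   prints "match"    and returns 0 if the network offers the pinned CA
#   prints "mismatch" and returns 2 if it offers a different CA
#   prints "unpinned" and returns 1 if nothing has been pinned yet
# This check is an addition; the thread's script has no such comparison.
tofu_check_ca() {
    src=$1
    dest=$2
    [ -s "$dest" ] || { echo unpinned; return 1; }
    if cmp -s -- "$src" "$dest"; then
        echo match
        return 0
    fi
    echo "CA offered by the network differs from pinned CA in $dest" >&2
    echo mismatch
    return 2
}

# Demo on constructed placeholder files (not real certificates):
# an empty CA is refused, network A's CA is pinned, plugging into network B
# keeps A's CA, and the check reports the mismatch.
demo() {
    d=$(mktemp -d)
    printf 'CA of network A\n' > "$d/netA.crt"
    printf 'CA of network B\n' > "$d/netB.crt"
    : > "$d/empty.crt"
    pinned="$d/Debian-Edu_rootCA.crt"
    st0=0; st3=0
    r0=$(tofu_fetch_ca "$d/empty.crt" "$pinned" 2>/dev/null) || st0=$?
    r1=$(tofu_fetch_ca "$d/netA.crt" "$pinned")
    r2=$(tofu_fetch_ca "$d/netB.crt" "$pinned")
    r3=$(tofu_check_ca "$d/netB.crt" "$pinned" 2>/dev/null) || st3=$?
    content=$(cat "$pinned")
    rm -rf "$d"
    echo "$st0 $r1 $r2 $r3 $st3 $content"
}

demo
```

Running it prints `1 fetched kept mismatch 2 CA of network A`: the empty CA is refused (status 1), network A's CA is pinned on first use, the later boot on network B leaves it untouched, and the check returns 2 because the offered CA no longer matches the pinned one. Whether a mismatch should merely be logged or should block joining the network is a policy decision the thread does not settle.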