That is debatable. The device/system then doing the MITM is a prime target for attacking/exfiltration of data since everything is de- and re-encrypted there. A huge single point of failure in my opinion.
> Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.
> Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.
Issue certificates for free and have complete control over them?
Imagine if you had all your infrastructure authenticating with DigiNotar issued certificates (that you paid for) only for them to be invalidated in one day.
It's much more likely that your IT staff will bungle things managing your own CA. And less likely that you will notice it and successfully manage the revocation process.
There's a lot of fun to be had when someone steals your root CA private keys undetected, and a lot of time & money to be spent ensuring it doesn't happen despite Murphy's law...
It’d be extremely expensive if every university had to pay for a full CA root certificate.
Instead, just having a self-signed one, limited to their own domains and subdomains, allows them to use eduroam, provide their own signed software, sign certificates for people who want to provide their own software, etc.
Safer, simpler, and cheaper. (Although some unis actually have a CA certificate limited to *.uniname.tld)
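An added example, not code from the thread or from any organisation mentioned in it, showing how the "CA limited to *.uniname.tld" idea is expressed in X.509: a private root carrying a Name Constraints extension, exercised with the openssl CLI. The domain uniname.tld, the CA name and the host names are constructed placeholders; the script assumes openssl 1.1.1 or later is on PATH. It issues one certificate inside the permitted tree and one outside it, then runs path validation on both, which is where the constraint is actually enforced.

```shell
#!/bin/sh
# Added example (not from the thread): a private root CA restricted with the
# X.509 nameConstraints extension to one domain tree, plus a check that a
# certificate it issues for any other domain fails path validation.
# Assumes the openssl CLI (1.1.1 or 3.x). "uniname.tld" is a constructed placeholder.
set -e

CA_DIR=$(mktemp -d)
CA_DOMAIN="uniname.tld"

# Build the root. nameConstraints limits every certificate chaining to this
# root to uniname.tld and its subdomains; relying parties enforce it even if
# the CA key is later used to sign a name outside that tree.
make_constrained_ca() {
    cat > "$CA_DIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example University Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:${CA_DOMAIN}
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# Issue an end-entity certificate for one host name. Note that signing itself
# succeeds for any name; the constraint is applied by the verifier, not the signer.
issue_leaf() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${host}" \
        -keyout "$CA_DIR/$host.key" -out "$CA_DIR/$host.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$host" \
        > "$CA_DIR/$host.ext"
    openssl x509 -req -days 30 -in "$CA_DIR/$host.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/$host.ext" -out "$CA_DIR/$host.crt" >/dev/null 2>&1
}

# Validate the chain the way a relying party would; exit status 0 means accepted.
verify_leaf() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

make_constrained_ca
issue_leaf "mail.${CA_DOMAIN}"      # inside the permitted subtree
issue_leaf "login.example.com"      # outside it

if verify_leaf "mail.${CA_DOMAIN}"; then
    echo "mail.${CA_DOMAIN}: accepted (inside the permitted subtree)"
fi
if ! verify_leaf "login.example.com"; then
    echo "login.example.com: rejected (permitted subtree violation)"
fi
```

The second certificate is a valid signature from the root, yet `openssl verify` still rejects it: a constrained root limits the damage of a key compromise or a mis-issuance to the named tree, which is the property that makes a per-organisation CA easier to live with than an unconstrained one.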
The German universities do have such a thing: They fund a network with their own backbone and all, called DFN. This organization does have a full CA root certificate which is signed by the globally trusted Deutsche Telekom CA. The DFN then signs certificates for their members. So in short the German universities operate their own CA. I don't think running this is prohibitively expensive as almost every university is a member there.