eduroam Development VC Minutes 2024-01-02 1530 CET

Attendance

Attendees

• Stefan Winter (Restena)
• Stefan Paetow (Jisc)
• Tomasz Wolniewicz (PSNC)
• Ed Kingscote (CANARIE)
• Zbigniew Ołtuszyk (PSNC)
• Maja Górecka-Wolniewicz (PSNC)
• Chris Phillips (CANARIE)
• Halil Adem (GRNET)
• Zenon Mousmoulas (GRNET)
• Ed Wincott (Jisc)

Regrets

• Guy Halse (TENET)

Agenda / Proceedings

1. Welcome / Agenda Bashing

2. geteduroam: new Apps!

   • release on 2 Jan (thanks for not doing it just before Christmas!)
   • some translations in (Android has almost all recent translations, Apple prod version not yet)
   • time for updating user instructions etc.
   • local downloads on cat.eduroam.org need to be updated, too
   • criticism on translation sources: the source language is not always aligned/identical between the two apps
   • glossary function is now available to mitigate slightly mismatching terms
   • inst and profile names are still in English language, regardless of existence of a name variant in a language that matches the app language

2a. CAT/geteduroam vs. Microsoft InTune?

• If using InTune, need to curate your Wi-Fi profile data there.
• But then need to sync between two places, InTune and CAT - why?
• There are probably(?) more devices covered in CAT than in InTune; so working just with InTune is insufficient
• Could exclude the Wi-Fi bit from InTune management, and do all eduroam things from CAT/geteduroam.
• Is that acceptable to typical admins?
• Demarcation line could be along corporate (use InTune for the entire device mgmt) vs. BYOD (use CAT/geteduroam, less intrusive on BYOD devices); this seems to be a generally accepted and working messaging

1. Add a CAT API call for all info about a federation

   • Combination of DATADUMP-FED + all STATISTICS-INST calls in one go. Thoughts?
   • Could be included in the DATADUMP-FED call?
   • SW, TW to investigate this in code
   • https://github.com/GEANT/CAT/blob/master/web/admin/API.php#L194

2. Read-only mode for fed admins?

   • special device for dump of inst data exists ( call with ?hidden=1 and then download the “Test” device - which is a ZIP file with all data settings)
   • a more integrated approach with real read-only access in the UI to see, but not change, settings, could be useful
   • lots of support from attendees of the call
   • maybe not display the full list, but allow to search for single inst

3. show/warn expired intermediate or root CAs in admin mode

   • CAs are flagged visually only if they are of a wrong type; expiry has no UI bearing
   • realm checks already to consider expiry and will warn when executed (but execution of those is manual)
   • should print the expiry date, and alert on/near expiry
   • https://github.com/GEANT/CAT/blob/master/web/lib/admin/UIElements.php#L334

4. OpenRoaming + anonymous outers

   • OR settlement-free is looking into the privacy implications (returning CUI and/or Class) and anonymous outer
   • CAT should also take into account the above
   • problematic spot is if CAT settings enable OpenRoaming, but no anon outer ID is set; this would expose the actual username
   • ideally, enforce that anon outer ID is set when IdP wants to enable OpenRoaming support
   • issue on GitHub to be opened by StefanP
   • ChrisP: @stefanP: anonymous123456@realm.tld is one we’re using - and should be a valid one…

5. AOB / next VC

   • 16 Jan 2024, 1530 CET