eduroam Development VC Minutes 2024-02-27 1530 CET

Attendance

Attendees

  • Stefan Winter (Restena)
  • Anders Nilsson (SUNET)
  • Stefan Paetow (Jisc)
  • Tomasz Wolniewicz (PSNC)
  • Zbigniew Ołtuszyk (PSNC)
  • Ed Kingscote (CANARIE)
  • Chris Phillips (CANARIE)
  • Maja Górecka-Wolniewicz (PSNC)
  • Janfred Rieckers (DFN)
  • Christian Rohrer (Switch)
  • Fabian Mauchle (Switch)
  • Mike Zawacki (Internet2)
  • Guy Halse (TENET)
  • Alan DeKok (FreeRADIUS)
  • Zenon Mousmoulas (GRNET)
  • Louis Twomey (HEAnet)
  • Ed Wincott (Jisc)

Regrets

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. CAT

2.1. Admin API requested update

  • advanced statistics output has been added (NRO can now get all state data about IdPs along with the current download stats)
  • final testing and usage instructions to follow (optional flag for the FED call)

2.2. was there activity on assessing non CA:[FALSE|TRUE] certs in cat.eduroam.org to see who is not doing certs very well?

  • no immediate updates; UI changes to flag this condition are in the works
  • CA certs can be dumped for analysis
  3. eduPKI Issuance adventures

    • be prepared to wait 48h until eduroam DB changes are ingested with certainty
    • US-ASCII is so 2024.
    • all requested names will be transliterated into ASCII.
  4. IETF / EAP-FIDO updates

    • EAP-FIDO document is in editing (deadline next IETF approx. 6 Mar)
    • RADIUS/1.1 draft: updated
    • RADIUS/(D)TLS draft: somewhat stuck; Alan plans to do a thorough review to move things further; some movement in IETF participants - more resources for advancing
    • Hackathon will feature Janfred coding on EAP-FIDO. Remote participation may be possible.
    • WBA: fixing issues in RADIUS Accounting
    • WBA: EAP-TTLS-TLS to prevent client cert leaking personal info
      • But there is already privacy support in EAP-TLS itself (RFC5216), see section 2.1.4! No need to invent a new inner method to EAP-TTLS.
      • Maybe worth bouncing this back to WBA with “What you want is the Privacy supporting mode of EAP-TLS.” Or maybe not; apparently not implemented anywhere; not able to signal this mode.
    • The privacy issue will go away by itself with TLS 1.3 becoming predominant.
    • EAP-TTLS-TLS will fix this for previous versions (but will this new inner method reach devices out there that have these previous versions? To be seen.)
  5. OpenRoaming

    • crowd-sourced coverage map now available at http://static-openroaming-map.s3-website-us-east-1.amazonaws.com/
    • goes to show that there is more than Canary Wharf and Tokyo! (1.5M APs approx. currently)
    • based on WiGLE app (wardriving); now supports RCOI extraction
    • current map includes hotspots with 004096 (which is arguably incorrect, those are not OpenRoaming hotspots)
  6. AOB / next VC

    • 12 Mar 2024, 1530 CET