eduroam Development VC Minutes 2024-04-09 1530 CEST
Attendance
Attendees
Stefan Winter (Restena)
Stefan Paetow (Jisc)
Zenon Mousmoulas (GRNET)
Tomasz Wolniewicz (PSNC)
Zbigniew Ołtuszyk (PSNC)
Janfred Rieckers (DFN)
Anders Nilsson (SUNET)
Ed Kingscote (CANARIE)
Janos Mohacsi (KIFÜ)
Philippe Van Hecke (BELNET)
Ed Wincott (Jisc)
Alan DeKok (FreeRADIUS)
Louis Twomey (HEAnet)
Wenche Backman-Kamila (CSC/Funet)
Maja Górecka-Wolniewicz (PSNC)
Ingimar Jonsson (RHnet)
Mike Zawacki (Internet2)
Regrets
Chris Phillips (CANARIE) (others to attend)
Agenda / Proceedings
Welcome / Agenda Bashing
CAT
2.1. Admin interface/API updates
API got the new features (statistics along with base data in one call)
many UI improvements, showing and consolidating profile completeness info, certificate problems, OpenRoaming status
RADIUS tests improvements coming, too
Should CAT do more central monitoring, and inform admins in case of problems?
Monitoring can certainly be done; not necessarily inside CAT but as a part of the “monitor” suite. Information should not be public, not alert the IdP/SP directly -> only exposed to NROs
Would need its own API to enable integration into NROs own ops overview
2.2. CA:[FALSE|TRUE] root certs in cat.eduroam.org
Extended data mining possibilities thanks to Ed’s scripts for CA inspection
Wrap-Up provided (e.g. found commercial CA without CA:TRUE); more details for a next VC
~ 0.79% of profiles with a CA that is not CA:TRUE
Additional 10 profiles with CA that is not CA:TRUE, but they have an additional CA:TRUE alongside, suggesting migration/non-issue, but will require some deeper checking.
“VeriSign Class 1 Public Primary Certification Authority - G3” is a commercial certificate that doesn’t appear to have CA:TRUE. 2 Profiles use this, but they also appear to have many many roots loaded. (~150 per profile)
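The check behind these numbers, as an added example (not Ed’s script or CAT code): read the basicConstraints CA flag of each root a profile ships and classify the profile as all-CA:TRUE, mixed, or lacking any CA:TRUE root. It assumes only the openssl command-line tool; the certificates it inspects are constructed on the fly.

```shell
#!/bin/sh
# Added example: classify CAT-style profile roots by their basicConstraints CA flag.
set -e

# Print TRUE, FALSE or ABSENT for the CA flag of one PEM certificate
# (an unreadable file yields ABSENT as well).
ca_flag() {
    flag=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -o 'CA:[A-Z]*' || true)
    case "$flag" in
        CA:TRUE)  echo TRUE ;;
        CA:FALSE) echo FALSE ;;
        *)        echo ABSENT ;;
    esac
}

# Classify a profile's root set (PEM files as arguments):
#   ok    - every root asserts CA:TRUE
#   mixed - a CA:TRUE root sits alongside one that does not (the migration case above)
#   bad   - no root asserts CA:TRUE
profile_status() {
    good=0; other=0
    for f in "$@"; do
        if [ "$(ca_flag "$f")" = TRUE ]; then good=$((good + 1)); else other=$((other + 1)); fi
    done
    if [ "$other" -eq 0 ]; then echo ok
    elif [ "$good" -gt 0 ]; then echo mixed
    else echo bad; fi
}

# Constructed test material: self-signed certs with an explicit basicConstraints
# value, or with no basicConstraints extension at all when no value is given.
make_cert() {  # make_cert <out.pem> [basicConstraints value]
    dir=$(mktemp -d); extopt=""
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/key.pem" -out "$dir/req.pem" -subj "/CN=constructed test" 2>/dev/null
    if [ -n "$2" ]; then
        printf 'basicConstraints=%s\n' "$2" > "$dir/ext.cnf"
        extopt="-extfile $dir/ext.cnf"
    fi
    openssl x509 -req -in "$dir/req.pem" -signkey "$dir/key.pem" -days 1 \
        $extopt -out "$1" 2>/dev/null
    rm -rf "$dir"
}

tmp=$(mktemp -d)
make_cert "$tmp/ca.pem" 'critical,CA:TRUE'
make_cert "$tmp/leaf.pem" 'CA:FALSE'
make_cert "$tmp/none.pem"
profile_status "$tmp/ca.pem"                     # ok
profile_status "$tmp/ca.pem" "$tmp/leaf.pem"     # mixed
profile_status "$tmp/leaf.pem" "$tmp/none.pem"   # bad
```

Run it over a directory of a profile’s exported roots to reproduce the "not CA:TRUE" and "CA:TRUE alongside" distinctions used in the wrap-up.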
IETF / EAP-FIDO updates
IETF Brisbane meeting took place, with “EAP-FIDO inside”
radext made good progress on several documents
RADIUS/1.1 is on its way out (ETA sometime this year)
RADIUS/TLS still in the works; together with
RADIUS/UDP deprecation
EMU Recording of the Session@IETF119
Platform Authenticators don’t typically speak FIDO CTAP (but do WebAuthn)
something proprietary instead; and not necessarily prepared to extend use beyond the web
new FIDO spec coming up, for “derived keys”
Blast!RADIUS
Updates? Alan D
Microsoft has asked for more time (until July) but chances are that this will not be granted, given that other vendors have worked on this.
With that said, it appears Microsoft has resurrected an NPS team (for this, we assume, and possibly some other reasons).
IT management companies and CSIRT teams have had varying responses to the news (and the suggestion that someone could just plug an RPi into a network port somewhere), from “Ahh, ok, we need to upgrade everything, thanks!” to “Uhhhh, I suppose that could be possible”.
Expect Blast! to go public in mid- to late-May as scheduled.
OpenRoaming
IEEE P802.11bh discussion at WBA Interop WG about MAC randomisation
advance notice for everyone in eduroam land that the IEEE is looking at MAC randomisation again since the last time (ca. 2011)
Apple has indicated that they will go further this time, potentially to new MAC every 24 hours (as originally done in the iOS 14 beta)
eduroam should be aware that this will affect statistics, and it resurrects the suggestion that CUI should probably be used where possible
Suggestion made (jokingly?) that maybe Alan D should prod the MS NPS team to add CUI support to NPS as a feature
AOB / next VC
23 Apr 2024, 1530 CEST