Meeting Minutes
===============

Attendance:
Stefan Winter (RESTENA)
Brook Schofield (GÉANT)
Paul Dekkers (SURFnet)
Tomasz W.
Žilvinas Vaira (LITNET)
Marko (AMRES)
Maja G-W
Louis & Janusz (HEAnet)
Zenon Mousmoulas (GRNET)
Jorn (UNINETT)
Arthur Petrosyan (ASNET-AM, Armenia)
Juha (Funet)
Miroslav Milinovic (SRCE)

Apologies:
Dubravko Penezic (SRCE)

1. Welcome

1.1 Agenda bashing

1.2 Minute Taker (incl. attendance record)
https://etherpad.net/p/GN4-2_JRA3_T4_VC_on_24_May_2016

1.3 Work Organisation: open mailing list, open VC, open minutes

2. Round-table introduction
Please state name, affiliation, your eduroam background, and areas of interest in this task.

3. Initial discussion about the sub-tasks

3.1 "eduroam-as-a-service" IdP/SP

3.1.1 IdP
- Use the existing GÉANT identity service?
  http://www.geant.org/Services/Trust_identity_and_security/Pages/TCS.aspx
  ... but that doesn't give us an installable profile, right (.mobileconfig or .exe)?
  Correct, but it does give us a certificate, which makes our work easier nevertheless. A certificate must be embedded in an installer anyway.
  So creating one (or self-signing) is easier I guess. (I did the CA part of letsradsec, that's really trivial - and in the IdP case we don't need to use an existing CA for anything - though it's almost easier to use eduPKI's API or something - existing CAs have rules to play with.)
  Development isn't the problem, but if we're not a CA ourselves we have fewer keys to keep secret. Rules the CA has are something to consider.
  We can run this in an HSM.
  There are institutions without a SAML endpoint, which is required for TCS. TCS may be too much for such cases, prompting the need for a local CA anyway.
  Looking sideways: is there a SAML-as-a-service? In the Netherlands, SurfConext had a guest service, but it's not needed anymore (actually replaced by Onegini and social accounts, but enriched with attributes if need be). Microsoft offers SAML in ADFS (also hosted in their Office365).
  In Norway we have Feide Hotel and Dataporten as solutions for institutions without their own IdP (the latter is OAuth2, not SAML).
  TCS has a global (well-known) root CA; this makes it complex to only trust the correct certificates. Dedicated CA FTW! :+1:
  ACT: jornane: write something about pros/cons.
- Tomasz suggests to look into eaplab (that provisions client certificates as well): https://eaplab.supplicants.net
- Zenon suggested that GRNET would be able to work with HARICA (Hellenic Academic Research Institutions CA), a well-established CA accepted by Mozilla and most browsers, OS vendors etc., in order to create and run a dedicated EAP-TLS sub-CA that would integrate specifically with this service. This could work at low cost and could be a viable alternative to TCS and a self-run CA.
- What about the Japanese Online Sign-up System and a Client Certificate Issuing System? Can it be used for our project? The Japanese have 2 systems, run by different groups.
- Some of our larger institutions seem interested in a similar service. Keep the possibility open to run the Silver Bullet IdP solution at NRO or institution level for the larger customers?

3.1.2 SP
- Local Docker machine? (mail Stefan)
- Should we also have Chef, Puppet, Salt, Ansible scripts for the deployment of FreeRADIUS, radsecproxy or other tools to make sure people get it right?
  The more we make, the more we have to support. On the other hand, I think it's bad to only support one option.
- Update policy (responsibilities, education)
- Why not run one big RADIUS at the NREN? (OR prepare an image in Azure or AWS or something.)
  Apparently this is the kind of institution that doesn't want to run stuff on their campus. (If they don't know FreeRADIUS or radsecproxy or letsradsec, they don't know Docker. Maybe they know how to deploy an OVF.) If they want to run our Docker/Puppet/… anyway, they're going to ask a lot of questions about it.
  One big RADIUS for those that can't run it themselves sounds good.
  There are subtle issues to consider regarding operation and maintenance of such a system (sysadmin tasks).
  Puppet etc. are typically tightly integrated with particular infrastructures; such a module would realistically be quite generic, so it would be more likely to provide building blocks rather than a plug-and-play solution. Ansible might be a bit more flexible in this respect, in the sense that it could run "standalone". Docker might be more plug-and-play, but it is not clear how maintaining a particular instance would work out (updates vs. starting fresh).

3.2 User self-support enhancements

3.2.1 For admins

3.2.2 For end users

3.2.3 RIPE Atlas API for WLAN measurements
RIPE Atlas have development, test and production infrastructure. The dev infrastructure is not public.
The test infrastructure is at https://weir-test.atlas.ripe.net/ (it uses a private cert - sorry about that).
We have 4 test WLAN-enabled probes at:
https://weir-test.atlas.ripe.net/probes/200/
https://weir-test.atlas.ripe.net/probes/202/
https://weir-test.atlas.ripe.net/probes/203/ (has wifi firmware)
https://weir-test.atlas.ripe.net/probes/204/
The production infrastructure is at http://atlas.ripe.net/

3.3 CAT improvements

3.4 letsRadsec
- There is a PoC running that everybody is invited to try; instructions via https://wiki.letsradsec.org/
- It's very usable for IdPs; proxy servers need to get an EAP certificate to issue one, alternatives are being considered (and listed in the FAQ).
- Paul sent around a questionnaire on (lets)RadSec recently; results will be presented at TNC. Everybody (that knows about RadSec) is invited to enter the questionnaire: https://survey.letsradsec.org/may2016
- Goal is to be RFC compliant and more secure with our dedicated CA.

3.5 Current Development Efforts and locations
* eduroam CAT - SVN - ...
* eduroam-configurator (CAT UI) - https://github.com/uninett/eduroam-configurator
* radsecproxy - SVN/Git - something hosted by UNINETT/NORDUnet
* DJNRO - https://github.com/grnet/djnro
* LetsRADSEC - ?
* EAPLab / SENSE - https://eaplab.supplicants.net

3.6 Development Wishlist
* mainline support for the eapol_test flag -O to be available in wpa_supplicant, to allow the export of a certificate during authentication (for on-disk comparison or use in reporting within RIPE Atlas)
* eVA open, including the automated bundling of certificates for per-device accounts

4. Change of mailing list address
Please subscribe to development@lists.geant.org
https://lists.eduroam.org/sympa/subscribe/development

"This list is for discussion of development of new technical features in eduroam on a global level; everybody world-wide who wants to advance eduroam technology to new heights is welcome to subscribe and discuss. This mailing list is moderated in the sense that off-topic posts are not tolerated; in particular simple technical questions on an operational level do not have a space here."

From my international announcement: In the next few weeks, I will move all GEANT GN4-2 JRA3-T4 discussions to that list so that everything is happening in the open. The traffic so far on our closed ML which I installed in the interim (01 May to today) is very light yet anyway; I'll replay the messages to the new list once there's a significant subscriber base.

5. AOB / Next VC
Many subscribers from the US have already joined development@; less so from Asia -> meeting in European afternoons would accommodate most current subscribers.
Frequency is in the beginning every 2 weeks; Stefan will send out a Foodle soon.