eduroam Development VC 2016-09-06, 1530 CEST
Attendance:
    Stefan Winter, RESTENA
    Jørn Åne, UNINETT
    Žilvinas Vaira, LITNET (Klaipeda University)
    Reimer Karlsen-Masur (eduPKI)
    Maja Górecka-Wolniewicz, PSNC
    Mike Zawacki, Internet2
    Arthur Petrosyan (ASNET-AM)
    Ingimar Örn Jónsson (RHnet - Uni. Iceland)
    Marko Eremija, AMRES
    Miroslav Milinovic, Srce
    Pedro Simões, FCCN
    Zenon Mousmoulas, GRNET (had to leave a bit earlier)
    Brook Schofield, GÉANT
    Tomasz Wolniewicz, PSNC
    
Apologies:
    Alan Buxey, JISC
    Gareth Ayres, Swansea University
    Philippe Hanset (AnyRoam)
    Louis Twomey, HEAnet
    Janos Mohacsi, NIIF
    Juha Hopia, Funet
    
Agenda:
    
    1. Welcome, Attendance, Agenda Bashing
    2. Status updates Silver Bullet
    3. GEANTLink (TTLS-PAP supplicant)
    4. eduroam CAT Android app
    5. AOB
    6. Next VC
    
Status Updates Silver Bullet
============
code-side
-------------------------------
The CAT code on GitHub has undergone significant cleanup and re-factoring. In terms of Silverbullet, there is now a class inheritance chain from "EntityWithDBProperties" to "AbstractProfile" to ProfileRADIUS / ProfileSilverbullet. Many of the current uses of the ancient "Profile" class actually only need methods which now live at the AbstractProfile level, so they need no change regardless of which concrete class they are handed.
federation-admin-side
-------------------------------
The federation admin UI has received a new configuration option "Max Users" -> Screenshot in mail. There is also a default value in the global config; the fed-level option takes precedence and can thus override the global default.
inst-admin-side
----------------------
The admin UI displays Silverbullet in a special way -> Screenshot in mail. Once SB is configured, the normal RADIUS/EAP profiles become unavailable. Conversely, once a CAT inst has a RADIUS/EAP profile, it can only add more RADIUS/EAP profiles; SB becomes unavailable.
Subject to discussion: this implies that transitioning away from SB to normal RADIUS is a flag-day switch; insts won't be able to prepare installers for RADIUS profiles until they have deactivated their SB profile. This is a slight inconvenience (how slight is it?). However, the alternative is to allow co-existence of SB and RADIUS in parallel, effectively giving every single CAT admin instant access to a "guest users" facility. Considering that we planned to be cautious regarding guest users (and the geographical validity scope of such), this sounds a bit dangerous.
PH apologises but notes:
    "
Yes, we have to be careful with guest access (guest access should be strictly limited to the institution, nowhere else),
but we also want institutions to be able to test SB while they are on classic CAT and reversely.
Could we have a double flag: Production VS Testing. The two cannot be in production at the same time!"
This would still enable (ab)using the feature in the same way, just more subtly: a not-production-ready RADIUS profile still enables the admin to download installers for themselves. The "workaround" (or call it "exploit") for inst admins would be to have a RADIUS profile, download the installers and put them on their own support website, while keeping the SB profile in production. They would then still have two user bases available.
Is it such a big deal to have exclusivity between SB and RADIUS profiles? Transition could be done by inviting the admin as a "second IdP", letting them do the settings and de-provisioning the old one when the time comes.
This question is subordinate to the question: what about guest accounts in the first place; should they be local, regional, national, world-wide? If they are okay world-wide, we can easily drop the exclusivity requirement. If not, further work is needed (i.e. code to support scoping).
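To make the two options discussed above concrete, here is an added illustration (not code from the CAT project; the profile representation and policy function names are assumptions made for this note). It models the strict SB/RADIUS exclusivity rule beside the proposed "Production vs Testing" double flag, and shows why the double flag still leaves an admin with installers for two user bases:

```python
# Added example, not code from the eduroam CAT project. Models the two policies
# discussed in the minutes: strict exclusivity between Silverbullet (SB) and
# RADIUS/EAP profiles versus a "Production vs Testing" double flag. The Profile
# class and the policy function names are assumptions for this illustration.

RADIUS = "RADIUS"
SILVERBULLET = "SB"


class Profile:
    """A CAT profile of one kind; 'production' mirrors the proposed double flag."""

    def __init__(self, kind: str, production: bool = True):
        self.kind = kind
        self.production = production


def strict_policy_allows(existing: list, new_kind: str) -> bool:
    """Strict exclusivity: an inst may only ever hold profiles of one kind.
    The transition is a flag day: RADIUS can only be added once every SB
    profile is gone (and vice versa)."""
    kinds = {p.kind for p in existing}
    return not kinds or kinds == {new_kind}


def double_flag_policy_allows(existing: list, new: Profile) -> bool:
    """Double flag: kinds may co-exist; only two *production* profiles of
    different kinds are forbidden."""
    if not new.production:
        return True
    return all(p.kind == new.kind or not p.production for p in existing)


def installer_kinds(existing: list) -> set:
    """Installers can be generated from any configured profile, production or
    not; this is the hole in the double-flag proposal."""
    return {p.kind for p in existing}


def user_bases(existing: list) -> int:
    """Number of distinct user bases an admin could serve with downloaded
    installers from the given profile set."""
    return len(installer_kinds(existing))


if __name__ == "__main__":
    # Constructed scenario: SB in production, RADIUS added as "testing" only.
    inst = [Profile(SILVERBULLET, production=True)]
    print("strict allows RADIUS:", strict_policy_allows(inst, RADIUS))
    test_radius = Profile(RADIUS, production=False)
    print("double flag allows test RADIUS:", double_flag_policy_allows(inst, test_radius))
    inst.append(test_radius)
    print("user bases reachable via installers:", user_bases(inst))
```

Under the strict policy the second kind is simply refused; under the double flag it is admitted as "testing", yet `installer_kinds` shows both kinds are downloadable, which is exactly the two-user-base situation the exclusivity rule was meant to prevent.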
SW to remind Miro to put this on the agenda of the next SG meeting.
The button "Manage Users" does not lead anywhere yet; this is the starting point for Zilvinas' work.
(Hm, I am offline in LifeSize right now??? Am I the only one? )
Silverbullet Client Cert CA
-----------------------------------
SW has yet to write an architectural overview of the planned CA structure.
client cert provisioning
-------------------------------
Initial plan foresees server-side generation of credentials on-the-fly. Jørn Åne presents a different option using a client-cert variant of the ACME protocol (see this presentation as attached to his mail from 06 Sep 2016).
Jørn would like to work on a prototype in parallel to the normal SB work (this would not block further development of SB with server-side generated certs, as that has a smaller time-to-market). He needs an API call to identify a profile by its realm (easy), and needs client support for the ACME protocol. Talking to Gareth Ayres is probably a good first step, as he already has the Android app and knows about Android specialities.
The config spec would need to include "URL to the ACME server". He will also need to write his own ACME server; to bind user IDs to certificates, the ACME server and CAT would need to share a database holding the link between the two.
GEANTLink (TTLS-PAP supplicant)
===========================
The product is reaching beta status in 3...2...1...0! https://github.com/Amebis/GEANTLink/tree/1.0-beta, binary release at https://github.com/Amebis/GEANTLink-dist/tree/1.0-beta . TW is seeking volunteers for testing, both in local eduroam setups (using cat-test.eduroam.org) and with EAPLab. TW is available for instructions regarding use of EAPLab for this purpose. TW noted that making the beta release available on EAPLab somewhat violates the intent of EAPLab: it is in production, yet delivers beta code. However, the beta-ness is limited to those few Windows platforms, and that is probably okay.
SW noted that GEANTLink is subject to a security audit (source code review). This review is initiated as soon as the beta is tagged, i.e. right after the VC. The beta is only available in Slovenian and English at this point; translations can start soon, and SW will notify the cat-devel list.
Q: what to do if the 1st of October comes and the security audit / 1.0 release is not quite ready yet? MM stated we would release 1.1.3 with the CAT-side code ready, updating the binary as a hotfix release when it is ready.
eduroam CAT Android app
=====================
The main developer, Gareth Ayres, can't join the call today but has the following update:
"
I have nearly finished moving the code to github so it can go public.
I have been cleaning the project structure up so a new user can simply check out the app in android studio and run it."
SW adds that the URL to the repository will be (as soon as the switch to public is done):
Brook made the repo public during the call. Thank you!
AOB
====
We should try something that is more NREN-developed for the VCs instead, like https://rendez-vous.renater.fr/
SW will send an invite to Rendez-Vous for the next VC (with a fallback to LifeSize if it does not perform well).
Is there a mobile version of Rendez-Vous? There is a mobile client for LifeSize (at least on iPhone).
Doesn't the web version work?
At least I have tried it under Chrome/Android and it worked. The Firefox variant under Android should work too.
So it is browser-based anyway, because it is a WebRTC-based solution.
Next VC
======
Scheduled: 20 Sep 2016, 1530 CEST
Attendance:
    Stefan Winter, RESTENA
    Gareth Ayres - Swansea University / Android Dev
    Pedro Simões - FCCN
    Miroslav Milinovic - Srce
    Arthur Petrosyan (ASNET-AM)