Chris Phillips (CANARIE) - colliding meeting, may want to recognize the geteduroam cert story/delta between CAT/geteduroam behaviour acknowledged on the Slack channel
Welcome / Agenda Bashing
geteduroam/CAT certificate handling differences?
geteduroam: "If the CA does not contain a CN, the import fails." (iOS version only) -> bugfix in the making, available soon in TestFlight
case in point: GoDaddy CA: C = US, O = “The Go Daddy Group, Inc.”, OU = Go Daddy Class 2 Certification Authority
radius_cap from Janfred could detect these situations with a small feature update. This is in the backlog.
There are some samples in other people’s logs, like “Malformed EAP Message: EAP packet has invalid length (less than 4 bytes)”
At least one MAC address suffering from this is from Huawei. (first auth successful, subsequent ones fail)
EAP-FIDO updates
packet flow for authentication phase
How to do onboarding/registration?
Stefan presented the packet workflow for auth
X.509 cert / PKIX for server auth is a pity, but probably unavoidable
especially when registration is done on the web: needs TLS context for the web registration
next steps: try to implement, present at IETF
interesting lead: Simon Rozman (who implemented GEANTlink).
-> If IETF doesn’t raise red flags conceptually, could be an option to get a Windows implementation (maybe code to include in geteduroam)
Recurring: Passpoint hardware and onboarding chit-chat
How big is OpenRoaming really? Difficult to judge. Anecdotal evidence from London / Japan / airports. “More than 7000 hotspots” as per website (which may not be much if this counts individual APs rather than locations).
Let’s ask WBA PMO if these are locations or individual APs. Stefan @JISC to ask.