eduroam Development VC 2016-08-23, 1530 CEST

Attendance:
Stefan Winter, RESTENA
Reimer Karlsen-Masur, DFN-CERT
Mike Zawacki, Internet2
Juha Hopia, Funet
Hideaki Goto, Tohoku University / NII
Tomasz Wolniewicz, PSNC
Brook Schofield, GÉANT
Alan Buxey, Loughborough University (UK)
Philippe Hanset, ANYROAM/Internet2
Maja Gorecka-Wolniewicz, PSNC
Miroslav Milinovic, Srce
Scott Armitage, Loughborough University (UK)
Zenon Mousmoulas, GRNET
Žilvinas Vaira, Klaipeda University (LITNET)
Marko Eremija, AMRES

Apologies:
Janusz Ulanowski, HEAnet
Louis Twomey, HEAnet
Ingimar Örn Jónsson, RHnet
Arthur Petrosyan, ASNET-AM
Jørn Åne, UNINETT
Paul Dekkers, SURFnet

Agenda:
1. Welcome, Attendance, Agenda Bashing
2. Status update GitHub
3. Silver Bullet client certificate CA
4. AOB
5. Next VC

2. Status Update GitHub
---------------------------------
- move is finished; previous TODO list is now in GitHub's issue tracker
- many doc parts are now in MarkDown language, directly accessible (and editable) from the GitHub website: https://github.com/GEANT/CAT/
- WTF? "GÉANT Standard Open Source Software Outward Licence" in CAT/LICENSE
- automatically look at problems/issues via:
  https://codeclimate.com/github/GEANT/CAT/code
  https://insight.sensiolabs.com/projects/4d0cd7ef-876f-4918-860e-295ed1e1729e
  https://scrutinizer-ci.com/g/GEANT/CAT/ (do we have a full license for this, or is it just a limited 14-day trial thing?)
- if the LICENCE is a real "open source licence" then it will be extended, but I don't think that the "GÉANT Standard Open Source Software Outward Licence" counts. We should visit http://choosealicense.com/ and pick something. I'd vote for CDDL, but MIT is probably what we want.
- Tomasz would appreciate updates to the compatibility list for the Linux
- Git and Transifex probably work together nicely... to be investigated (SW)

3. Silver Bullet client certificate CA
---------------------------------
- certificate username format: pseudonymousgibberish@opaqueinstid.de.hosted.eduroam.org
- Person "Stefan Winter" -> CAT username "catuser123" -> certificate with a hash different from "catuser123"
  => all PII can be contained within the IdP itself; CAT knows only pseudonyms
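The pseudonym chain above (person -> CAT username -> certificate identity), as an added example that is not part of the minutes or of the CAT code base. It assumes a secret held by CAT per IdP profile (`profile_secret`), HMAC-SHA256 as the keyed hash, the per-certificate serial mixed in so that two certificates of the same CAT user get unrelated names, and the realm layout from the minutes; all of these are illustrative choices.

```python
# Added example (not CAT's own code): derive the opaque local part of a
# Silver Bullet certificate identity. The IdP keeps person -> CAT username,
# CAT keeps CAT username -> certificate identity (via a keyed hash it alone
# can recompute), and the certificate itself carries neither a real name nor
# the CAT username. Realm and hash construction are assumptions.
import base64
import hashlib
import hmac
import secrets

HOSTED_SUFFIX = "hosted.eduroam.org"


def pseudonymous_local_part(profile_secret: bytes, cat_username: str, serial: int) -> str:
    """Keyed hash of (CAT username, certificate serial) -> opaque local part.

    Mixing in the serial means each certificate issued to the same CAT user
    gets an unrelated identity; without profile_secret nobody (an OCSP
    responder, an SP, a RADIUS proxy) can recompute or invert the mapping.
    """
    msg = f"{cat_username}\0{serial}".encode()
    digest = hmac.new(profile_secret, msg, hashlib.sha256).digest()
    # 15 bytes -> exactly 24 base32 characters, no padding; lowercase a-z2-7
    # keeps the local part inside the character set RADIUS realms expect.
    return base64.b32encode(digest[:15]).decode().lower()


def certificate_identity(profile_secret: bytes, cat_username: str, serial: int,
                         opaque_inst_id: str, country: str) -> str:
    """Full outer identity: <pseudonym>@<opaque inst id>.<cc>.hosted.eduroam.org"""
    local = pseudonymous_local_part(profile_secret, cat_username, serial)
    return f"{local}@{opaque_inst_id}.{country}.{HOSTED_SUFFIX}"


def is_pii_free(identity: str, *real_names: str) -> bool:
    """Sanity check: none of the given real-world names appear in the identity."""
    lowered = identity.lower()
    return not any(name.lower() in lowered for name in real_names)


if __name__ == "__main__":
    # Constructed sample data: a fresh per-profile secret, the mapping
    # Person "Stefan Winter" -> "catuser123" from the minutes, a serial.
    profile_secret = secrets.token_bytes(32)
    ident = certificate_identity(profile_secret, "catuser123", serial=4711,
                                 opaque_inst_id="opaqueinstid", country="de")
    print(ident)
    assert is_pii_free(ident, "Stefan Winter", "catuser123")
```

The check that matters operationally is the one `is_pii_free` encodes: the identity that travels through the EAP-TLS exchange, the OCSP request and the RADIUS proxy chain must not contain anything linkable to the person without the secret that only CAT holds.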
- OCSP is important, but short outages need to be covered (fail open / fail closed policies possible)
- uptime of OCSP responders should allow "fail open" (discussion?)
- lifetime: probably the best strategy is to ask the admin to provide an end date; send an email before expiry so the admin can double-check that this is still his wish
- CRL vs. OCSP: can a CRL be used as a fallback if OCSP is down? Question of configurability in FreeRADIUS... Alan Buxey to check things out.
- OCSP responses can have a lifetime of 6 days (or so); OCSP signers just need to be fast enough to make a run through all certs in that time (and/or have an outage lasting not longer than that)
- "Use it or lose it" for certificates? Not very user-friendly.
- Intermediate CA: one is enough for a start; thinkable to issue per-NRO intermediate CAs, with a lock-down using nameConstraints (to be verified that FreeRADIUS can actually verify nameConstraints then)
- to note: slight privacy problem in that every OCSP responder (and anyone on the IP path) can create an - anonymous - mobility profile of "the eduroam SB userbase" (without being able to identify individual users)
- Silver Bullet name has nothing to do with Werewolves (much to the disappointment of all attendees)
- client installers: should they be protected with a one-time activation token? After long discussion... probably yes. Account sharing otherwise becomes too easy.
  Note: even with an activation token, determined users can share accounts by keeping the token and the corresponding installer. One way of mitigating: limit usage of a credential to one MAC address; have more devices - download more installers!
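The revocation-check discussion above (OCSP with fail open / fail closed, cached OCSP responses that live for days, CRL as fallback when the responder is down) written out as one decision function, as an added example that is not part of the minutes, of CAT or of FreeRADIUS. The order of precedence, the policy knobs (`fail_open`, `max_outage`, `crl_fallback`) and the sample timestamps are assumptions for illustration; whether FreeRADIUS can be configured to behave this way is exactly the open question the minutes assign to Alan Buxey.

```python
# Added example (not CAT's or FreeRADIUS's code): a revocation decision for
# an EAP-TLS client certificate given whatever revocation information the
# RADIUS server currently has. Precedence: live OCSP answer > cached OCSP
# answer still inside its validity window > CRL fallback > bounded fail-open
# > fail-closed. All policy values are illustrative assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder does not know the cert: never "good"


@dataclass(frozen=True)
class OCSPResponse:
    status: CertStatus
    this_update: datetime
    next_update: datetime   # response may be reused until this instant


@dataclass(frozen=True)
class CRL:
    revoked_serials: frozenset
    next_update: datetime


@dataclass(frozen=True)
class RevocationPolicy:
    fail_open: bool         # accept when no revocation info is reachable...
    max_outage: timedelta   # ...but only this long after the last valid info
    crl_fallback: bool      # consult a CRL when the OCSP responder is down


def decide(serial: int,
           fresh: Optional[OCSPResponse],
           cached: Optional[OCSPResponse],
           crl: Optional[CRL],
           policy: RevocationPolicy,
           now: datetime) -> Tuple[bool, str]:
    """Return (accept?, reason). `fresh` is None when the responder is down."""
    # 1. A live answer from the responder is authoritative.
    if fresh is not None:
        return fresh.status is CertStatus.GOOD, f"ocsp-live:{fresh.status.value}"
    # 2. A revocation never un-happens: even an expired cached REVOKED answer
    #    still rejects, so nobody can wait out the cache to get back in.
    if cached is not None and cached.status is CertStatus.REVOKED:
        return False, "ocsp-cached:revoked"
    # 3. Responder down: a cached response counts as a live one until nextUpdate
    #    (the ~6 day response lifetime the minutes mention is what makes
    #    short responder outages invisible to users).
    if cached is not None and cached.next_update >= now:
        return cached.status is CertStatus.GOOD, f"ocsp-cached:{cached.status.value}"
    # 4. CRL fallback, if the policy allows it and the CRL itself is not expired.
    if policy.crl_fallback and crl is not None and crl.next_update >= now:
        revoked = serial in crl.revoked_serials
        return not revoked, "crl:revoked" if revoked else "crl:good"
    # 5. Nothing usable. Fail open only within the tolerated outage window,
    #    measured from the newest revocation information we ever held; with
    #    no history at all there is nothing to "fail open" from, so reject.
    known = [x.next_update for x in (cached, crl) if x is not None]
    last_valid = max(known) if known else None
    if policy.fail_open and last_valid is not None and now - last_valid <= policy.max_outage:
        return True, "fail-open"
    return False, "fail-closed"


if __name__ == "__main__":
    # Constructed sample: responder down, cache expired a day ago, CRL fresh.
    now = datetime(2016, 8, 23, 15, 30, tzinfo=timezone.utc)
    day = timedelta(days=1)
    policy = RevocationPolicy(fail_open=True, max_outage=2 * day, crl_fallback=True)
    stale = OCSPResponse(CertStatus.GOOD, now - 7 * day, now - day)
    crl = CRL(frozenset({4711}), now + day)
    print(decide(4711, None, stale, crl, policy, now))   # rejected via CRL
    print(decide(1, None, stale, None, policy, now))     # fail-open, 1 day < 2 days
```

The useful property to test in a real deployment is the one the minutes hint at: with a response lifetime of several days, a responder outage shorter than that never reaches step 5, so "fail open" only has to cover the rare case where both the cache and the CRL have aged out.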