eduroam Development VC 2016-09-20, 1530 CEST
Attendance:
    Stefan Winter (SW), RESTENA
    Arthur Petrosyan (AP), ASNET-AM
    Alan Buxey (AB), UK
    Žilvinas Vaira, LITNET (Klaipeda University)
    Maja Górecka-Wolniewicz, PSNC
    Marko Eremija, AMRES
    Temur Maisuradze, GRENA
    Mike Zawacki, Internet2
    Zenon Mousmoulas (ZM), GRNET
    Miroslav Milinovic, Srce
    Pedro Simões, FCCN
    Jørn Åne, UNINETT
    Louis Twomey, HEAnet
    Gareth Ayres, Swansea University
Apologies:
    Juha Hopia, CSC
    Reimer Karlsen-Masur, DFN-Cert
    yes I2
    Chris Phillips, CANARIE (BTW, connected to lifesize or renateur VC -- no one on call @ the time.)
    Hideaki Goto, Tohoku University / NII
    
Agenda:
    
    1. Welcome, Attendance, Agenda Bashing
    2. Status updates CAT 1.1.3
    3. Ongoing discussion Silver Bullet CA
    4. GitHub repo GEANT/RADIUS
    5. AOB
    6. Next VC
    
2. CAT 1.1.3: translations until Wednesday; packaging and installation on cat-test.eduroam.org on Thursday; move to production on 28 Sept unless catastrophic problems are reported from cat-test.
SW to send notices to development@lists.eduroam.org, eduroam@lists.geant.org, GeGC, and cat-users.
There is also a small config update to be installed: iOS 10 is not recognised by the OS/browser detector, so iOS 10 devices are not handled correctly (they are not given the right option hint).
3. CA update:
    * the intermediate (issuing) CA is the one requiring HSM protection
    * the root CA can be small hardware, not a VM, but with strong entropy -> Raspberry Pi
    * crypto parameters should be at least SHA-512 with RSA-4096 for the root and intermediate CA, and SHA-256 with RSA-2048 for client certs (for maximum compatibility with supplicants)
    * the root CA does not do much, but needs to be taken out of the safe about once a month, so it has to be located someplace where operations staff can touch it
    * EAP-pwd would remove the need for a CA completely, but then either the server side needs to maintain a password database for individual users, or the complexity is pushed to end users (token with OTP, 'google authenticator')
    * the hardware speed of the HSM limits the number of certs we can handle; at some point, with many certs, we may be maxed out (HW specs of the HSM to be determined). There are dedicated OCSP signing certificates to overcome this, but: suggest we cope with this when the time comes
    * OCSP downtime response: let the user pass. That's because we do not expect extended downtime of the OCSP responder to go unnoticed (there is an operations team supervising all this, after all). Nobody disagrees. (Currently FreeRADIUS cannot do 'use OCSP and if that fails then do a CRL check': the CRL check is a hardcoded part of EAP-TLS. With FR 4.x this can be changed, as each part is likely to be its own virtual server, e.g. check_ocsp, check_crl, so you can have unlang policies.) check_crl is hardcoded, it's not a policy. You want an OCSP check, then, if that fails (it doesn't return the required value right now), THEN do check_crl. I chatted to Arran and Alan about this. (ZM: OK, I was just looking at eap.verify.skip_if_ocsp_ok in the 3.0.x head config.)
    * there is currently no usable PKI implementation of the supersingular isogeny Diffie-Hellman key exchange, so we will have to do without quantum-resilient cryptography for now.
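The hierarchy and parameters agreed above, as an added example that is not part of the minutes and not eduroam/GEANT code: a POSIX shell script that uses openssl (assumed installed) to create an RSA-4096/SHA-512 root, an RSA-4096/SHA-512 intermediate signed by it, and an RSA-2048/SHA-256 client certificate signed by the intermediate, then verifies the chain the way a RADIUS server would (trusting only the root, intermediate supplied as untrusted). The CA names, validity periods and the output directory are assumptions for the demo; real keys would of course be generated on the offline root machine and in the HSM rather than on disk.

```shell
#!/bin/sh
# Added example, not part of the minutes or any eduroam/GEANT code.
# Builds the two-tier hierarchy discussed above with openssl:
#   root CA:         RSA-4096, SHA-512, self-signed (kept offline in practice)
#   intermediate CA: RSA-4096, SHA-512, signed by the root (HSM-backed in practice)
#   client cert:     RSA-2048, SHA-256, signed by the intermediate
# Names (Example Root CA etc.) and validity periods are assumptions for the demo.
set -e

# X.509v3 extensions each certificate type needs so that `openssl verify`
# accepts the chain: the CAs must assert CA:TRUE and keyCertSign, the leaf
# must not be a CA. Files are written into the working directory.
write_ext_files() {
  dir="$1"
  cat > "$dir/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  cat > "$dir/int.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
  cat > "$dir/client.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
}

build_pki() {
  dir="$1"
  mkdir -p "$dir"
  write_ext_files "$dir"

  # Root CA: 4096-bit key, SHA-512 self-signature.
  openssl req -new -newkey rsa:4096 -nodes -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha512 -days 3650 \
    -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null

  # Intermediate (issuing) CA: 4096-bit key, SHA-512 signature by the root.
  openssl req -new -newkey rsa:4096 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -sha512 -days 1825 -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null

  # Client (EAP-TLS user) certificate: 2048-bit key, SHA-256, for supplicant compatibility.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user@example.org" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
}

# Chain check as a RADIUS server would do it: trust only the root, pass the
# intermediate as untrusted, validate the client certificate. Exit status 0 = valid.
verify_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" "$dir/client.crt" >/dev/null
}

# Helpers to inspect what was actually issued: signature algorithm and key size.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Stand-alone usage: sh build_pki.sh /tmp/demo-pki
if [ -n "${1:-}" ]; then
  build_pki "$1"
  verify_pki "$1" && echo "chain OK: $(sig_alg "$1/int.crt") / $(sig_alg "$1/client.crt")"
fi
```

Note that `openssl verify` only succeeds because the root is the sole trust anchor and the intermediate carries CA:TRUE with keyCertSign; presenting the intermediate alone as the CA file fails, which is the behaviour you want from the RADIUS server's trust store too (trust the root, ship the intermediate in the chain).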
    
    4. Repo
    SW recaps that there will be a GEANT/RADIUS repo with all kinds of config snippets, including the role-model config for IdP-as-a-service, SP-as-a-service etc.
    
    6. Next VC: SW unavailable on 04 Oct. Feel free to meet anyway, so long as you produce minutes. SW is back for the next slot after that one, on 18 Oct.
   