eduroam Development VC 2016-09-06, 1530 CEST
Attendance:
    1. Stefan Winter, RESTENA
    2. Miroslav Milinovic, Srce/CARNet
    3. Zenon Mousmoulas, GRNET
    4. Philippe Hanset, Anyroam (US)
    5. Žilvinas Vaira, LT
    6. Tomasz Wolniewicz, UMK (PL)
    7. Maja Gorecka-Wolniewicz, UMK (PL)
    8. Alan Buxey, JISC (UK)
    9. Brook Schofield, GÉANT
    10. Juha Hopia, FUNET (FI)
    11. Mystery Twilio User via Phone +18658507500 <-- who is this? ...or is it someone doing their audio via phone?
    12. Chris Phillips, CANARIE (Canada)
    13. Louis Twomey, HEAnet
Apologies:
    Mike Zawacki, Internet2
    
Agenda:
    
    1. Welcome, Attendance, Agenda Bashing
    2. Silverbullet: User PKI - CA thoughts before prototype
    3. Silverbullet: FreeRADIUS EAP termination server
    4. Silverbullet: Admin UI update
    5. AOB
    6. Next VC
    
Minutes:
    
    2. NameConstraints: DNS name constraints are buggy in OpenSSL before the 1.0.1l release. CAT also produces false alerts, so an update to 1.0.1l+ would make sense. Email name constraints are not affected -> no issue here. Specifically affected by this: EAP server certificates anchored to HARICA Root CA 2011.
    revocation: bind to a max number of MAC addresses; and certs can also be revoked (one cert or all at the same time)
    Test suite for clients: how do they behave with SB credentials, expired and revoked credentials? -> EAPlab has one-day passes which are very useful for testing the expiry
    2a. mobileconfig: when client cert expires, so does the entire profile
    2b: user support. Idea: the one-time signup token can perpetually be a status page for specific credentials. Auto-status page even: use the client cert for login to the web page (there could be a separate token for the user support page, where the user is asked to authenticate via the identity provider. This way the user id could be associated with the silverbullet user)
    mobileconfig feature "The “Security” and “Automatically Remove Profile” options allow you to define when the profile can be removed. By default, the profile can be removed by anyone. You can configure the profile so that it can never be removed or require a password to be removed, or have it automatically expire on a certain date or after a limited time period. These settings are intended for larger organizations to lock down their devices, but they can be used by anyone."
    
    Expiring certs at different times per device may breed a support challenge that would need an approach to address it (position/how things are managed etc.). Admin UI should allow the admin to set the expiry date only per user - not per credential
    
    How do users know why their device no longer connects? what information can be provided?
    
    Chris - user friendliness approach: have a web site that asks for their cert to give help/advice.
    others think this is a good idea if the server can have a normal CA cert - Stefan, Alan (others?)
    
    
    do apple apps have access to the certificate store?
    
    what about Android? :)
    
    3. one CA per NRO is probably better
    so the auth realm needs to be very well defined per NRO
    
    4. admin UI is progressing. Zilvinas will send screenshot to the list. Will change expiry date selector to be per-user.
        
    6. 01 nov is a public holiday in many countries in Europe (All Saints)
        15 nov Stefan is in Korea (South :-) ) for the next IETF meeting. As always, feel free to meet and produce minutes
        29 nov back to normal