eduroam Development VC Minutes 2024-01-30 1530 CET

Attendance

Attendees

  • Stefan Winter (Restena)
  • Stefan Paetow (Jisc)
  • Philippe Van Hecke (BELNET)
  • Tomasz Wolniewicz (PSNC)
  • Louis Twomey (HEAnet)
  • Zbigniew Ołtuszyk (PSNC)
  • Mike Zawacki (Internet2)
  • Chris Phillips (CANARIE)
  • Zenon Mousmoulas (GRNET)
  • Christian Rohrer (Switch)
  • Alan DeKok (FreeRADIUS)
  • Ed Wincott (Jisc)
  • Anders Nilsson (SUNET) a bit late.

Regrets

  • Janfred Rieckers (DFN)
  • Maja Gorecka-Wolniewicz (PSNC)

Agenda / Proceedings

  1. Welcome / Agenda Bashing

  2. CAT dynamic discovery checks

    • currently reporting incorrect results since underlying OS updates (openssl 1->3)
    • rewrite of the checks ongoing (changing from parsing openssl s_client prose towards “sslscan”)
  3. App delivery in the Apple ecosystem

  4. 90 day certs: updates?

    • https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/
    • Do we know how many (or what share of) institutions use commercial CAs for their EAP servers?
    • Is the change (becoming) “official”? I.e. a vote in the CA/B Forum? An announcement from Google confirming that they will do it anyway? An early canary build with this included? No visible/tangible changes to Chrome seen.
    • For completeness' sake: ACME works even when the server does not have internet connectivity or an open HTTP/S port: dns-01 validation can be automated.
    • cert renewals are going to be frequent and complicated; possibly driving more admins to as-a-service solutions
    • documentation can help; not much more can be done
    • scripting on FreeRADIUS possible to some extent…? Like, Let's Encrypt support included in the distribution; if you really want a commercial cert, run that script regularly and you’re good. Alan to investigate if this can be done
  5. IETF / EAP-FIDO updates

    • RADIUS/TLS changes are substantial and need to be cross-checked
    • Deprecating UDP mostly done
    • next up: RADIUS/1.1
  6. OpenRoaming

  7. AOB / next VC

    • 13 Feb 2024, 1530 CET