eduroam Development VC Minutes 2024-02-13 1530 CET
Attendance
Attendees
- Stefan Winter (Restena)
- Stefan Paetow (Jisc)
- Alan DeKok (FreeRADIUS)
- Chris Phillips (CANARIE)
- Paul Dekkers (SURF)
- Mike Zawacki (Internet2)
- Tomasz Wolniewicz (PSNC)
- Guy Halse (TENET)
- Hellen Nakawungu (RENU)
- Christian Rohrer (Switch)
- Ed Wincott (Jisc)
- Louis Twomey (HEAnet)
- Maja Górecka-Wolniewicz (PSNC)
- Halil Adem (GRNET)
- Zenon Mousmoulas (GRNET)
- Janos Mohacsi (KIFÜ)
Regrets
- Philippe Van Hecke (BELNET)
- Ed Kingscote (CANARIE)
Agenda / Proceedings
Welcome / Agenda Bashing
CAT feature requests
- fed admin “read-only mode”, filters on names and DB link: demonstrated
- Q about occassional delays on logging into cat.eduroam.org (looking for feedback on if seen elsewhere) ; likely on monitor.eduroam.org side - best to wait for CoreAAI SSO platform integration
- disallowing self-signed CA+server certificates which do not have the CA:true basicConstraint set
- discussion: PaulD: not necessarily a new problem, top crash reports come from this style of problem
- “least surprise”: find a a way to move admins away without sudden breakage
- introduce UI to warn admins that one of their certs is bogus
- “Your profile will become invalid when you click save! Fix it!” equivalent
are there plans for federations defaults for devices for geteduroam that will assist to complement the per profile setting?
insight plans for geteduroam.app recommendations for apple -->timing?
- https://kb.cert.org/vince/comm/case/1515
- Still in embargo
- Access-Request packets are unsigned (i.e. when there is no Message-Authenticator attribute )
- eduroam is OK - EAP conversations always signed with Message-Authenticator as per protocol definition.
- Organisations with NPS or FreeRADIUS should probably check their RADIUS clients and RADIUS server groups to check that the option ‘Require Message-Authenticator’ is actually ticked. If not, please tick the option.
- May 21 is an interesting day.
Rest of agenda deferred to next time.
IETF / EAP-FIDO updates
OpenRoaming
- crowd-sourced coverage map now available at http://static-openroaming-map.s3-website-us-east-1.amazonaws.com/
AOB / next VC
- 27 Feb 2024, 1530 CET