eduroam development VC, 10 Apr 2018, 1530 CEST
==============================================
Attendees
-------
Stefan Winter, RESTENA
Ingimar Jonsson, RHnet Iceland
Gareth Ayres,
Zenon Mousmoulas, GRNET
Tsotne Gozalishvili, GRENA
Reimer Karlsen-Masur, DFN-CERT Services GmbH, eduPKI
Apologies
-------
Miroslav Milinovic, SRCE
Chris Phillips, CANARIE
Agenda / Proceedings
-------
1. Welcome, agenda bashing
2. CAT 2.0 alpha2
https://cat-test.eduroam.org/RC/
* The admin API is to be redone from scratch so that it can also support managed IdP; consequently no admin API is available in alpha2.
3. Managed IdP alpha2
https://cat-pilot.eduroam.org/test/
4. Apple and MD5 self-signed CA certificates
Apple decided to distrust root CAs whose self-signed certificate is signed with MD5. IdPs using such root CAs will see failed authentications, because clients no longer trust the chain. IdPs with a corresponding CA in CAT will be notified by the eduroam OT.
There is no trace in Apple's changelog of why this happened, or of whether SHA1 will also be affected.
eduPKI has a SHA1 self-signature, but it is only used in server-to-server contexts, so it is not affected by any Apple changes.
6. Elliptic Curve Cryptography in server, CA and client certs
(but not in Windows 7 :-/ )
IETF advice is to move to ECDSA keys because of the size of EAP exchanges: ECDSA certificates typically fit into one packet, so there are no MTU issues and no extra round trips, i.e. shorter authentication times.
Good - but Windows 7 at least does not seem to support this, and we have to care about Win7 until its EOL in 2020.
FreeRADIUS 4 will have auto-negotiation: load both an RSA and an ECDSA certificate into the server; if the client indicates EC support the server sends the EC certificate, otherwise it sends the RSA one.
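The two points above (Apple distrusting MD5 self-signed root CAs, and EC keys not being usable on Windows 7) both come down to two fields of the CA or server certificate: the signatureAlgorithm and the SubjectPublicKeyInfo algorithm. The following is an added example, not code from eduroam CAT or FreeRADIUS: a small standard-library-only DER walker that reads exactly those two fields from a PEM or DER certificate and flags the cases discussed. The OIDs are the standard PKIX ones; the `build_sample_cert()` helper constructs skeleton certificates (empty names, no real key) purely so the checker can be exercised offline, and the Windows 7 warning restates the meeting's own observation rather than an independently verified fact.

```python
"""Report signature hash and key type of an X.509 certificate (added example)."""
import base64
import re
import sys

# Signature algorithm OIDs -> (name, hash); only the ones relevant to this discussion.
SIG_ALG = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA384"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA384"),
}
# SubjectPublicKeyInfo algorithm OIDs -> key family.
KEY_ALG = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(body):
    """Dotted form of a DER OBJECT IDENTIFIER body (fine for the 1.x arcs used here)."""
    parts, v = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            parts.append(str(v))
            v = 0
    return ".".join(parts)


def load_der(data):
    """Accept PEM (str or bytes) or raw DER bytes and return DER bytes."""
    text = data.decode("ascii", "ignore") if isinstance(data, bytes) else data
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode("".join(m.group(1).split())) if m else data


def inspect_cert(data):
    """Return signature algorithm, hash, key type and the warnings discussed in the minutes."""
    _, cert, _ = _read_tlv(load_der(data), 0)
    tbs, sig_alg = _children(cert)[:2]       # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                 # explicit [0] version; absent in v1 certs
        fields = fields[1:]
    spki = fields[5]                         # serial, sigAlg, issuer, validity, subject, SPKI
    key_oid = _decode_oid(_children(_children(spki[1])[0][1])[0][1])
    sig_name, hash_name = SIG_ALG.get(sig_oid, (sig_oid, "unknown"))
    key_type = KEY_ALG.get(key_oid, key_oid)
    warnings = []
    if hash_name == "MD5":
        warnings.append("MD5 signature: Apple clients no longer trust a root CA self-signed with MD5")
    elif hash_name == "SHA1":
        warnings.append("SHA1 signature: deprecated hash, check which client platforms still accept it")
    if key_type == "EC":
        warnings.append("EC key: Windows 7 supplicants do not support it (per the minutes); keep an RSA cert too")
    return {"signature_algorithm": sig_name, "hash": hash_name,
            "key_type": key_type, "warnings": warnings}


# --- minimal DER encoder, used only to construct sample certificates offline ---
def _tlv(tag, value):
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:                             # higher base-128 digits carry the 0x80 bit
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def build_sample_cert(sig_oid, key_oid):
    """Constructed skeleton certificate (not a valid cert): names, validity and key are
    empty placeholders, and params are NULL even for EC, where real certs carry a curve OID."""
    def alg(o):
        return _tlv(0x30, _oid(o) + b"\x05\x00")
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg(sig_oid)
           + _tlv(0x30, b"") * 3 + _tlv(0x30, alg(key_oid) + _tlv(0x03, b"\x00")))
    return _tlv(0x30, _tlv(0x30, tbs) + alg(sig_oid) + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    source = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
              else build_sample_cert("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.1"))
    print(inspect_cert(source))
```

Run it as `python check_cert.py ca.pem` against each CA certificate uploaded to CAT to get the same two facts the OT notification is based on; with no argument it inspects a constructed MD5/RSA sample. The parser deliberately reads only the outer structure and the two AlgorithmIdentifiers, so it does not validate the certificate in any way and should not be mistaken for a chain check.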
5. Enabling PMF (Protected Management Frames) is a good idea: it can be set to "supported, but not required", which still allows old clients to connect (mostly 11g and older). It also improves overall network security at no particular cost. Everyone is invited to try this out on their networks. There is a compatibility issue on Cisco gear when 11r (Fast Transition) and PMF are turned on simultaneously, but that does not seem very relevant in today's deployments.
7. Users with insecure configs
8. IdPs with insecure config instructions
There is some research going on into what percentage of users have configured eduroam correctly (or not), and what percentage of IdPs provide insecure configuration instructions. The eduroam OT will contact the NROs/IdPs in question and ask them to remedy the situation.
9. A contingency plan for letsradsec
eduroam CAT already has an authentication and authorisation scheme for NRO admins: we know who you are. So eduroam CAT could allow NRO admins to upload CSRs, which would then be approved automatically. To be investigated.
10. AOB / next VC
15 May 2018, 1530 CEST