eduroam Development VC 2017-03-07, 1530 CET
Attendance
----------------
  1. Stefan Winter, RESTENA
  2. Arthur Petrosyan, ASNET-AM
  3. Mike Zawacki, Internet2
  4. Jørn Åne, UNINETT
  5. Brook Schofield, GÉANT
  6. Zenon Mousmoulas, GRNET
  7. Edward Wincott, JISC
  8. Philippe Hanset, ANYROAM
  9. Marko, AMRES
  10. Maja G-W, 
  11. Tomasz Wolniewicz
  12. Reimer, DFN
  13. Temur + Colleague, GRENA
  14. Pedro Simões, FCCN
  15. Žilvinas Vaira (LITNET)
  16. Alan Buxey, JISC/Lboro
Apologies
--------------
None
Agenda
-----------
1. Welcome / Agenda Bashing
2. Raiders of the Lost Minutes
    Philippe to investigate the business model of Managed IdP; for example, client cert based IdP management seems to sell for about 1 USD per user per year for *large* organisations
    CloudPath acquired yet again, now by ARRIS (www.arris.com)
3. FreeRADIUS OCSP and session caching
FreeRADIUS validates a client certificate only on a full TLS handshake, i.e. when there is no TLS session cache entry from a previous authentication; a resumed session is accepted without re-validating the certificate.
The TLS session cache lifetime counter is reset to 0 (restarted) after every successful reauthentication.
->  a user who re-authenticates with TLS session cache / session resumption before the cache entry runs out has a "perpetual" account: the certificate is never checked again, so revocation is not noticed.
That's a rather unexpected behaviour and everybody using EAP-TLS should take a close look at their session cache settings.
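As an added illustration (not from the minutes or from the FreeRADIUS project), the following Python model contrasts the behaviour described above, a cache whose lifetime restarts on every resumption while skipping certificate checks, with an absolute lifetime and with re-validation on resumption; the 24-hour lifetime, the 12-hourly reauthentication schedule and the user name are assumed values.

```python
# Added model of the session-cache issue; cache layout, lifetime and schedule are assumptions.
HOUR = 3600
CACHE_LIFETIME = 24 * HOUR   # assumed cache lifetime


class RadiusServer:
    def __init__(self, sliding_lifetime, revalidate_on_resume):
        self.sliding = sliding_lifetime        # lifetime counter restarts on every resumption
        self.revalidate = revalidate_on_resume  # re-check the certificate on resumption
        self.revoked = set()                    # users whose certificate has been revoked
        self.cache = {}                         # session id -> cache entry

    def full_auth(self, user, now):
        """Full TLS handshake: the certificate is validated (revocation modelled as a set)."""
        if user in self.revoked:
            return None
        sid = f"{user}-{now}"
        self.cache[sid] = {"user": user, "created": now, "last": now}
        return sid

    def resume(self, sid, now):
        """Session resumption: accepted on a cache hit alone unless revalidation is on."""
        entry = self.cache.get(sid)
        if entry is None:
            return False
        anchor = entry["last"] if self.sliding else entry["created"]
        if now - anchor >= CACHE_LIFETIME:
            del self.cache[sid]                 # entry expired, full handshake required
            return False
        if self.revalidate and entry["user"] in self.revoked:
            del self.cache[sid]                 # certificate no longer acceptable
            return False
        entry["last"] = now                     # a resumption counts as a successful reauth
        return True


def accepted_after_revocation(sliding_lifetime, revalidate_on_resume, days=10):
    """Count accepted logins after the user's certificate has been revoked."""
    srv = RadiusServer(sliding_lifetime, revalidate_on_resume)
    sid = srv.full_auth("alice", 0)             # assumed user, authenticates at t=0
    srv.revoked.add("alice")                    # certificate revoked right afterwards
    accepted = 0
    for now in range(12 * HOUR, days * 24 * HOUR + 1, 12 * HOUR):
        if srv.resume(sid, now):
            accepted += 1
        elif srv.full_auth("alice", now) is None:
            break                               # a full handshake finally rejects the cert
    return accepted
```

With the reported behaviour (sliding lifetime, no re-validation) every one of the 20 reauthentications after revocation succeeds; an absolute lifetime limits the exposure to the remaining cache window, and re-validation on resumption closes it entirely.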
4. eduroam Managed IdP:
   * external testing launch imminent
   NROs: Chapter 5 to enable the feature
   IdPs: Chapter 6 to actually use the feature
   API needs an addition to pre-provision Managed IdP profiles (it already allows pre-provisioning RADIUS profiles in CAT 1.1).
   Download button should be protected by a checkbox "I have read and agree to the terms and conditions".
   'existing IdP' list for admin purposes should be ordered in some way, preferably alphabetically (added to the GitHub feature requests)
   Please report bugs/feature requests via GitHub: https://github.com/GEANT/CAT/labels/Managed%20IdP%20Pilot
Discussion on CA post-pilot:
    - some say having the end user wait for approx. 2 minutes during the download phase is acceptable, others not
    - DFN-CERT would only be able to work within these 2-3 minutes, not in real time
    - What is the risk of not using an HSM at all? Is the current system good enough?
    Basic attitude seems to be that for "just internet" access of individual accounts, the system could be good enough (provided that entropy is improved with the haveged service on the machine)
    If that is the case, no changes necessary - but other services in GÉANT (JRA3-T1)
    Would an HSM fix the situation/user experience?
    Entropy increase using haveged: http://www.issihosts.com/haveged/downloads.html (rpm/apt-get etc. packages available for most distros)
    PS: e.g. on Linux, check cat /proc/sys/kernel/random/entropy_avail; if the value is less than 1k, there is a problem.
    https://www.vaultproject.io/ <-- for storage of secrets
    Midday CET on Thursday is the Campus IdP meeting.

5. Self-service end user debugging - first thoughts
6. next VC date
    as per plan: 21 Mar 2017, 1530 CET