Friday June 16, 11am-12:30pm ET
Saira Hasnain - UF
Amel Caldwell – University of Washington
Brett Bieber - Nebraska
Jeremy Livingston - Stevens
Brett Bieber - University of Nebraska
Rob Gorrell - UNC Greensboro
Jeff Egly - UETN
Nadim El-Khoury - Springfield College
Mike Dickson - UMass Amherst
- Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework
- Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
- Agenda bash
- Approval of last meeting’s minutes
- Saira: Motions to approve, MikeD & Jeff Second.
- Trip report from TNC23 and Mobility Day
- Sara, Josh, Mike
- Sara: A couple major highlights for eduroam. One was the eduroam track with Alan DeKok’s proposed updates to RADIUS standard. Paul Dekkers presentation on new features & functionality for geteduroam app, and MikeZ and I presented on eSO program. Biggest takeaway for me was that the way most NROs talk about eduroam is more network-centric, where in the US we look at it more as a gateway to connectivity. Also had a conversation with Klaas Wierenga (CTO for GEANT) about trademarks and branding for eduroam, esp with increase of eSO deployments.
- Josh: Mobility Day included a presentation on a new EAP type - EAP-FIDO, which is similar to cert based authentication but few of the drawbacks. Still several years off, but promising. Also had a discussion at the end of Mobility Day regarding the CAB forum’s stance on many certificate lifecycles being reduced to 90 days. Questions from our community around how to deal with that - could push more automation of cert renewal or could push back on a policy level. Also looking into creating a CA to work around this
- Sara: With regard to creation of a new CA, could be something for this committee to track.
- Josh: If automation is pursued as a fix we’d need to consider vendor and infrastructure impacts.
- Sara: There are changes incoming at the beginning of September, but the 90 day expiration is further out.
- Brett: Really interested in EAP-FIDO. Could be transformative.
- Josh: Agree. Being able to remove certs (partly or completely) would address a number of issues, particularly with the upcoming 90 day cert lifetime.
- Brett: Looking at how EAP-FIDO and geteduroam could change the landscape,
- Link to Mobility Day wiki page (includes slide decks from all presentations)
- Link to Alan DeKok’s presentation
- Recording of the eduroam sessions https://tnc23.geant.org/recordings/?session=s255
- Follow-up on Josh’s EAP findings, input on next step
- Sara, Josh, Mike
- Update on RADIUS 1.1 - Rob
- Please see Brett Bieber’s email to the committee sent on Monday, June 12
- Rob: CACTI was looking for some guidance on how/if to respond to new standard. Questions and concerns around privacy and location sharing. Reflects ongoing conversations in this group WRT Best Practices Guide update, ensuring that users and infrastructure are configured to preserve privacy
- Josh: Margaret’s email mentioned practices that could breach user privacy. Most of these are addressed as part of the eduroam Best Practices Guide. But those are just that - best practices. Absent requirements some community members will not adhere to these practices, especially if there are cost implications. Issue that Margaret raises that hasn’t been discussed yet is the emission of the operator name attribute by SPs. Just their realm, but still potentially problematic. That attribute is needed to generate the CUI (chargeable user identity) attribute, though. If we stop using explicit user name and operator name then we lose all identification of users. We should be encouraging SPs to send operator name to preserve the ability to generate CUI.
- Rob: Also some discussion of moving away from RADIUS over UDP.
- Josh: Yes, there’s a short term picture of the above issues around CUI/Operator name and the long term move toward using RADIUS over TLS. That will be a much longer term project that will take many years
- Brett: Margaret had asked if we should develop an informational document for the eduroam US community. Think that makes sense, especially as we look toward more K12 deployments. Could be an action item for this committee. The other part I was thinking about was states where there are additional student privacy requirements - should we be more proactive in addressing those concerns? Is there expertise in the community that could help with that?
- Rob: Agree. It’s a two part discussion - make sure we have the right recommendations in the BPG and the second part is addressing the reluctance to adhere to those practices. Do we need to look at requirements? Is there a topic here that fits into Baseline Expectations (BE)?
- Sara: How much of the BPG could be enforced client side vs. enforcing via BE? COnsider impacts if most of the devices being used are private devices vs managed devices
- MikeD: Our efforts to communicate with end users don’t always work until we reach out personally to them. It would make sense to reach out to eduroam admins with info in reports on user behavior (e.g. who’s releasing a username@realm outer identity, etc). Users often just see eudroam SSID, connect, and go about their business. Often find ourselves at the mercy of vulnerable, poorly configured user devices.
- Brett: Wonder if we could also monitor at the TLRS level. All of this speaks to the effort level of a BE initiative. Feel like we’d need to do a lot of education of our community before imposing requirements. Can we get detailed reports around the items Margaret and Josh have pointed out?
- Sara: That kind of what I was poking at. Community’s approach to the technology in federation and eduroam are very different. In eduroam we’re more talking through industry/tech standards that would be changed, less community driven. So there are parallels to the work of InCommon BE and eduroam BE (need for communication and education of community) but the driving force is different. In eduroam we’re responding to changes in the technical environment.
- Rob: Consider that a lot of the changes discussed are years out. Different approach needed for issues that are shorter term, here and now. Thinking of lack of adoption of BPG, things that could be done today
- Brett: There’s a requirement for engagement with the community - many set up eduroam and then forget about it. Need to generate the willingness to change approaches, comply more with BPG. Would like to have this committee respond to Margaret. What do folks think next steps would be?
- Jeff: I’m thinking through how to educate community. We just held a technical summit with our community and topics along this line came up. So thinking about what the eAC can do to drive adoption of BPG. With my eSO hat on thinking through how we can do that for our constituent community.
- Nadim: I would like to second the importance of user and admin education. Also thinking about having hands-on, office hour type sessions for the community demonstrating best practices, explaining the importance of them. BE efforts start with the admins and empowers them to reach out to their users.
- Rob: Maybe the trick here is to align the monthly report better with best practice indicators as a means to communicate and inform site admins, not just of their stats, but their sites alignment to best practices. Pie chart to include in the report potentially... What percentage of an IDP's authentications are anonymized outer identity?
- MikeD: Agree. This would be a start to documenting that institutions are making the effort.
- Brett: Agree with Nadim’s point - maybe look to existing “good practitioners” and ask them to help develop documentation, processes to move toward greater compliance. Rob, can you please reach out to Margaret and outline the above discussion? Also, would suggest we reach out to the eduroam-admin community and ask for their help -identify those who’ve already put BPG into practice, ask for them to help with community education. WRT Rob’s point I’d ask Sara if we can adjust reporting to help with communication to eduroam US community?
- Brett: Suggest we keep this as a standing agenda item.
- Josh: Feel it’s easy to slip into alarmism around privacy. We want to do good work, but there’s a scenario that concerns me around outer identities. Not impossible to imagine that higher placed individuals - politicians, researchers, etc - could be visiting countries, institutions that might not be “friendly”. Wonder if we want to try and remedy situations like that, and how to approach the subject with community. Maybe use things like this scenario as an example in why this work is important, risks of doing nothing.
- Brett: We can look for partners within our communities (security professionals, etc) who can speak to these concerns.
- AI: Rob to communicate with Margaret, sum up discussion here. Brett to draft some communications to community with MikeZ, present to this committee next month
- WG updates
- Transitional Technologies
- MikeD: TLS1.2-1.3 done, ready to publish. WPA3 section nearly baked, some tweaks to make. MSCHAPv2 nearly done.
- MikeD: For Amel, looking at the PMF section could we include alternatives to PMF mode for environments that don’t offer that mode? Even a suggestion to work with your vendor could be helpful. Same with suggestion to avoid 192 bit encryption.
- Amel: Agree with PMF/vendor statement. For 192 alternatives admins to fall back to 128
- For group consideration: Issues with multi-tenancy in cloud offerings for eduroam (MikeD to lead discussion)
- Potential points for discussion
- What is the potential impact of accommodating multitenancy auth queries from vendors seeking to proxy auth queries to the TLRS servers on behalf of multiple customers?
- What are the possible implications for the institution in this framework?
- How would troubleshooting or forensics (user identification) be impacted? Who should the institution call?
- Would the institution or the multitenant vendor be the "eduroam administrator" if RADIUS secrets, configuration, testing etc. is no longer managed by the institution?
- Would the institution's ability to look at their own logs be maintained?
- Are there any privacy or security implications?
- Wireless vendors, wireless onboard services companies and cloud based authentication services may all have interest in doing this. Are there any distinctions?
- How might this impact the financial model?
- What if an institution wishes to switch wireless vendors if their vendor provides eduroam RADIUS proxy on their behalf?
- Discussion from committee members…
- MikeD: So if an institution buys a cloud RADIUS product, that vendor would in theory talk to TLRS. Would we be the eduroam admin? Or would the vendor? Would we log into the eFM or the vendor portal?
- Amel: I had it that the vendor would be the eduroam admin. You would log into vendor portal. That’s been the approach that I’ve heard floated.
- MikeD: One vendor we’ve spoken with had a workaround. Basically a proxy hairpin that re-routes visiting requests between TLRS1&2 and your IdP. Not ideal and only intended as a temporary workaround pending development.
- Amel: I’d prefer to remind the eduroam admin, have access to local RADIUS logs. Haven’t thought through it completely.
- Sara: WRT scoping for this group, I think the broader question is a level up - what challenges are we looking to solve for eduroam subscribers. Vendors are trying to change some elements of traffic routing in response to user preferences. Would be more interested in thinking through what we’re trying to solve and how best to solve them. If there’s divergence between what we need and what vendors are offering we need to let them know and need to adjust our approach to service delivery/development accordingly
- Amel: Feel like if we’re going to move to the cloud we’d want more simplicity, more resilience
- MikeD: Agree. “Putting things in the cloud” is a common approach for a lot of services. Federations complicate that. We’d want to simplify how these cloud services work with federations too.
- Sara: I understand the attractiveness to cloud offerings, but want people to consider the 3-5 year timeline. If we want to endorse one or more vendors we’d want this committee to draw up requirements, help us understand what is needed from vendors AND what’s needed from us in terms of existing architecture and eFM changes that would be needed.
- Brett: There are some pages we could borrow from NET+ and HECVAT playbook around requirements for security and interoperability, as well as framework for engaging with vendors. Maybe seek some guidance from Sean O’Brien, others in I2 T&I in how to handle engagement. Perhaps have them join us in future meetings to present on methodologies that I2 has used in the past.
- Update to Best Practices Guide
- How to incorporate eSO volunteers for K12 feedback?
- MikeZ: Link Oregon has volunteered to participate in this as well. Looking for a way to structure their participation.
- Brett: On next eSO call could raise topic
- OR updates from Saira
- Hold for next meeting
- Support Organizations Update
- Link Oregon
- ConnectEd Nebraska
- Brett: Ongoing engagements with commercial ISPs
- The Sun Corridor Network
- Jeff: Had Tech Summit this week, presented on eduroam2go. Ironically had network issue during presentation will be holding another session to present to broader eduroam community
- NSHE (Nevada) and Washington K20 as On-Rampers are confirmed
- Update on engagement with Cox Cable
- Sara: Cox is reviewing a pilot agreement from I2 legal term. Time bound to 6 months from signature, will review work and lessons learned. Scoped to a few defined geographic areas. Negotiating fee structure, technical aspects, and branding.
- Mini-Mobility Day update (Brett, MikeD)
- Report out from initial program committee meeting
- Next steps for program committee, eAC
- Brett to email update around this group
- Interest in a TechEx working meeting?
- Next meeting - July 7th, 11:00am - 12:30pm ET
- ACAMP registration is open
- Virtual gathering from July 10-14
Info on event, registration info: https://incommon.org/academy/camp-meetings/basecamp/