cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

Re: [[cat-users]] "manual" installation instructions

  • From: IAM David Bantz <db AT alaska.edu>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] "manual" installation instructions
  • Date: Mon, 5 Nov 2018 16:28:30 -0900
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=alaska-edu.20150623.gappssmtp.com

I found the language below at https://www.eduroam.org/wp-content/uploads/2016/05/GN3-12-192_eduroam-policy-service-definition_ver28_26072012.pdf
but I did not find corresponding language in the U.S. eduroam documents.

6.2.2 eduroam Security Requirements
The basic security principle that governs the eduroam infrastructure is:
The security of the user credentials MUST be preserved when travelling through the infrastructure, and all partners providing the service MUST observe privacy regulations.
The relevant technical details are listed in the next section.
The following requirements apply:
All eduroam participants (OT, confederation members, connected institutions in federations) MUST:
  Always provide trustworthy and secure transport of all private authentication credentials (i.e. passwords) that are traversing the eduroam infrastructure.
  Ensure that user credentials stay securely encrypted end-to-end between the user's personal device and the identity provider when traversing the eduroam infrastructure. A rationale for this requirement can be found in Appendix A.
  Ensure that eduroam servers and services are maintained according to the specified best practices for server build, configuration and security, with the purpose of maintaining a generally high level of security, and thereby trust in the eduroam Confederation.
An additional task for Confederation members is to ensure that the participating institutions are fully aware of their responsibility to establish an appropriate level of security. 
...
Appendix A: End-to-end Encryption of User Credentials
This ensures that no intermediate party, be it an eduroam infrastructure operator or external parties, can steal the digital identity of an eduroam user. This enables the eduroam service to make an important assertion: using eduroam never exposes the credentials to anyone in the infrastructure except the home institution, which makes sure that the confederation infrastructure operators are neither responsible nor liable for password theft.
Since no AAA infrastructure available today provides end-to-end encryption in itself, end-to-end security has to be established by the two ends of the authentication chain: the end-user device (notebook, PDA, smartphone, tablet, etc.) and the home authentication server. This is achieved by using mutual-authentication protocols such as EAP-TTLS, PEAP or EAP-TLS. Most notably, authentication methods in use by web-redirect portals such as PAP do NOT provide end-to-end security. 
 

> On Nov 5, 2018, at 12:59, Tomasz Wolniewicz <twoln AT umk.pl> wrote:
>
> advertising an insecure configuration violates eduroam policy, that requires that all partners provide secure end-to-end authentication methods


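The distinction Appendix A draws between an unprotected credential and one that can only be decrypted by the home identity provider comes down to whether the client checks where the TLS tunnel terminates. The following is an added example in wpa_supplicant.conf syntax; it is not part of the original message, the eduroam policy document, or any CAT-generated profile. The realm example.edu, the CA file path and the RADIUS server name are assumed placeholders.

```ini
# Added example, not from the original message or from eduroam/CAT.
# Two wpa_supplicant network blocks for the same account; only the
# second satisfies the end-to-end requirement quoted above.

# WEAK: no CA certificate and no server-name check. wpa_supplicant
# documents that without ca_cert the server certificate is not verified,
# so a rogue access point announcing "eduroam" can terminate the TTLS
# tunnel itself and read the inner PAP password in clear.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="correct horse battery staple"
    phase2="auth=PAP"
}

# HARDENED: the outer TLS handshake is checked against the institution's
# CA and against the expected RADIUS server name, so the tunnel can only
# terminate at the home IdP. The inner credential is therefore decrypted
# by no party other than the home authentication server, which is the
# property Appendix A calls end-to-end encryption. The anonymous outer
# identity keeps the real username off the wire on the visited network.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="correct horse battery staple"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/example-edu-ca.pem"          # assumed path
    domain_suffix_match="radius.example.edu"             # assumed name
}
```

The inner method is the same in both blocks: PAP inside a TTLS tunnel is a common eduroam configuration, and it is acceptable precisely because the password never leaves the TLS tunnel. What makes the first block insecure is not PAP itself but the missing `ca_cert` and `domain_suffix_match`, without which the supplicant will build that tunnel to whoever answers. A "manual" installation guide that omits those two settings is advertising exactly the configuration the policy forbids.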