Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Installers with certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Installers with certificate


Chronological Thread 
  • From: Daniele Albrizio <albrizio AT units.it>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Installers with certificate
  • Date: Mon, 26 Nov 2018 09:52:12 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=units.it; domainkeys=pass (1024-bit key) header.from=albrizio AT units.it header.d=units.it
  • Domainkey-signature: a=rsa-sha1; c=simple; d=units.it; h=subject:to :references:from:message-id:date:mime-version:in-reply-to :content-type; q=dns; s=selector1; b=fWyUMkxBzGMvFWmhiSueB9Tgj4t kyDmgskB/bmEdobJ4m8UD0idHxqZR1eduVqMT8t1fC4guKGMlygIATROkg/K2IPS ZoKqFUTV4UiPxBVs2RHarBp7a26BTkXP8281VnycaPlnDi93u3jXNHh3UM9Gwea2 oLuH6110OHDylelM=

Well, Stefan, I'm interested in this evolution of the eduroam CAT service too.
We have about 23k potentially active eduroam users and we would like to
issue them a one-time (per install) keypair or, if not possible, a long live
pair to avoid easily bad configured clients without server trust validation
(users forcing not to check the server certificate). This should be, as you
can easili figure out, SAML or openid connect authorized.
We do not have internal man power to set up such a solution and neither we
can afford to outsource such a project, so I think a centralized project with
a fairly paid plan could be an affordable solution for us.

Yes, it sounds as a "me too" :)

Daniele

On 26/11/18 08:59, Stefan Winter wrote:
Hello,

We are currently thinking about a larger scale IdP (100k+ Users) that would
use client certificates for authentication.
To distribute those certificates, the CAT installers/profiles would be a good
option (as the v2 Hosted IdP does).

Is there an API call (like 'generateInstaller') that would accept a
certificate .pem to include in the installer?
Or any other ideas to handle this?
The installer would need to have the certificate *and* private key. Our
basic assumption behind CAT (and MIdP) was that we don't want anyone
else's secrets, and expect nobody to want to send them to us anyway; so
uploading a private key is indeed not foreseen.

For eduroam Managed IdP, the communication is unidirectional. Our system
itself generates a private key, and sends it out in the installer
(PIN-protected on the transport leg).

If you really are comfortable with sending us the future users' private
keys(?) then we could probably create an API call to generate
"MIdP-like" installers from that external source. Unfortunately, some
installers require us to know the private key in clear (ChromeOS
encrypts the entire configuration file with the PIN, not just the
private key portion).

Alternatively, if you can live with becoming a Managed IdP user and with
leaving the cert generation to us: the existing API allows an NRO
operator to remote-control all the important aspects of the system down
to the individual user level. That way, you could create those 100K
users in the system, issue 100K invitation URLs, make us send them to
the users via E-Mail or SMS, and have them pick up their eduroam
credentials with that.

I used those API calls extensively during the development phase for
stresstesting (and my tests went up to 1M users).

The only limitation here would be non-technical: the soft limit for user
count in eduroam Managed IdP is going to be 10K users per NRO. More is
certainly possible, but we'd have to discuss some kind of a paid plan
for that bulk usage.

Greetings,

Stefan Winter

--
Daniele ALBRIZIO - daniele.albrizio AT units.it
Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Unita' di Staff Reti di Ateneo
via Alfonso Valerio, 12 I-34127 Trieste, Italy


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.19.

Top of Page