
cat-users - Re: [[cat-users]] Unique device credentials

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] Unique device credentials


  • From: Daniele Albrizio <albrizio AT units.it>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Unique device credentials
  • Date: Wed, 3 Apr 2019 10:28:03 +0200


On 02/04/19 11:11, Stefan Winter wrote:
> Hi,
>
> Why is it only for "small user populations"?
> We only allow manual user management: add users by entering them
> one-by-one or do a CSV import.
>
> We intentionally do not allow connecting to an AD, or SAML. That is
> because we don't want to become everybody's RADIUS, ending up with
> millions of accounts to shepherd; if you are large enough to have your
> own user management, then you should also be knowledgeable enough to run
> your own RADIUS server.(*)

This is right when you think about an "eduroam Managed IdP", which works with per-device client credentials as-a-service.

I'm not a developer, but I think that a _modified_ instance of CAT that implements the following features would be the definitive solution to this evil twin problem:

 - a unique, on-the-fly generated certificate onboarding (per user, and either per download, or cached per day or per month)

 - trying to work around the problem of signed installers, like for Android and Windows, say by using a two-stage installer and configuration/credentials onboarding.

This can be achieved in at least 2 ways:

1. cat.eduroam.org implementing a per-institution sub-CA and CRL

2. an institution-hosted, auto-upgradable CAT instance implementing its own sub-CA and CRL

Solution 2 seems more robust and scalable to me, because your RADIUS server does not depend on a remote CRL and you decentralize the computation for generating certificates on the fly.

This way users do not even need to input a username or password.

Is anybody already working on similar paths?

> We can of course reconsider that, but at some point when we host really
> large organisations, this cannot be a free service any more. There is
> actual infrastructure in the backend of this, and it needs to scale.
>
> Greetings,
>
> Stefan Winter
>
> (*) Fun fact: did you know that issuing EAP-TLS certificates based on
> SAML identities is patent-protected in the U.S.?

--
Daniele ALBRIZIO - daniele.albrizio AT units.it
Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Unita' di Staff Reti di Ateneo
via Alfonso Valerio, 12 I-34127 Trieste, Italy


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
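As an added illustration of "solution 2" above (this is not code from CAT, nor from anyone in this thread), here is a sketch in Python with the `cryptography` library: an institution-hosted CA mints a short-lived EAP-TLS client certificate per user and device at download time, publishes its own CRL, and the institution's RADIUS server accepts or rejects a presented certificate using only that local CA certificate and CRL. The institution names, the 30-day device lifetime and the 1-day CRL lifetime are assumptions, and for brevity the institution CA is self-signed rather than chained to an institutional root.

```python
"""Institution-hosted device CA + CRL + RADIUS-side check (added sketch, not
CAT code). Requires the `cryptography` package. Names, lifetimes and the
self-signed CA are assumptions made for the example."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn, org):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _utc(obj, attr):
    """Read a validity timestamp as an aware UTC datetime on both old and new
    cryptography releases (the *_utc accessors appeared in 42.0)."""
    value = getattr(obj, attr + "_utc", None)
    if value is None:
        value = getattr(obj, attr)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


class InstitutionDeviceCA:
    """One issuing CA per institution. Device certificates are short-lived
    (per download, or cached per day/month), so the CRL stays small and a
    lost device ages out even if nobody revokes it."""

    def __init__(self, institution, device_validity=timedelta(days=30)):
        self.institution, self.device_validity = institution, device_validity
        self.key = ec.generate_private_key(ec.SECP256R1())
        self._revoked = {}  # serial number -> revocation time
        now = datetime.now(timezone.utc)
        subject = _name(f"{institution} eduroam device CA", institution)
        self.cert = (x509.CertificateBuilder()
                     .subject_name(subject).issuer_name(subject)
                     .public_key(self.key.public_key())
                     .serial_number(x509.random_serial_number())
                     .not_valid_before(now - timedelta(minutes=5))
                     .not_valid_after(now + timedelta(days=3650))
                     .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
                     .sign(self.key, hashes.SHA256()))

    def issue_device_cert(self, user, device):
        """Fresh key pair and certificate for one device of one user, generated
        on the fly at download time; the key only ever goes into the installer."""
        key = ec.generate_private_key(ec.SECP256R1())
        now = datetime.now(timezone.utc)
        cert = (x509.CertificateBuilder()
                .subject_name(_name(f"{user}/{device}", self.institution))
                .issuer_name(self.cert.subject)
                .public_key(key.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(now - timedelta(minutes=5))
                .not_valid_after(now + self.device_validity)
                .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
                .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
                .sign(self.key, hashes.SHA256()))
        return key, cert

    def revoke(self, cert):
        self._revoked[cert.serial_number] = datetime.now(timezone.utc)

    def crl(self, crl_validity=timedelta(days=1)):
        """CRL signed by this CA and served locally, so the RADIUS server never
        depends on a remote CRL fetch."""
        now = datetime.now(timezone.utc)
        builder = (x509.CertificateRevocationListBuilder().issuer_name(self.cert.subject)
                   .last_update(now).next_update(now + crl_validity))
        for serial, when in self._revoked.items():
            builder = builder.add_revoked_certificate(
                x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(when).build())
        return builder.sign(self.key, hashes.SHA256())


def radius_accept(client_cert, ca_cert, crl, now=None):
    """The checks the institution's RADIUS server applies to a presented EAP-TLS
    client certificate, using only the local CA cert and CRL. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    if client_cert.issuer != ca_cert.subject:
        return False, "unknown issuer"
    try:
        ca_cert.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                    ec.ECDSA(client_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad signature"
    if not _utc(client_cert, "not_valid_before") <= now <= _utc(client_cert, "not_valid_after"):
        return False, "outside validity window"
    try:
        eku = client_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no extended key usage"
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False, "not a client-auth certificate"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL not signed by issuer"
    if now > _utc(crl, "next_update"):
        return False, "CRL stale"
    if crl.get_revoked_certificate_by_serial_number(client_cert.serial_number) is not None:
        return False, "revoked"
    return True, "ok"


def demo():
    """Constructed scenario: one user, two devices, the phone reported lost."""
    ca = InstitutionDeviceCA("Example University")
    _laptop_key, laptop = ca.issue_device_cert("alice", "laptop")
    _phone_key, phone = ca.issue_device_cert("alice", "phone")
    ca.revoke(phone)
    crl = ca.crl()
    other = InstitutionDeviceCA("Other University")  # a different institution's CA
    return [radius_accept(laptop, ca.cert, crl),
            radius_accept(phone, ca.cert, crl),
            radius_accept(laptop, ca.cert, crl, now=datetime.now(timezone.utc) + timedelta(days=31)),
            radius_accept(laptop, other.cert, other.crl())]
```

Running `demo()` accepts the laptop, rejects the phone as revoked, rejects the laptop once its 30-day certificate has expired, and rejects it outright at another institution's RADIUS because the issuer is unknown there; the only input the RADIUS side needs is the CA certificate and the CRL that the same host produced.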




