Subject: An open discussion list for topics related to the geteduroam service
List archive
- From: Paul Dekkers <paul.dekkers AT surf.nl>
- To: Wenche Backman-Kamila <wenche.backman-kamila AT csc.fi>, geteduroam AT lists.geant.org
- Subject: Re: Findings
- Date: Fri, 12 Mar 2021 13:46:36 +0100
Hi Wenche,
I guess I misinterpreted your remark about ciphers on our SP:
Hi Wenche,
@list; for people that are unaware of the "hosted version" Wenche is talking about, this hasn't been advertised here yet (I think) but a bit more can be found at:
https://wiki.geant.org/display/gn43wp5/geteduroam+for+NROs+and+IdPs%2C+proposal+for+pilot+service
Basically, it allows you to connect an eduGAIN IdP to a hosted version of a pseudo-account service for geteduroam (comparable to and complementing the managed IdP, with eduroam credential creation based on eduGAIN authentication instead of invites).
On 12/03/2021 12:03, Wenche Backman-Kamila wrote:
Hi,
While taking geteduroam into use we'd like to report the following:
- You seem to use old crypto (CBC) for 'https://get.eduroam.org'. Is it possible to also support modern GCM crypto? We had to make an exception for this entity ID to make it work, but it works now.
Of course! We do support GCM, but *also* CBC, I think that's where the problem is? Do you have a pointer to eduGAIN guidelines for this, if there are any? I wasn't aware of a requirement.
And I'm afraid I looked no further than the A+ rating of ssllabs that we already had ;-) We still are A+, but with fewer ciphers. Hope this works out better.
I may have misinterpreted; is this about the SAML
EncryptedAssertion? I understand it's common for Shib IdPs to
require AES-GCM, but it's only recently in SimpleSAMLphp. (And in
SURFconext, I believe we still purely rely on the transport
security.)
I almost assume this is something Shibboleth users stumble upon
more often. I will look at supporting this in the near future to
be more compatible. Good feedback. I'm not aware of eduGAIN
guidelines about this to be honest, but welcome pointers.
- CSC has been added to the institution list on Windows 10, but I cannot see CSC in the institution list in Android 10 (tested with both Samsung and Motorola). How come?
We actually improved the metadata creation very recently to reduce stale sessions in cache; I myself see CSC (with 2 profiles) on Android. Don't you?
Regards,
Paul
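
Added example, not part of the original message and not geteduroam or SimpleSAMLphp code: a check of which XML Encryption block-cipher modes (CBC or GCM) an SP advertises for encrypted assertions in its SAML metadata, which is the layer the thread ends up discussing, as opposed to the TLS ciphers that ssllabs rates. The metadata snippet, its entityID and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

# W3C XML Encryption block-cipher algorithm URIs mapped to their mode.
MODES = {f"{XENC}aes{n}-cbc": "CBC" for n in (128, 192, 256)}
MODES.update({f"{XENC11}aes{n}-gcm": "GCM" for n in (128, 192, 256)})
MODES[f"{XENC}tripledes-cbc"] = "CBC"

# Constructed SP metadata; entityID is a placeholder, key material omitted.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/>
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_block_ciphers(metadata_xml):
    """Map each entityID to the sorted block-cipher modes its SP role lists."""
    # Stdlib parser: feed it only metadata that was already fetched and validated.
    root = ET.fromstring(metadata_xml)
    result = {}
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        modes = set()
        for kd in ent.findall(f"{{{MD}}}SPSSODescriptor/{{{MD}}}KeyDescriptor"):
            # A KeyDescriptor without "use" applies to encryption as well.
            if kd.get("use", "encryption") != "encryption":
                continue
            for em in kd.findall(f"{{{MD}}}EncryptionMethod"):
                mode = MODES.get(em.get("Algorithm"))  # key-transport URIs are skipped
                if mode:
                    modes.add(mode)
        result[ent.get("entityID")] = sorted(modes)
    return result


def verdict(modes):
    """Summarise what the advertised modes mean for an IdP that prefers GCM."""
    if not modes:
        return "no block cipher listed; the IdP's default applies"
    return "GCM offered" if "GCM" in modes else "CBC only"


if __name__ == "__main__":
    for entity, modes in sp_block_ciphers(SAMPLE).items():
        print(entity, modes, verdict(modes))
```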