
geteduroam - Re: Setting up a CA

Subject: An open discussion list for topics related to the geteduroam service


Re: Setting up a CA

  • From: Paul Dekkers <paul.dekkers AT surf.nl>
  • To: Wenche Backman-Kamila <wenche.backman-kamila AT csc.fi>
  • Cc: geteduroam <geteduroam AT lists.geant.org>
  • Subject: Re: Setting up a CA
  • Date: Fri, 28 May 2021 10:44:21 +0200

Hi,

On 27/05/2021 14:11, Wenche Backman-Kamila wrote:
Hi,

geteduroam is generating interest in Finland and in order to get it right from the beginning I have a few questions:

- Would you recommend that we set up one CA for the country or that each member (University) set up their own CA?

This is a bit of an "everything is possible" answer:

I think the portal can easily be centralized and connected, in your case, to Haka. EAP-TLS is also kind of convenient to offer centrally: it can be distributed easily and does not require lookups in directories. So I think that's why this has been done centrally so far. You could mix it, and let the institutions do the EAP-TLS validation locally, or institutions could indeed do the entire thing themselves if they're up for that. You don't really need NRO involvement in that case, and in a way they're "on their own". They also need to do SAML for their own authentication, which may be less trivial for them than, for instance, connecting to Haka.

I myself noticed most interest in doing it centrally from the NRO. (Even in that scenario each institution has their own domain, realm, and their own CA with that BTW; that's at least how the reference implementation works.)

Did you consider using the OT (pilot) service in eduGAIN for more institutions? You could easily migrate even from one instance to another, as that's just a pointer in CAT for new institutions too. The intention is to make it scale well for these kinds of scenarios as well. (And if this becomes popular, give NROs the right controls.)

- Could you point to some kind of documentation to get this started?

I guess that's https://github.com/geteduroam/letswifi-ca

Regards,

Paul

Archive powered by MHonArc 2.6.19.