Subject: An open discussion list for topics related to the geteduroam service
- From: Paul Dekkers <paul.dekkers AT surf.nl>
- To: Wenche Backman-Kamila <wenche.backman-kamila AT csc.fi>
- Cc: geteduroam <geteduroam AT lists.geant.org>
- Subject: Re: Setting up a CA
- Date: Fri, 28 May 2021 10:44:21 +0200
Hi,
> Hi,
> geteduroam is generating interest in Finland and in order to get it right from the beginning I have a few questions:
> - Would you recommend that we set up one CA for the country or that each member (University) set up their own CA?
This is a bit of an "everything is possible" answer:

I think the portal can easily be centralized and connected to, in your case, Haka. And also EAP-TLS is kind of convenient to offer centralized: it can be distributed easily and does not require lookups in directories. So that's, I think, why this is done centralized so far. You could mix it, and offer the institutions to do the EAP-TLS validation locally, or institutions could indeed do the entire thing themselves if they're up for that. You don't really need NRO involvement in that case, and in a way they're "on their own". They also need to do SAML for their own authentication, which may be less trivial to them than, for instance, connecting to Haka.

I myself noticed most interest in doing it centrally from the NRO. (Even in that scenario each institution has their own domain, realm, and their own CA with that, BTW; that's at least how the reference implementation works.)

Did you consider using the OT (pilot) service in eduGAIN for more institutions? You could easily migrate even from one instance to another, as that's just a pointer in CAT for new institutions also. The intention is to make it scale well for these kinds of scenarios too. (And if this becomes popular, give NROs the right controls.)
> - Could you point to some kind of documentation to get this started?
I guess that's https://github.com/geteduroam/letswifi-ca
Paul