Hi,
*sigh*
Forget RADSEC then, you might aswell use IPsec in transport mode with AH (as hell we are already shifting EAP traffic around so ESP would be pointless) and then you can do it with bog standard RADIUS; although someone will need to sort out the "route straight to domain SRV record" bit.
People in eduroam have tried RADIUS over IPSec and it was a pest. They gave up on it and switched to RadSec meanwhile. And for RadSec, routing via DNS is known (in a commercial product) since the early 2000s and picked up in the IETF as of 2007. I just saw Alan Buxey referenced the current state of it in his latest mail.
So, 'eduroam-ca.der' can be a *group* of Root CA's I hope and there is a way to make sure that when the original CA reaches it's end of life you get *all* the sysadmins involved to update it to have the two CA's for a while and then on a 'd-day' to remove the old one?
The current plans in eduroam do indeed foresee a group of CAs: one for each National Research Network that's willing to operate its own, and a catch-all CA for the rest. All of which have individual rollover dates. And have their own CRLs which need to be re-loaded regularly (which means that there is no one D-Day). Sounds dreadful to you? Simple: a repository with CAs and CRLs and a cron job to fetch the current state once per day or so, and a HUP to pick it up. Nothing a server operator should be afraid of. CRL reload in OpenSSL is a pest right now, and we're eagerly waiting for OpenSSL 1.0.0 which is claimed to be able to do this properly.
Kinda my point is there is no reason why the bar could not be lowered further. The DNS idea was a hair brained idea of mine and I think it is crazy enough to work...plus it is using the *existing* infrastructure; plus finally admitting that edroam is *not* something that can be wholely accepted by an RFC...it is an exception.
This is obviously turning into an Alex v's World argument. :-/
We've spent tremendous amounts of thinking and taxpayer money to think about this. Without knowing your own flavour of DNS idea: how do you solve the following: - eduroam is for educational use only - microsoft.com sets up a RADIUS server and enters a DNS record for it - eduroam hotspot gets a user login from microsoft.com, looks up server, authenticates, user uses network - damn, we just allowed a commercial user into our network and violated our own AUP and national regulations orders! We think PKI (and certificates that hold accreditation info) comes to the rescue. What rescues you?
RADSEC with the PKI instructure eduroam is touting is a ticking time bomb and knowing the educational world they are going to notice this international trust network and want to shovel their own cruft over it too. When d-day arrives, it is going to break hard....the ides of March I tell you the ides of March.
Without a specific D-Day, your statement above loses much of its sense.
Bah, to hell with you all ;)
Last time I went there, I made it freeze over. Made it lose most of its charm, and I don't plan on going back. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473