regex 'fun'
Alexander Clouter
alex at digriz.org.uk
Wed Nov 4 16:00:30 CET 2009
Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>
>> proxy that does the talking to Eduroam; okay I am now touting the
>> 'separate' proxy...but Eduroam has some pretty unique requirements that
>> *no-one* else does and this is the key point.
>
> 'eduroam' not Eduroam please! ;-)
>
Bah, read that the other way wrong...gah.
>> So the bar (including the administrative work both for you and the
>> end-sysadmin does) is set low. If RADSEC raises that bar it has failed.
>> It's 2009, it is meant to be *easier* for systems to communicate with
>> one another...if you are implementing something that is more difficult
>> it is the wrong solution. That does not just apply to Eduroam either :)
>
> err, no. the current concept would be something like...
>
> 1) end site gets connected and asks eduroam for a cert for their server
> 2) NREN validates request
> 3) end site gets the cert and adds it to their server
>
> that's all easy and requires no skills...agreed?
>
*sigh*
Forget RADSEC then, you might as well use IPsec in transport mode with AH
(as hell we are already shifting EAP traffic around so ESP would be
pointless) and then you can do it with bog standard RADIUS; although
someone will need to sort out the "route straight to domain SRV record"
bit.
> now, the 'technical part'
>
> end site reconfigures their RADIUS server so it knows about that
> cert .... oh, something like
>
> radsec_cert = myservercert.der
> radsec_ca = eduroam-ca.der
>
So, 'eduroam-ca.der' can be a *group* of Root CAs I hope and there is a
way to make sure that when the original CA reaches its end of life you
get *all* the sysadmins involved to update it to have the two CAs for a
while and then on a 'd-day' to remove the old one?
> if that's raised the bar then it's a tiny tiny raise that even an ant couldn't
> get under IMHO.
>
Kinda my point is there is no reason why the bar could not be lowered
further. The DNS idea was a hare-brained idea of mine and I think it is
crazy enough to work...plus it is using the *existing* infrastructure;
plus finally admitting that eduroam is *not* something that can be
wholly accepted by an RFC...it is an exception.
This is obviously turning into an Alex vs World argument. :-/
> okay - some of this might be over-simplified for the initial beta-testers
> of such new functionality but it's pretty much what people are visualising
> as the real-life way of things working...... so, no need for weird external
> programs and PERL code...no need for PGP or whitelists. the only thing
> missing would be
>
You better hope you are living on a remote inaccessible tropical island
when that Root CA implodes. :)
RADSEC with the PKI infrastructure eduroam is touting is a ticking time
bomb and knowing the educational world they are going to notice this
international trust network and want to shovel their own cruft over it
too. When d-day arrives, it is going to break hard....the ides of March
I tell you the ides of March.
Bah, to hell with you all ;)
Cheers
--
Alexander Clouter
.sigmonster says: Every time I think I know where it's at, they move it.
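Editor's note, not part of Alex's or Alan's mail and not FreeRADIUS code: the rollover Alex is asking about above (a radsec_ca bundle that carries a *group* of roots, both old and new CA present for a while, then the old one dropped on 'd-day') can be tested in miniature without any real eduroam or NREN certificates. The Go program below, an added example, builds two constructed self-signed roots, issues a server certificate under each, and checks each server certificate against the three trust bundles a site would carry before, during and after the change. Every name in it (the CA names, radius.example.ac.uk, the function names) is made up for the demonstration; only Go's standard crypto/x509 library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed names for the demonstration; not real eduroam or NREN identities.
const (
	oldRootName = "Example Root CA (old)"
	newRootName = "Example Root CA (new)"
	serverHost  = "radius.example.ac.uk"
)

// template builds a one-day certificate template: a signing CA when isCA is
// set, otherwise a TLS server certificate whose host name is name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign generates a fresh P-256 key and issues tmpl with it; a nil parent
// yields a self-signed root, otherwise parent and parentKey sign the cert.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusts is the peer-side check a RadSec node makes against its radsec_ca
// bundle: does cert chain to any of the given roots for the expected host?
func trusts(cert *x509.Certificate, host string, bundle ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, root := range bundle {
		pool.AddCert(root)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// RolloverOutcome records which server certificates each bundle accepts.
type RolloverOutcome struct {
	OldOnlyAcceptsNew                    bool // before the rollover starts
	OverlapAcceptsOld, OverlapAcceptsNew bool // both roots shipped in radsec_ca
	AfterAcceptsOld, AfterAcceptsNew     bool // d-day: old root removed
}

// SimulateRollover issues one server cert under each root and checks it
// against the bundles a site carries before, during and after the change.
func SimulateRollover() (RolloverOutcome, error) {
	var out RolloverOutcome
	oldRoot, oldKey, err := sign(template(oldRootName, true), nil, nil)
	if err != nil {
		return out, err
	}
	newRoot, newKey, err := sign(template(newRootName, true), nil, nil)
	if err != nil {
		return out, err
	}
	oldSigned, _, err := sign(template(serverHost, false), oldRoot, oldKey)
	if err != nil {
		return out, err
	}
	newSigned, _, err := sign(template(serverHost, false), newRoot, newKey)
	if err != nil {
		return out, err
	}
	out.OldOnlyAcceptsNew = trusts(newSigned, serverHost, oldRoot)
	out.OverlapAcceptsOld = trusts(oldSigned, serverHost, oldRoot, newRoot)
	out.OverlapAcceptsNew = trusts(newSigned, serverHost, oldRoot, newRoot)
	out.AfterAcceptsOld = trusts(oldSigned, serverHost, newRoot)
	out.AfterAcceptsNew = trusts(newSigned, serverHost, newRoot)
	return out, nil
}
```

The ordering this makes visible is the whole operational risk in the thread: a server that starts presenting a certificate from the new root before every peer's bundle holds that root is rejected (OldOnlyAcceptsNew is false), and a peer that drops the old root before every server has re-enrolled rejects the stragglers (AfterAcceptsOld is false). The bundle update has to reach all sites first, the server certificates are reissued second, and only then can the old root be removed.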