regex 'fun'

Stefan Winter stefan.winter at restena.lu
Thu Nov 5 08:32:44 CET 2009


Hi,

> *sigh*
>
> Forget RADSEC then, you might as well use IPsec in transport mode with AH 
> (as hell we are already shifting EAP traffic around so ESP would be 
> pointless) and then you can do it with bog standard RADIUS; although 
> someone will need to sort out the "route straight to domain SRV record" 
> bit.
>   

People in eduroam have tried RADIUS over IPsec and it was a pest. They
gave up on it and switched to RadSec meanwhile. And for RadSec, routing
via DNS has been known (in a commercial product) since the early 2000s and
was picked up in the IETF as of 2007. I just saw Alan Buxey referenced the
current state of it in his latest mail.

> So, 'eduroam-ca.der' can be a *group* of Root CAs I hope and there is a 
> way to make sure that when the original CA reaches its end of life you 
> get *all* the sysadmins involved to update it to have the two CAs for a 
> while and then on a 'd-day' to remove the old one?
>   

The current plans in eduroam do indeed foresee a group of CAs: one for
each National Research Network that's willing to operate its own, and a
catch-all CA for the rest. All of which have individual rollover dates.
And have their own CRLs which need to be reloaded regularly (which
means that there is no one D-Day). Sounds dreadful to you? Simple: a
repository with CAs and CRLs, a cron job to fetch the current state
once per day or so, and a HUP to pick it up. Nothing a server operator
should be afraid of.


CRL reload in OpenSSL is a pest right now, and we're eagerly waiting for
OpenSSL 1.0.0 which is claimed to be able to do this properly.

> Kinda my point is there is no reason why the bar could not be lowered 
> further.  The DNS idea was a hare-brained idea of mine and I think it is 
> crazy enough to work...plus it is using the *existing* infrastructure; 
> plus finally admitting that eduroam is *not* something that can be 
> wholly accepted by an RFC...it is an exception.
>
> This is obviously turning into an Alex vs. World argument. :-/
>   

We've spent tremendous amounts of thought and taxpayer money thinking
about this. Without knowing your own flavour of DNS idea: how do you
solve the following:

- eduroam is for educational use only
- microsoft.com sets up a RADIUS server and enters a DNS record for it
- eduroam hotspot gets a user login from microsoft.com, looks up server,
authenticates, user uses network
- damn, we just allowed a commercial user into our network and violated
our own AUP and national regulations!

We think PKI (and certificates that hold accreditation info) comes to
the rescue. What rescues you?

> RADSEC with the PKI instructure eduroam is touting is a ticking time 
> bomb and knowing the educational world they are going to notice this 
> international trust network and want to shovel their own cruft over it 
> too.  When d-day arrives, it is going to break hard....the ides of March 
> I tell you the ides of March.
>   

Without a specific D-Day, your statement above loses much of its sense.

> Bah, to hell with you all ;)
>   

Last time I went there, I made it freeze over. Made it lose most of its
charm, and I don't plan on going back.

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
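The "repository plus cron job plus HUP" procedure described in the message, written out as an added example (not code from the eduroam project or from FreeRADIUS). It assumes the repository has already been synced to a local directory (e.g. by rsync or curl over HTTPS), that CA files end in .pem/.crt and CRLs in .crl, and that the RADIUS daemon writes its PID to a pidfile; these names are assumptions, as are the placeholder PEM files, which are constructed and carry no real certificate data. The script only checks PEM framing and leaves signature verification of the fetched files to openssl, so it runs offline.

```python
"""Daily trust-store refresh for a RadSec server: pull the current CA
certificates and CRLs from a repository directory, install them atomically,
and HUP the RADIUS daemon only when something actually changed.

Added example, not eduroam's or FreeRADIUS's own code. Assumed names:
repository directory, .pem/.crt and .crl suffixes, eduroam-ca.pem and
eduroam-crl.pem as the installed bundles, and a pidfile for the daemon."""
import hashlib
import os
import signal
import tempfile
from pathlib import Path

CA_SUFFIXES = (".pem", ".crt")
CRL_SUFFIXES = (".crl",)


def looks_like_pem(text, kind):
    """Framing check only: exactly one BEGIN/END pair of the given kind, BEGIN first.
    It does not verify signatures or validity dates (see usage note)."""
    begin, end = f"-----BEGIN {kind}-----", f"-----END {kind}-----"
    return (text.count(begin) == 1 and text.count(end) == 1
            and text.index(begin) < text.index(end))


def build_bundles(repo):
    """Concatenate CAs and CRLs from the repository into two PEM bundle strings.
    A file that is neither a cert nor a CRL aborts the run: better to keep
    yesterday's trust store than to install something unexpected."""
    cas, crls = [], []
    for path in sorted(Path(repo).iterdir()):
        text = path.read_text()
        if path.suffix in CA_SUFFIXES and looks_like_pem(text, "CERTIFICATE"):
            cas.append(text.strip() + "\n")
        elif path.suffix in CRL_SUFFIXES and looks_like_pem(text, "X509 CRL"):
            crls.append(text.strip() + "\n")
        else:
            raise ValueError(f"refusing to install {path.name}: not a PEM cert or CRL")
    if not cas:
        raise ValueError("repository contains no CA certificates")
    return "".join(cas), "".join(crls)


def atomic_write(path, data):
    """Write to a temp file in the same directory, then rename over the target,
    so the daemon never reads a half-written bundle."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    os.replace(tmp, path)


def refresh(repo, target, pidfile=None, send_signal=os.kill):
    """One cron run. Returns True if the bundles changed (and a HUP was sent)."""
    target = Path(target)
    target.mkdir(parents=True, exist_ok=True)
    ca_data, crl_data = build_bundles(repo)
    digest = hashlib.sha256(f"{ca_data}\0{crl_data}".encode()).hexdigest()
    stamp = target / ".bundle-digest"
    if stamp.exists() and stamp.read_text() == digest:
        return False  # nothing new today: no reload needed
    atomic_write(target / "eduroam-ca.pem", ca_data)
    atomic_write(target / "eduroam-crl.pem", crl_data)
    atomic_write(stamp, digest)
    if pidfile and Path(pidfile).exists():
        send_signal(int(Path(pidfile).read_text().strip()), signal.SIGHUP)
    return True


# Constructed placeholders: valid PEM framing, no real DER inside.
FAKE_CA = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
FAKE_CRL = "-----BEGIN X509 CRL-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END X509 CRL-----\n"


def demo():
    """Three runs against a constructed repository: the first installs and HUPs,
    the second sees no change and stays quiet, the third picks up a new CRL."""
    hups = []
    with tempfile.TemporaryDirectory() as tmp:
        repo, target = Path(tmp) / "repo", Path(tmp) / "certs"
        repo.mkdir()
        (repo / "nren-a.pem").write_text(FAKE_CA)       # one NREN's CA
        (repo / "catch-all.pem").write_text(FAKE_CA)    # the catch-all CA
        (repo / "nren-a.crl").write_text(FAKE_CRL)
        pidfile = Path(tmp) / "radiusd.pid"
        pidfile.write_text("4242\n")
        fake_kill = lambda pid, sig: hups.append((pid, sig))  # record instead of signalling
        first = refresh(repo, target, pidfile, fake_kill)
        second = refresh(repo, target, pidfile, fake_kill)
        (repo / "catch-all.crl").write_text(FAKE_CRL)   # a CRL was re-issued
        third = refresh(repo, target, pidfile, fake_kill)
        ca_count = (target / "eduroam-ca.pem").read_text().count("BEGIN CERTIFICATE")
        crl_count = (target / "eduroam-crl.pem").read_text().count("BEGIN X509 CRL")
    return {"runs": (first, second, third), "hups": len(hups),
            "ca_certs": ca_count, "crls": crl_count}


if __name__ == "__main__":
    print(demo())
```

Sending the HUP only when the digest changes keeps the daemon from reloading needlessly on the other 364 days, and the rename-over-target write means a crash mid-run leaves the previous bundles in place. Before installing, a real job should verify each fetched CRL against the CA bundle (for instance `openssl crl -noout -in nren-a.crl -CAfile eduroam-ca.pem`) and check each CA file with `openssl x509 -noout -in`; that step is deliberately left outside this script. A cron entry such as `17 4 * * * /usr/local/sbin/refresh-trust` is an assumed schedule, not one from the message.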
