ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Admission Control to the IETF 78 and IETF 79 Networks

2010-07-06 12:07:13
from [tytso] [Permanent Link] 
On Sat, Jul 03, 2010 at 03:13:28PM -0400, Phillip Hallam-Baker wrote:


Any time a user has to think when the computer can think for them is a
failure. Every WiFi access control system I have ever used has
required me to configure the computer.

If the designers had actual brains instead of bits of liver strapped
round their waist by dogbert then all that would be necessary to
securely authenticate to the network is to give either the MAC address
of the computer or the fingerprint of the cert.


The MAC address of the computer is trivially forged.  Can be done with
a single ifconfig command.

As far as using certificates --- sure, it's possible to set up EAP-TLS
using client certificates.  It can be done on Mac, Windows, and Linux.
But the setup of that across multiple operating systems and getting
users to correctly set up their certificates, sending a CA signing
request securely to a central system, configuring their client WiFi
system to deal with EAP-TLS, etc., is a usability nightmare.


This configuration is going to cost several minutes per participant.


?Half a minute per participant, maybe; the biggest risk is that they
lose the piece of paper with the wifi login information.  But it's a
one-time setup cost.


Think of it on Enterprise scale and you have significant costs.


On the enterprise scale if you are willing to force everyone to use a
standardized OS configuratoins, then you can do EAP-TLS relatively
cheaply.  I've certainly in use at my current employer, and it's
really not hard, even if you are supporting Mac, Windows, _and_ Linux.
But that doesn't mean it would be easy to do at IETF; in fact, because
IETF doesn't have the power to mandate that all its attendees only use
a specific version of Windows, MacOS, and Linux, with a specific
locked-down stock system load and configuration, using the traditional
username/password via a captive portable is probably the only thing
that does make sense.

                                        - Ted
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: draft-housley-two-maturity-levels, John C Klensin
Next by Date:  RE: [dispatch] VIPR - proposed charter version 3, Richard Shockey
Previous by Thread:  Re: Admission Control to the IETF 78 and IETF 79 Networks, Chris Elliott
Next by Thread:  Re: Admission Control to the IETF 78 and IETF 79 Networks, Mark Atwood
Indexes:  [Date] [Thread] [Top] [All Lists]