
Re: Admission Control to the IETF 78 and IETF 79 Networks

2010-07-06 14:13:11
On Tue, Jul 6, 2010 at 2:37 PM, Mark Atwood <mra(_at_)pobox(_dot_)com> wrote:

As far as using certificates --- sure, it's possible to set up EAP-TLS
using client certificates.  It can be done on Mac, Windows, and Linux.
But the setup of that across multiple operating systems and getting
users to correctly set up their certificates, sending a CA signing
request securely to a central system, configuring their client WiFi
system to deal with EAP-TLS, etc., is a usability nightmare.

That is sadly true.  However, it would still be a good idea to do at
the IETF gathering, *because* it is currently a usability nightmare.
There is not enough of both real-world experience and exposure of IETF
participant attendees to the actual "tip of the spear" usability of
interesting use cases like this.

If lots of smart and networking-aware people all get the chance to do
this kind of "interop and usability" "testing" all at once, then a lot
of useful knowledge, tips, howtos, bug discovery, and application
feedback will happen, which I believe can only be a good thing towards
fixing the usability bottleneck that client certs are today.


This can be done in the context of what we are setting up to do
authentication for the next two meetings, but will take a fair amount of
work, and will add to the complexity of getting on the network for
attendees.

We will be using 802.1X and portal software (users can choose which they
wish to use--either or both) to communicate authentication information with
users. Both will be using RADIUS on the back end. Supporting an additional
EAP method (TLS) for 802.1X is trivial. Supporting TLS for the portal is
likely to be fairly easy as well.

However, this would require that the IETF have a certificate infrastructure,
which does not exist, and a mechanism for users to request certs securely.
So, right there, we have the chicken-and-egg issue: what do users use to
authenticate themselves before they have a cert? I'd suggest that the same
method we are planning on using to authenticate users (reg ID or anonymous
ID obtained by IETF badge holders from the reg desk) can be used. This means
that we've just required a whole series of additional steps to be done by
attendees. So I don't see the NOC team taking this on.

I would support an experiment, if someone or some group is willing to run
with it, that would do the above. I believe that the changes needed to
support such an experiment (supporting TLS for authentication) could be done
by the NOC team without too much additional effort. However, this person or
group would have to take on setting up the CA infrastructure, integrating it
with the FreeRADIUS server we will be using, and instructing attendees on
how to participate in the experiment.

Note that this is not a typical environment for certs. We are trying to
authenticate that users are a member of a group (IETF attendees) while
(optionally) preserving anonymity for users. I would suggest that a
certificate experiment try to replicate these same criteria, which may or
may not make it a useful experiment for the usage of user certs in general.

So, if you, or anyone, is interested in running an experiment please put in
your request. We support various experiments on the IETF networks most
meetings, and this could be a useful, or at least educational, one.

Chris.


..m
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf



-- 
Chris Elliott
chelliot(_at_)pobox(_dot_)com
CCIE # 2013
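As an added worked example (not code from this thread, the IETF NOC, or any of the posters), the POSIX shell script below sketches the CA side of the experiment Chris describes: a meeting-scoped CA, enrollment of an attendee under a pseudonymous ID in the group "IETF attendees", and the chain check a RADIUS server performs at EAP-TLS time, including rejection of a certificate issued by a CA that is not the meeting's. The file layout, the OU string "IETF 78 attendee", the IDs "anon-0042" / "anon-9999" and the "meeting" / "rogue" CA names are all assumptions made for the illustration; it needs only `openssl` in PATH.

```shell
#!/bin/sh
# Added illustration of a meeting-scoped attendee CA for an EAP-TLS experiment.
# Not the IETF NOC's tooling. Assumes: openssl in PATH; the pseudonymous
# attendee ID (e.g. anon-0042) is whatever the reg desk hands out.
set -e
WORK="${WORK:-$(mktemp -d)}"
GROUP_OU="IETF 78 attendee"   # assumed: group membership carried in the cert

# Create a self-signed CA valid only for roughly the meeting window.
# ca_name is "meeting" for the real one; "rogue" is used to show rejection.
make_ca() {
    ca_name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$ca_name-ca.key" -out "$WORK/$ca_name-ca.crt" \
        -subj "/O=IETF NOC Experiment/CN=$ca_name attendee CA" \
        -days 30 >/dev/null 2>&1
}

# Enroll one attendee. The key and CSR are generated on the attendee side;
# only the CSR would travel to the CA (after the reg-ID/anon-ID step that
# solves the chicken-and-egg problem). The subject carries the pseudonymous
# ID and the group OU and nothing that identifies the person.
issue_attendee_cert() {
    ca_name="$1"; anon_id="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$anon_id.key" -out "$WORK/$anon_id.csr" \
        -subj "/O=IETF NOC Experiment/OU=$GROUP_OU/CN=$anon_id" >/dev/null 2>&1
    # Extensions the CA imposes regardless of what the CSR asked for:
    # never a CA, and usable only as a TLS client.
    cat > "$WORK/client-ext.cnf" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
EOF
    # Short lifetime: membership in "this meeting's attendees" expires with it.
    openssl x509 -req -sha256 -days 7 \
        -in "$WORK/$anon_id.csr" \
        -CA "$WORK/$ca_name-ca.crt" -CAkey "$WORK/$ca_name-ca.key" -CAcreateserial \
        -extfile "$WORK/client-ext.cnf" \
        -out "$WORK/$anon_id.crt" >/dev/null 2>&1
}

# What the RADIUS server does with the presented cert: chain it to the
# meeting CA and require a TLS-client purpose. Prints "ok" or "fail".
verify_attendee_cert() {
    ca_name="$1"; anon_id="$2"
    if openssl verify -CAfile "$WORK/$ca_name-ca.crt" -purpose sslclient \
        "$WORK/$anon_id.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Subject of an issued cert, so a reviewer can confirm no real name leaks.
cert_subject() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject
}

# Stand-alone walk-through: the meeting CA's cert verifies, the rogue CA's does not.
if [ "${RUN_DEMO:-1}" = 1 ] && [ -z "$SKIP_DEMO" ]; then
    make_ca meeting
    make_ca rogue
    issue_attendee_cert meeting anon-0042
    issue_attendee_cert rogue anon-9999
    echo "meeting-issued cert: $(verify_attendee_cert meeting anon-0042)"
    echo "rogue-issued cert:   $(verify_attendee_cert meeting anon-9999)"
    cert_subject anon-0042
fi
```

On the RADIUS side this maps to pointing the EAP-TLS module's trust store (the `CA_file` setting of the 2.x `eap.conf` `tls` section) at `meeting-ca.crt`; the NAS then learns only that the peer holds a certificate from the meeting CA with the attendee OU, which is exactly the "member of the group, optionally anonymous" criterion in the post. What the script does not cover, and the experiment would still have to decide, is revocation for a cert whose holder misbehaves; with seven-day certificates the exposure window is at least bounded.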