SALSA-NetAuth - FWNA conference call
June 16, 2005
*Attendees*
Kevin Miller, Duke U. (co-chair, scribe)
Rich Crop, Penn State
Tony Genovese, ESnet
Mike Helm, ESnet
Dennis Ward, U. Michigan
Klaas Wierenga, SURFnet
Ken Klingenstein, Internet2
Steve Olshansky, Internet2
Jessica Bibbee, Internet2
New *Action Items*
[AI] {Klaas} will send a link to the list of the different profiles of
countries participating in Eduroam
[AI] {SteveO} will post Dennis' use case to the FWNA website
[AI] {Kevin} will contact Mike G to determine the status of the RADIUS
text/experiment document
[AI] {Kevin} will update the document based on the discussion and send
it to MACE
Carry-over *Action Items*
[AI] {Philippe} will draft a use case focusing on shared facilities
between two institutions. (24-Mar-05)
[AI] {Chris} will discuss with Bluesocket the integration capabilities
of web authentication gateways with 802.1x authentication. (24-Feb-05)
*Discussion*
{Klaas} discussed the activities at the TERENA conference in early June
in Poznan, Poland. A focus of the meeting was mobility, authentication,
and authorization. There were presentations by Philippe, and Ken, among
many others in Europe that participate in Eduroam.
The issues that are identified today with Eduroam are:
1. It was started as a grassroots effort, open to everyone. That has
created a myriad of different implementations, with no standardization
on encryption, SSIDs, or even connection mechanism. Going forward,
Klaas believes that a standard SSID and connection type are feasible,
but many encryption types will likely be required, at least for a while.
2. As it becomes popular, maps of where Eduroam provides connectivity
are required, as are weather-maps of whether it is currently working.
3. Increasingly, the system needs to provide attributes and implement
authorization. The obvious ways are with Shibboleth or AAI (still to be
developed).
4. Inter-federation roaming will introduce differences between systems
that need to be resolved. There are some ideas regarding the solution
to this problem, but no clear resolution.
{Kevin} asked if there was any discussion on the use of Eduroam-NG in
non-network authentication environments. {Klaas} indicated that there
was no consensus on this.
{Kevin} asked about support for multiple federations, as the draft JRA5
roaming requirements document explicitly talks about a single
federation for all organizations. {Klaas} said that the AAI
architecture will explicitly discuss the fact that there will not be one
worldwide federation. The roaming document aims for a single federation
for higher education in Europe.
{Tony} mentioned that his notion of a federation (to support grid work)
is that of "People and Policies"; {Ken} said that supporting grid
applications was a high priority, though generally federations are
thought of as "Enterprise and Policies". There was agreement, however,
that supporting multiple federations was a requirement of the system
architecture.
{Kevin} asked how the RADIUS/DNSSEC proposal was received; {Klaas}
indicated it was well received, and he talked with the Telematica
researchers about it. It would require changes to RADIUS servers, so
possibly a combination of the DNSSEC work and Diameter would be a good
solution.
{Ken} discussed his work to date and at TERENA. He mentioned that
eduroam.us has been secured for use at some point here.
He identified several instances where organizations or countries would
have local rules or customs that differ from what one would expect from
the overall roaming system. For example, anyone connecting in Australia
would need to be over 13 years of age. Some schools might charge for
utilization over a certain amount.
The desire is to park these issues for now, but they will need to be
addressed at some point. He started working on a matrix of the issues
he identified. The matrix will be ready for circulation soon.
The term "League of Federations" has been used to describe the
collective group.
Many countries are willing to support Eduroam development. The MICE
group has been established (parallel to MACE), and is looking at
funding Eduroam development.
{Kevin} reviewed the latest draft of his Next Generation Eduroam
proposal. There were a few comments on the document, including a notion
that it seemed like there were many moving parts. Some ideas for
simplification were discussed, though it was also noted that at this
stage, some of the components were presented for completeness.
{Kevin} will revise the document and repost once complete. If there are
additional comments, please post them to the list before next Wednesday.
The next SALSA-NetAuth - FWNA call will be on June 30, 2005 at 11am ET.