[AI] {Chris} will discuss with Bluesocket the integration capabilities of web
authentication gateways with 802.1x authentication. (24-Feb-05)
*Discussion*
The Spring 2005 Internet2 Member Meeting provided a good venue for discussion
of use cases and general FWNA advocacy. See <http://events.internet2.edu/2005/spring-mm/sessionDetails.cfm?session=2040&event=229>
for the set of slides from the presentation.
{Kevin} reviewed the notes from the EduRoam global working group meeting, which
was held in the days following the I2 MM. Several action items came from the
discussion, which included the existing EduRoam model and activities of the
FWNA Working Group. {Kevin} recommended that the FWNA Group participate as much
as possible to feed into these new action items and to help expand future opportunities.
To view the presentations and meeting minutes, refer to <http://www.eduroam.edu.au/gwg-eduroam/meetings/index.html>.
Questions that came from the meeting raised issues such as whether this model is
the right model and whether it is sustainable. What exactly do we want to use and deploy
here? Now is the time to choose an existing model or to consider creating a
different model that suits our needs. What is the best way to approach this
model in terms of servicing different levels – peer-to-peer or a global
level server? If a bottom-up approach is taken, what is the technology that
will back the implementation of our ideas? Caching raises issues of how one
disconnects and roams. These matters need to be dealt with from various angles
– can the technology fix these hierarchical issues? Before proceeding,
we need to consider the real limitations to what might otherwise be reasonable
in theory.
Peer-to-peer options might include DNS, Diameter, etc. A model that operates
as islands of Radius hierarchy may work; this would leave connections between
countries open for discussion, depending on what would be useful. Are there
other possibilities outside of traditional Radius? A key question is whether
this would be done inline, on-band or through Radius. It could likely be done
as a single Radius attribute, such as through SAML. A fundamental notion is
that the implementation of granular AuthZ of users at home and at the visited
site depends on the visited site having access to user attributes – through
an attribute exchange program. How are the users affiliated to the home institution?
Do they have an active relationship that can provide assurance, or are
they just using a login name that is minimally affiliated to the home institution?
What sort of architecture should be used to implement for service provisioning
of attributes? A variety of users, such as K-12 have different requirements
that will impact how attributes are provisioned. What is the best way to authorize
information and how are attributes passed? Will the next generation of roaming
require the mapping and provisioning of these attributes on your campus? Most
likely, there will be a minimum set of attributes – user ID, name, etc.
This would provide an option to request additional attributes freely, and it
would be up to the home institution whether or not to pass on those attributes.
As the models evolve, there will arise standards to follow.
How can we think about interoperability of the implementation of the attribute
systems? The global working group is working towards a few implementations of
this. [AI] {Kevin} will post documentation for possible implementations of an
attribute exchange system and identify interoperability of different management
systems with EduRoam architectures. [AI] {Kevin} will sketch out other implementations
of Radius interconnection strategies. Anyone interested in working with {Kevin}
on this project may contact him.
{James} mentioned a project that Lichen is working on, whose objectives are
to identify scenarios and adaptations. How do you validate technical feasibility
for AuthN? This looks into the potential between EduRoam and Shib, and how the
AuthN and AuthZ space is handled. [AI] {James} will post information to the
SALSA-FWNA list regarding the Lichen project, which is investigating a lightweight
and scalable AAI over a Radius referral proxy infrastructure. For more details,
see <http://lichen.bris.ac.uk/twiki/bin/view/LICHEN/WebHome>.
{Philippe} updated the Group on the progress of the experimental website, which
has put up a Radius server. There is a user page with information on how to
join, and one may also act as a visitor, even if you are in fact joining locally.
This service is open to anyone, with the intent that it will serve as a small-scale
experiment prior to full-production scale. Diversity, in terms of testing, is
more important than the actual quantity of connections. This is a low-profile
opportunity to experiment internally with Radius technology and gain experience,
while working out any problems before widespread implementation. There are
several components that need to be tested – how well does roaming work
across a long connection, and is that connection smooth? [AI] {Kevin} will communicate
with {Chris} regarding Utah.edu's server connection to EduRoam.
The next SALSA-NetAuth – FWNA conference call will be Thursday, June 2,
2005 at 11am ET.