On Sat, Jul 03, 2010 at 03:13:28PM -0400, Phillip Hallam-Baker wrote:
>
> Any time a user has to think when the computer can think for them is a
> failure. Every WiFi access control system I have ever used has
> required me to configure the computer.
>
> If the designers had actual brains instead of bits of liver strapped
> round their waist by dogbert then all that would be necessary to
> securely authenticate to the network is to give either the MAC address
> of the computer or the fingerprint of the cert.

The MAC address of the computer is trivially forged. Can be done with a single ifconfig command.

As far as using certificates --- sure, it's possible to set up EAP-TLS using client certificates. It can be done on Mac, Windows, and Linux. But the setup of that across multiple operating systems and getting users to correctly set up their certificates, sending a CA signing request securely to a central system, configuring their client WiFi system to deal with EAP-TLS, etc., is a usability nightmare.

> This configuration is going to cost several minutes per participant.

Half a minute per participant, maybe; the biggest risk is that they lose the piece of paper with the wifi login information. But it's a one-time setup cost.

> Think of it on Enterprise scale and you have significant costs.

On the enterprise scale, if you are willing to force everyone to use standardized OS configurations, then you can do EAP-TLS relatively cheaply. I've certainly seen it in use at my current employer, and it's really not hard, even if you are supporting Mac, Windows, _and_ Linux.

But that doesn't mean it would be easy to do at IETF; in fact, because IETF doesn't have the power to mandate that all its attendees only use a specific version of Windows, MacOS, and Linux, with a specific locked-down stock system load and configuration, using the traditional username/password via a captive portal is probably the only thing that does make sense.
- Ted

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
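As an added illustration, not part of Ted's message and not any IETF or employer configuration, here is what the per-client half of the EAP-TLS setup he describes looks like in wpa_supplicant's configuration format. The SSID, identity, hostname and certificate paths are placeholders. The point worth noticing is that beyond installing a CA-signed client certificate, the client must also be told which CA and which server name to trust; without that, it will complete the TLS handshake with whatever authentication server the access point forwards it to, which is the part of the setup users most often skip.

```conf
# Added example: an EAP-TLS network block in wpa_supplicant.conf syntax.
# Every value is a placeholder; adjust paths and names for a real deployment.
ctrl_interface=/var/run/wpa_supplicant

network={
    # Placeholder SSID of the 802.1X-protected network.
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=TLS
    # Placeholder outer identity sent to the RADIUS server.
    identity="user@example.com"
    # The private CA that issued the authentication server's certificate.
    # Pointing this at the system's public root store would let any publicly
    # issued certificate satisfy the check.
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    # Pin the expected server name. domain_suffix_match is available in
    # wpa_supplicant 2.x releases, which postdate this 2010 thread; older
    # builds only offer subject_match.
    domain_suffix_match="radius.example.com"
    # The per-user certificate and key: obtaining these is the enrolment step
    # (CSR to a central CA, install the signed result) that the message calls a
    # usability nightmare across several operating systems.
    client_cert="/etc/wpa_supplicant/user.pem"
    private_key="/etc/wpa_supplicant/user.key"
    private_key_passwd="placeholder-passphrase"
}
```

A client would then be started with something like `wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf`; each of Mac, Windows and Linux has its own equivalent of this block, which is exactly the cross-platform provisioning burden the message is weighing against a captive portal.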