Re: Admission Control to the IETF 78 and IETF 79 Networks

On Tue, Jul 6, 2010 at 2:37 PM, Mark Atwood <mra@xxxxxxxxx> wrote:
> As far as using certificates --- sure, it's possible to set up EAP-TLS
> using client certificates.  It can be done on Mac, Windows, and Linux.
> But the setup of that across multiple operating systems and getting
> users to correctly set up their certificates, sending a CA signing
> request securely to a central system, configuring their client WiFi
> system to deal with EAP-TLS, etc., is a usability nightmare.

That is sadly true.  However, it would still be a good idea to do at
the IETF gathering, *because* it is currently a usability nightmare.
There is not enough both real world experience, and exposure of IETF
participant attendees to actual "tip of the spear" usability of
interesting use cases like this.

If lots of smart and networking aware people all get the chance to do
this kind of "interop and usability" "testing" all at once, then a lot
of useful knowledge, tips, howtos, bug discovery, and application
feedback will happen, which I believe can only be a good thing towards
fixing the usability bottleneck that client certs are today.

This can be done in the context of what we are setting up to do authentication for the next two meetings, but will take a fair amount of work, and will add to the complexity of getting on the network for attendees.

We will be using 802.1X and portal software (users can choose which they wish to use--either or both) to communicate authentication information with users. Both will be using RADIUS on the back end. Supporting an additional EAP method (TLS) for 802.1X is trivial. Supporting TLS for the portal is likely to be fairly easy as well.

However, this would require the IETF have a certificate infrastructure. Which does not exist. And a mechanism for users to request certs securely. So, right there, we have the chicken and egg issue--what do users use to authenticate themselves before they have a cert? I'd suggest that the same method we are planning on using to authenticate users (reg ID or anonymous ID obtained by IETF badge holders from the reg desk) can be used. This means that we've just required a whole series of additional steps to be done by attendees. So I don't see the NOC team taking this on.

I would support an experiment, if someone or some group is willing to run with it, that would do the above. I believe that the changes needed to support such an experiment (supporting TLS for authentication) could be done by the NOC team without too much additional effort. However, this person or group would have to take on setting up the CA infrastructure, integrating it with the FreeRADIUS server we will be using, and instructing attendees on how to participate in the experiment.

Note that this is not a typical environment for certs. We are trying to authenticate that users are a member of a group (IETF attendees) while (optionally) preserving anonymity for users. I would suggest that a certificate experiment try to replicate these same criteria, which may or may not make it a useful experiment for the usage of user certs in general.

So, if you, or anyone, is interested in running an experiment please put in your request. We support various experiments on the IETF networks most meetings, and this could be a useful, or at least educational, one.

Chris.
 
..m
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


--
Chris Elliott
chelliot@xxxxxxxxx
CCIE # 2013
