Hello,

over the past few IETFs, I talked about draft-winter-opsawg-eap-metadata.

In a nutshell: end users get EAP configuration wrong because it's too complex, and as a result they are vulnerable to many badnesses out there in the Wi-Fi world. A common config format would settle all the complex pieces automatically for them, and make the internet a safer place for them.

I got many good comments on the mic regarding the draft. I recall Hannes Tschofenig commenting that the scope should be larger than EAP properties: it should also configure the actual network context around the EAP credentials, namely the SSID etc., along with its various properties to fully configure (encryption level...). Phillip Hallam-Baker commented that the file format should be usable across all kinds of devices, like a smartwatch, for those devices do not have a good UI to configure manually.

I've factored in all this and am going to submit a draft with a new name just before the cut-off (when else :-) ). It's probably going to be draft-winter-opsec-netconfig-metadata-00 because I believe that opsec is the better place to discuss this: it has an operations dimension - config needs to be moved around - but it also has a security dimension because failure to get a good config may make it appear like things work, while actually putting users at risk (e.g. if server certs are not checked while they should be).

With the previous, EAP-only approach we already have very good results in our EAP-based Wi-Fi roaming consortium eduroam: there's an Android app that can consume the settings, and it makes the security posture change from Android's default "don't validate, don't bother user, just send password" to the gold standard "validate cert chain, server name, pin EAP method". People are using it, and happily so (within the limitations of Android; talk to me for anecdotes :-) ). There is also a Linux app that can consume the same file format.

With the expansion of scope to actual network defs, the file format becomes much more useful, and I believe this has a real chance of becoming more widespread. So, even though I haven't been to opsec before, I'd like to request a meeting slot for IETF95 there to discuss this new draft. All this with the hope for WG adoption of course :-) Please let me know if it's possible to allocate, say, 10 minutes for the draft?

Greetings,

Stefan Winter

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
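The three properties the message contrasts ("don't validate, just send password" versus "validate cert chain, server name, pin EAP method") can be checked mechanically. The following is an added example, not code from the draft, from eduroam or from the apps mentioned above. Because the draft's own file format is not reproduced on this page, the example audits wpa_supplicant's network block syntax instead, which exposes the same three decisions (ca_cert/ca_path for chain validation, domain_suffix_match and friends for the server name, eap/phase2 for method pinning). The sample configuration, the SSID, the CA path and the identities are all constructed for the example.

```python
"""
Lint wpa_supplicant network blocks for the EAP pitfalls described in the
message above: accepting any EAP method, not validating the server
certificate chain, and not checking the server name.
Added example; not code from the draft, from eduroam or from the apps it mentions.
"""
import re
from typing import Dict, List, Tuple

# Stable finding codes with the user-facing explanation for each.
FINDINGS = {
    "NO_METHOD_PIN": "no 'eap=' line: any EAP method the peer proposes is accepted",
    "NO_CA_CERT": "no 'ca_cert'/'ca_path': the server certificate chain is not validated",
    "NO_NAME_MATCH": "no domain_suffix_match/domain_match/altsubject_match/subject_match: "
                     "any certificate issued by the trusted CA is accepted",
    "NO_INNER_PIN": "tunneled method without 'phase2=': the inner authentication is not pinned",
}
TUNNELED = {"PEAP", "TTLS", "FAST"}
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return each network={...} block as a dict of key -> value (quotes stripped)."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit(net: Dict[str, str]) -> List[str]:
    """Return finding codes for one block; an empty list means it meets the gold standard."""
    if "EAP" not in net.get("key_mgmt", "").upper():
        return []  # PSK or open network: the EAP checks do not apply
    codes = []
    methods = set(net.get("eap", "").upper().split())
    if not methods:
        codes.append("NO_METHOD_PIN")
    if "ca_cert" not in net and "ca_path" not in net:
        codes.append("NO_CA_CERT")
    if not any(k in net for k in NAME_KEYS):
        codes.append("NO_NAME_MATCH")
    if methods & TUNNELED and "phase2" not in net:
        codes.append("NO_INNER_PIN")
    return codes


def audit_conf(conf: str) -> List[Tuple[str, List[str]]]:
    """(ssid, finding codes) for every network block in a wpa_supplicant.conf text."""
    return [(n.get("ssid", "?"), audit(n)) for n in parse_networks(conf)]


# Constructed sample: the same SSID configured three ways (paths and identities are made up).
SAMPLE_CONF = '''
# 1. "just send the password": the posture the message calls Android's default
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    identity="alice@example.org"
    password="s3cret"
}
# 2. Half-way: the chain is validated, but any certificate from that CA is accepted
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    password="s3cret"
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
# 3. Gold standard: chain validated, server name checked, outer and inner method pinned
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="s3cret"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
'''

if __name__ == "__main__":
    for ssid, codes in audit_conf(SAMPLE_CONF):
        status = "OK" if not codes else "; ".join(FINDINGS[c] for c in codes)
        print(f"{ssid}: {status}")
```

Run it as a script to see the three blocks rated; block 1 produces every finding except the inner-method one (there is no outer method to be tunneled), block 2 still accepts any certificate the CA has issued and any inner method, and block 3 is clean. The point the message makes is visible in the diff between blocks 1 and 3: all three blocks connect successfully to a legitimate network, and only the third refuses a rogue access point presenting a certificate the client has not been told to expect.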
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
