I think the driver's license is an interesting analogy, and it causes me to think differently about the issues eduroam raises in a different light. However, as with most analogies, it breaks down quickly (states do have standards coordinated with federal entities on IDs [blustering aside], coordinated training and standards [e.g. car vs truck], integrated license plate databases, user identities on the driver's license when pulled over, etc).
I am interested in the service, and like the idea of enabling researchers better network access. But I'm still troubled by a number of issues which I think could be solvable, but solving them doesn't seem to be in the spirit of the European effort. Just a few:

My understanding is eduroam doesn't allow the host university to know the identity of the user of the local network resource. The host can request it of the remote university, but the remote may or may not respond. It adds complexity to security investigations and law enforcement actions. Local law enforcement can't compel another country's university to release credentials. What might US CALEA implications be in these cases? I realize different laws/rules apply in different localities/entities regarding network use and identity and interpretation by each entity's legal counsel.

My understanding is also that eduroam doesn't have standards for who is granted credentials across institutions participating. At one school it may be faculty/students/staff, while at others that may include alumni/visitors/hobos. Related, I don't believe attributes are revealed in cases where the local institution wished to grant different status to, say, faculty versus student. How do different access policies and charges (for those of us that charge) map?

There may be exposures to user/password credentials utilized. For institutions that use a consistent/single sign-on credential for their network access also, this is once again problematic. [lost the argument about the dangers of using SSO for network access -- even back in the web portal days prior to 802.1x]

It is the same for everyone. I think it is fair to say that every institution requires faculty, staff, and students to accept an AUP before assigning a user ID and password (typically once a year). Simply apply your AUP rules to the eduroam “visitors”.
Do not consider Eduroam users as outsiders/guests of your institution; they are authorized colleagues from neighbouring institutions. They know the rules and more importantly, they are easily traceable. I can drive in your state with my driver’s licence. It is accepted and I am authorized, but I should learn your specific state rules to ensure I am not ticketed. Same idea.

Peter

-William
