Hello, > I think Eduroam is the only (N x N) deployment I've seen where N > 10. And even we are avoiding N^2 complexity at the moment with a tree structure: star topology with central proxy from institutions within a country, star topology of country proxies to root. If you care enough: even with RadSec and peer resolution, we might still have proxies in between, for entirely non-technical reasons. Some countries want to reserve the right to filter attributes at a national level, so any resolution technique would be configured on their side to end up at the national TLD proxy, and be distributed onwards from there. > Since Eduroam is using RadSec, I suspect that the N^2 issue could be > solved by leveraging a central Eduroam Certificate Authority. It would > issue, and sign, certificates for each participating institution or > country. Each particpant would then be responsible for using those > certs, and for validating the certs of Eduroam partners. That is exactly the plan. We are not quite there yet with full deployment, but on our way. > > 2. RFC 4107 criteria do not apply to a RADIUS crypto-agile solution: > > a. RADIUS client-server communication is not an N^2 problem (except > > perhaps in the roaming > > situation where end-to-end protection is being provided). > > Yes. We are facing a requirement of RADIUS-at-roaming-end to RADIUS-at-thome-end security, which is where my wish to have auto key mgmt came from. The concrete use case we have is that some countries need the age of a user to determine if he's legally allowed to get unfiltered internet access. This means we would need to transfer either birthday or at least age via RADIUS. This kind of user attribute can be easily tied to a concrete User-Name in most cases and is thus subject to law regulations regarding transmission and storage of personal data. For the moment our only solution is to keep eduroam to higher ed and research only, where all eligible users can be expected to be over eighteen. We are currently working on a quite sophisticated out-of-band handshaking for such data (there are more examples than just age), but would be a lot happier if there was an easy in-band solution. I agree though that our woes in that regard are pretty much unique. Greetings, Stefan -- Stefan WINTER RESTENA Foundation - Réseau Téléinformatique de l'Education Nationale et de la Recherche R&D Engineer 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Attachment:
signature.asc
Description: This is a digitally signed message part.