Re: [87attendees] IETF wireless

Chris Elliott <chelliot@pobox.com> Thu, 08 August 2013 11:47 UTC

In-Reply-To: <52033C35.8060707@restena.lu>
From: Chris Elliott <chelliot@pobox.com>
Date: Thu, 08 Aug 2013 07:46:43 -0400
Message-ID: <CAO_RpcLxTeFvXBNvTJn3Hw0jFDKUzymod7_Siy9V7FseKYUT=g@mail.gmail.com>
To: Stefan Winter <stefan.winter@restena.lu>
Cc: "87attendees@ietf.org" <87attendees@ietf.org>
Subject: Re: [87attendees] IETF wireless

Stefan,

The cert we are using for the IETF SSIDs authenticated via 802.1X (not
including eduroam) is from the same CA that is providing the certs for the
rest of the IETF (including web, email, dnssec, and more, I believe). This
CA (Starfield Secure Certification Authority) is in most or all recent OSes'
and browsers' root certificate stores. Which means most 802.1X supplicants
/can/ verify the server cert we supply. It's up to the user to not un-check
the "Check server cert" box! Our thought was that that was sufficient.

However, we certainly can look into doing as you suggest and publishing
more information. Of course, the page we post this to will probably also be
verified by this same CA... ;-)

Chris.


On Thu, Aug 8, 2013 at 2:35 AM, Stefan Winter <stefan.winter@restena.lu> wrote:

> Hi,
>
> > Scary how many are using the unencrypted wifi.
>
> Don't only count the ietf.1x network. The IETF also provides eduroam,
> which is WPA2/AES with 802.1X and - sorry, NOC: actual server
> certificate verification, not a "don't verify ours, and we won't verify
> yours".
>
> The Max numbers in the NOC report are
>
> the 3 "secure" ones: 25 + 27 + 37 = 89
> the two "edu" ones: 38 + 53 = 91
>
> Which makes for a total of 180 max simultaneous encrypted connections.
>
> Sure, compared to approx. 700 on the open networks it's not really so
> great, but still quite a significant portion.
>
> > A suggestion for next IETF would be to call the 802.1x wifi "IETF" and
> > the open one "IETF_UNENCRYPTED".
>
> Without verifying the server cert of the 802.1x network, you may well
> talk to the network encryptedly, but the network might be a MitM who can
> decrypt and snoop out your traffic.
>
> The ietf.1x network is just not as good as it could be - maybe more
> people would be inclined to use it if it provides the extra benefit of
> being able to identify itself as *the genuine* IETF network. Neither the
> open network nor the ietf.1x currently do that.
>
> The fix would be surprisingly simple: in the Network Information page,
> actually *publish* the CA cert and its fingerprint that signs the auth
> server, and also publish the server's subject/subjectAltNames. This
> allows every user to check whether he's on the real thing when connecting.
>
> There are also provisioning tools that can install the CA certs and EAP
> settings onto client devices. It's not rocket science.
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
>
> _______________________________________________
> 87attendees mailing list
> 87attendees@ietf.org
> https://www.ietf.org/mailman/listinfo/87attendees
>
-- 
Chris Elliott
chelliot@pobox.com
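Stefan's proposal above (publish the CA fingerprint and the auth server's subject/subjectAltNames, then have clients actually verify them) is straightforward to exercise with openssl. The script below is an added example for this thread, not the IETF NOC's own tooling or eduroam's provisioning tool: it builds a throwaway CA plus a second "rogue" CA, issues a RADIUS server certificate, prints the values a NOC would publish, runs the check a supplicant (or a user checking by hand) should perform before sending credentials, and emits a wpa_supplicant network block that pins the published CA and server name. All names (radius.example.org, "Example NOC CA", the identity and password, the example.org suffix) are constructed for the demo; only the SSID name ietf.1x is taken from the thread.

```shell
#!/bin/sh
# Added example: build a demo PKI with openssl, show what to publish for an
# 802.1X network, and perform the supplicant-side verification described in
# the thread. Hostnames, CA names and credentials below are made up.

# Minimal openssl config so the run does not depend on the distro's openssl.cnf.
write_cnf() {
  cat >"$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_pki DIR: writes ca.pem (the genuine CA), rogue-ca.pem (an attacker's CA)
# and server.pem (issued by ca.pem, SAN radius.example.org) into DIR.
make_pki() {
  pki_dir=$1
  write_cnf "$pki_dir/openssl.cnf"
  for ca_name in ca rogue-ca; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$pki_dir/$ca_name.key"
    openssl req -x509 -new -key "$pki_dir/$ca_name.key" -config "$pki_dir/openssl.cnf" \
      -subj "/CN=Example NOC $ca_name" -days 365 -sha256 -out "$pki_dir/$ca_name.pem"
  done
  openssl ecparam -name prime256v1 -genkey -noout -out "$pki_dir/server.key"
  openssl req -new -key "$pki_dir/server.key" -config "$pki_dir/openssl.cnf" \
    -subj "/CN=radius.example.org" -out "$pki_dir/server.csr"
  printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:radius.example.org' >"$pki_dir/server.ext"
  openssl x509 -req -in "$pki_dir/server.csr" -CA "$pki_dir/ca.pem" -CAkey "$pki_dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$pki_dir/server.ext" \
    -out "$pki_dir/server.pem" 2>/dev/null
}

# ca_fingerprint CA.pem: the SHA-256 fingerprint the NOC would publish on the
# Network Information page (colon-separated hex, no "SHA256 Fingerprint=" prefix).
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# server_names SERVER.pem: subject and subjectAltNames to publish alongside.
server_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# check_server_cert CA.pem SERVER.pem HOSTNAME: the supplicant-side check.
# Succeeds only if SERVER.pem chains to the pinned CA *and* carries HOSTNAME;
# an encrypted session without this check may be with a MitM, as Stefan notes.
check_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# print_supplicant_config CA.pem DOMAIN: wpa_supplicant block that pins the
# published CA and server name. Leaving out ca_cert (the weak configuration)
# makes the client accept any server certificate, i.e. no identity check.
print_supplicant_config() {
  cat <<EOF
network={
    ssid="ietf.1x"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="secret"
    phase2="auth=MSCHAPV2"
    ca_cert="$1"
    domain_suffix_match="$2"
}
EOF
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir"
echo "Publish: CA SHA-256 fingerprint $(ca_fingerprint "$demo_dir/ca.pem")"
server_names "$demo_dir/server.pem"
for ca in ca rogue-ca; do
  if check_server_cert "$demo_dir/$ca.pem" "$demo_dir/server.pem" radius.example.org; then
    echo "$ca.pem: server certificate accepted, safe to send credentials"
  else
    echo "$ca.pem: server certificate REJECTED, do not send credentials"
  fi
done
print_supplicant_config "$demo_dir/ca.pem" example.org
rm -rf "$demo_dir"
```

`openssl verify -verify_hostname` does an exact SAN match, whereas wpa_supplicant's `domain_suffix_match` accepts any name under the given suffix (so `example.org` matches `radius.example.org`); both reject the rogue-CA chain, which is the case that matters. Needs OpenSSL 1.1.1 or later for `-ext`.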