Re: Admission Control to the IETF 78 and IETF 79 Networks
Chris Elliott <chelliot@pobox.com> Tue, 06 July 2010 19:12 UTC
In-Reply-To: <AANLkTim4y4Q0eJeLU6VDtkl0yAESUpzklwyaqTDUv7bO@mail.gmail.com>
Date: Tue, 06 Jul 2010 15:12:25 -0400
Message-ID: <AANLkTilyRmis4UI0EH7bZbF31UQcZDYwA0G4PGk_oX1K@mail.gmail.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
From: Chris Elliott <chelliot@pobox.com>
To: Mark Atwood <mra@pobox.com>
Cc: Phillip Hallam-Baker <hallam@gmail.com>, Iljitsch van Beijnum <iljitsch@muada.com>, tytso@mit.edu, IETF Discussion <ietf@ietf.org>
List-Id: IETF-Discussion <ietf.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
On Tue, Jul 6, 2010 at 2:37 PM, Mark Atwood <mra@pobox.com> wrote:

> > As far as using certificates --- sure, it's possible to set up EAP-TLS
> > using client certificates. It can be done on Mac, Windows, and Linux.
> > But the setup of that across multiple operating systems and getting
> > users to correctly set up their certificates, sending a CA signing
> > request securely to a central system, configuring their client WiFi
> > system to deal with EAP-TLS, etc., is a usability nightmare.
>
> That is sadly true. However, it would still be a good idea to do at
> the IETF gathering, *because* it is currently a usability nightmare.
> There is not enough both real world experience, and exposure of IETF
> participant attendees to actual "tip of the spear" usability of
> interesting use cases like this.
>
> If lots of smart and networking aware people all get the chance to do
> this kind of "interop and usability" "testing" all at once, then a lot
> of useful knowledge, tips, howtos, bug discovery, and application
> feedback will happen, which I believe can only be a good thing towards
> fixing the usability bottleneck that client certs are today.

This can be done in the context of what we are setting up to do authentication for the next two meetings, but will take a fair amount of work, and will add to the complexity of getting on the network for attendees.

We will be using 802.1X and portal software (users can choose which they wish to use--either or both) to communicate authentication information with users. Both will be using RADIUS on the back end. Supporting an additional EAP method (TLS) for 802.1X is trivial. Supporting TLS for the portal is likely to be fairly easy as well.

However, this would require the IETF have a certificate infrastructure. Which does not exist. And a mechanism for users to request certs securely. So, right there, we have the chicken-and-egg issue--what do users use to authenticate themselves before they have a cert?

I'd suggest that the same method we are planning on using to authenticate users (reg ID or anonymous ID obtained by IETF badge holders from the reg desk) can be used. This means that we've just required a whole series of additional steps to be done by attendees. So I don't see the NOC team taking this on.

I would support an experiment, if someone or some group is willing to run with it, that would do the above. I believe that the changes needed to support such an experiment (supporting TLS for authentication) could be done by the NOC team without too much additional effort. However, this person or group would have to take on setting up the CA infrastructure, integrating it with the FreeRADIUS server we will be using, and instructing attendees on how to participate in the experiment.

Note that this is not a typical environment for certs. We are trying to authenticate that users are a member of a group (IETF attendees) while (optionally) preserving anonymity for users. I would suggest that a certificate experiment try to replicate these same criteria, which may or may not make it a useful experiment for the usage of user certs in general.

So, if you, or anyone, is interested in running an experiment please put in your request. We support various experiments on the IETF networks most meetings, and this could be a useful, or at least educational, one.

Chris.

> ..m

--
Chris Elliott
chelliot@pobox.com
CCIE # 2013
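The experiment Chris sketches has three pieces: a CA that does not yet exist, an enrolment step gated on the existing reg ID / anonymous ID, and an EAP-TLS authenticator that needs to prove only "member of the attendee group", not "who this is". The script below is an added example, not code from the original message or from the IETF NOC; it uses only the openssl command line. The working directory, the `OU=IETF78-attendee` group marker, the 16-hex-character random pseudonym used as the CN, the validity periods and the function names are all assumptions chosen for illustration; a real deployment would point FreeRADIUS's EAP-TLS module at the resulting CA certificate and apply the same subject check there, which is not shown.

```shell
#!/bin/sh
# Added example (not from the original message): a minimal CA issuing
# pseudonymous attendee client certificates for EAP-TLS, plus the check an
# authenticator would run.  Directory, OU value, pseudonym format and
# validity periods are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Attendee CA: the piece "which does not exist" and which the group
#    running the experiment would have to operate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=IETF Meeting Network Experiment/CN=Attendee CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Attendee side: key + CSR whose CN is a random pseudonym, so the cert
#    asserts group membership rather than identity.  The attendee would
#    authenticate the enrolment request with reg ID / anonymous ID first
#    (the chicken-and-egg step); that transport is out of scope here.
#    Prints the pseudonym so the caller can correlate it later.
make_csr() {
  pseudonym=$(openssl rand -hex 8)
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/OU=IETF78-attendee/CN=$pseudonym" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  echo "$pseudonym"
}

# 3. CA side: sign the CSR for 7 days with the clientAuth EKU, which any
#    EAP-TLS server will require.  Prints the issued subject.
issue_cert() {
  cat > "$WORK/client.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
EOF
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 7 -sha256 \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
  openssl x509 -in "$WORK/client.crt" -noout -subject
}

# 4. Authenticator side: chain must verify to the attendee CA for client
#    use AND the subject must carry the group marker.  Prints the
#    pseudonym on success, returns 1 otherwise.
verify_member() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient \
    "$WORK/client.crt" >/dev/null 2>&1 || return 1
  subj=$(openssl x509 -in "$WORK/client.crt" -noout -subject -nameopt RFC2253)
  case "$subj" in
    *OU=IETF78-attendee*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$subj" | sed 's/.*CN=\([0-9a-f]*\).*/\1/'
}

# Negative check: a self-signed cert that copies the OU marker must still
# be rejected because it does not chain to the attendee CA.
verify_rogue() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 \
    -subj "/OU=IETF78-attendee/CN=deadbeefdeadbeef" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient \
    "$WORK/rogue.crt" >/dev/null 2>&1
}

make_ca
PSEUDONYM=$(make_csr)
issue_cert
echo "issued attendee cert for pseudonym $PSEUDONYM"
echo "authenticator accepts pseudonym: $(verify_member)"
if verify_rogue; then echo "BUG: rogue cert accepted"; else echo "rogue cert rejected"; fi
```

The point the example makes is the one in the message: the authenticator learns a pseudonym and a group, never a registrant name, and the only linkage between pseudonym and person lives in whatever enrolment record the CA operator chooses to keep. Revocation and per-meeting rotation (note the short validity) are the operational costs that would land on whoever runs the experiment, not on the NOC.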