The group will generate a Best Current Practices (BCP) document recommending means to reduce the impact of RCM on the documented use cases while ensuring that the privacy achieved with RCM is not compromised.
Champion(s)
- Bruno Tomas [email protected]
- Mark Grayson [email protected]
OpenRoaming works similarly to Eduroam, allowing users to automatically connect to Wi-Fi networks, but with a federated structure that allows multiple Access Network Providers (ANPs) and multiple Identity Providers (IDPs) to interoperate under the same federation. It leverages technologies developed in the IETF, IEEE 802 and the Wi-Fi Alliance (WFA), such as RADIUS/RADSEC/PKI (RFCs 2865, 3579, 4372, 5280, 6614…), IEEE 802.1X, 802.11, and WFA WPA2/WPA3.
OpenRoaming is being discussed as a solution to some of the use cases considered by the IETF MADINAS WG. The project will look for potential areas of improvement to IETF protocols, as well as potential leakage of PII.
NOTE1: Hackathon participants wanting to be issued a test certificate for use in mutually authenticated OpenRoaming signalling exchanges should email [email protected] with the subject “IETF Hackathon Test Certificate Request”.
NOTE2: The OpenRoaming PKI Certificate Policy and WBA issuing I-CA require specific subject distinguished name values. An example certificate signing request configuration that meets the OpenRoaming Certificate Policy is available here.
How to enable OpenRoaming on the MikroTik series of devices (by Warren Kumari, based on his setup for IETF 117): https://wkumari.dev/2023/10/16/mikrotik-openroaming
The RADEXT working group is currently working on Deprecating Insecure Practices in RADIUS, including analysing ways to increase RADIUS privacy by minimizing the amount of PII sent in RADIUS packets, including the use of the Chargeable-User-Identity.
At IETF 117, an initial set of observations were made using credentials from a limited number of OpenRoaming IDPs and presented to the MADINAS WG.
Analyse the possible leakage of privacy information by a variety of OpenRoaming Identity Providers (IDPs) for a variety of different OpenRoaming Access Network Provider (ANP) use-cases:
1. Tracking between devices - OpenRoaming user with subscription on multiple devices
2. Tracking between access networks - OpenRoaming user with subscription on single device that moves between multiple different OpenRoaming access networks
3. Temporal tracking by a single access network - OpenRoaming user authenticating on day 1 and day 2
Each of #1, #2 and #3 is to be evaluated:
- for a range of different IDPs
- when the user has consented to share personally identifiable information with the ANP
- for different device types
- for different access network vendors
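The three tracking scenarios above, and the Chargeable-User-Identity question raised in the RADEXT paragraph, come down to one measurement: which attribute values an ANP logs from the RADIUS exchange stay equal across two sessions of the same subscriber while still singling that subscriber out. The following added example (not part of the hackathon project's own tooling, and not captured OpenRoaming traffic) builds a constructed set of authentications under three hypothetical IdP policies for the CUI, plus a modelled "consent" case in which the IdP reveals the identity in User-Name, and reports which attributes link sessions across devices, across ANPs, and across days. The policy names, the `idp.example` realm, the per-network randomised MAC behaviour and all values are assumptions made for the illustration.

```python
"""Which RADIUS attributes let an access network link two sessions of the same
OpenRoaming subscriber? Constructed model, not captured OpenRoaming traffic."""
import hashlib
from itertools import combinations

# Attributes an ANP (or a proxy on the RADIUS path) can log per authentication.
# User-Name is the outer EAP identity from the Access-Request; CUI is the
# Chargeable-User-Identity of RFC 4372, returned by the IdP in the Access-Accept.
ATTRS = ("User-Name", "Chargeable-User-Identity", "Calling-Station-Id")
DIMENSIONS = ("device", "anp", "day")


def _opaque(*parts):
    """Deterministic stand-in for whatever opaque value an IdP or OS would emit."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()[:12]


def observe(idp_policy, subscriber, device, anp, day, consent=False):
    """One authentication as seen by the ANP, under a hypothetical IdP policy:
    'stable'      - CUI is a fixed per-subscriber value
    'per-anp'     - CUI is derived per subscriber and per ANP
    'per-session' - CUI is fresh for every authentication
    consent=True models an IdP that reveals the subscriber's identity in
    User-Name because the user agreed to share it with the ANP (assumption)."""
    realm = "idp.example"  # constructed realm
    if idp_policy == "stable":
        cui = _opaque("cui", subscriber)
    elif idp_policy == "per-anp":
        cui = _opaque("cui", subscriber, anp)
    elif idp_policy == "per-session":
        cui = _opaque("cui", subscriber, device, anp, day)
    else:
        raise ValueError(f"unknown IdP policy {idp_policy!r}")
    return {
        "subscriber": subscriber, "device": device, "anp": anp, "day": day,
        "User-Name": f"{subscriber if consent else 'anonymous'}@{realm}",
        "Chargeable-User-Identity": cui,
        # Assumption: the client uses a per-network randomised MAC (RCM), so the
        # address is stable for one device on one network and differs elsewhere.
        "Calling-Station-Id": _opaque("mac", subscriber, device, anp),
    }


def build(idp_policy, consent=False):
    """Constructed sample: two subscribers, two devices, two ANPs, two days."""
    return [observe(idp_policy, sub, dev, anp, day, consent)
            for sub in ("alice", "bob")
            for dev in ("phone", "laptop")
            for anp in ("anp-A", "anp-B")
            for day in (1, 2)]


def linking_attributes(observations, vary):
    """Count, per attribute, the pairs of one subscriber's sessions that differ
    only in `vary` (device, anp or day) and that the attribute links.
    A value links a pair only if it is equal in both sessions AND is not also
    seen for another subscriber: 'anonymous@realm' is equal everywhere but
    singles nobody out, so it must not count as a tracking identifier."""
    fixed = [d for d in DIMENSIONS if d != vary]
    holders = {a: {} for a in ATTRS}   # attr -> value -> subscribers seen with it
    for o in observations:
        for a in ATTRS:
            holders[a].setdefault(o[a], set()).add(o["subscriber"])
    pairs, links = 0, {a: 0 for a in ATTRS}
    for x, y in combinations(observations, 2):
        if x["subscriber"] != y["subscriber"] or x[vary] == y[vary]:
            continue
        if any(x[f] != y[f] for f in fixed):
            continue
        pairs += 1
        for a in ATTRS:
            if x[a] == y[a] and len(holders[a][x[a]]) == 1:
                links[a] += 1
    return pairs, links


def summarise(observations):
    """Map each tracking scenario to the attributes that link at least one pair."""
    return {vary: sorted(a for a, n in linking_attributes(observations, vary)[1].items() if n)
            for vary in DIMENSIONS}


if __name__ == "__main__":
    for policy in ("stable", "per-anp", "per-session"):
        print(policy, summarise(build(policy)))
    print("stable + consent", summarise(build("stable", consent=True)))
```

Under this model a stable CUI links every scenario, a per-ANP CUI removes the cross-network link but not the cross-device or temporal ones, and a per-session CUI leaves only the randomised MAC as a temporal identifier on a single network; the same summary run over real IdP outputs is what the scenarios above would populate. The "shared by another subscriber" check is what keeps the anonymous outer identity from being miscounted as a tracker.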