Stefan's explanation:

multi-domain roaming and authorisation BoF topics
-------------------------------------------------

layer 2 issues
--------------

* EAPoL: client side MTU issue (as reported)
* EAPoL: enhancements to reporting errors to the client (as reported)
* F'up on netsel[RFC5113] 2.1: untying SSID and administrative domain
  [rationale: currently only the SSID can be used to signal to a user
  that he is allegedly connected to his roaming consortium. That can be
  a) faked easily (which eduroam mitigates with requiring EAP methods
  with mutual authentication) and b) causes trouble when that SSID can
  not be used at some spot]
* switching between technologies: Wifi <-> UMTS <-> WiMAX

layer 3+ issues
---------------

* RadSec (might be taken up in radiusext if rechartered...)
* transporting application-layer security assertions/authorisation attribs
  - NAS-SAML (SAML assertions to the NAS)
  - uSSO (SAML assertions within EAP payloads for client)
* layer 2 handover to different layer 3 network (supporting CAPWAP)
* related to netsel again: "home zone" - how to tell if a user is in his
  home network or roaming?

discussion about scope of existing WGs
--------------------------------------

* NEA: posture assertions in roaming case
  [the decision to transport posture info within the EAP tunnel raises
  questions for the roaming case: posture assertions end up in home
  network, while roaming network would need it]
* dime/radiusext: forwarding requests securely among independent domains
  [end-to-end security discussions have already gotten a fair share in
  radiusext. Depending on what is meant with "end", different
  conclusions exist. The one use case we would have is: home AAA server
  to first remote AAA server (the one directly behind the NAS). The
  necessity to provide a private comm channel between these two didn't
  see a lot of support in radiusext, but I wonder if we are really the
  only ones seeing a need for that]

topics to be watched/reviewed for roaming fitness
-------------------------------------------------

TLS 1.2 draft (Trusted CA indication)