What could the open wireless movement learn from eduroam?

Prologue:

Welcome to my first formal blog posting.  I’ve resisted for years but recently have been getting more and more involved online and have found that blogging is the instrument of choice to respond to and propagate your personal perspective online.  Participating in the blogosphere reminds me of Cory Doctorow’s take on Social Capital so if I’m going to get in on it, I might as well jump in with both feet.  Let the fun and games begin and I hope I provoke some interesting discussion because isn’t that what blogging is all about?  Thanks for stopping by and I hope you come back for more. Now on with the show…

What Could the Open Wireless Movement Learn from Eduroam?

As I was reading the Electronic Frontier Foundation (EFF) article bemoaning the loss of open access points across the land, I was struck by how closely it tracked the final chase scene in Ferris Bueller’s Day Off. It’s the one where Ferris is running home but cuts through people’s back yards as the quick way to get there. If you are looking for your dose of 80s flashback, here’s the clip.

That’s what I think using someone’s access point uninvited is like: a little exciting, but it really crosses into someone’s private space (that’s why people build fences, right?). The shortcut accomplishes your goal at the sacrifice of someone else’s privacy and rights. As a scene in the movie it’s great, Ferris gets home, but is it really like that in reality? Are open wireless points fair game for those who walk by? As enticing as it is, the risk of transiting someone’s wi-fi ranks up there with “don’t talk to strangers” and “don’t hitchhike”: you never know what trouble you are going to get into.

What caught my eye, though, was the exclamation of “We need WiFi that is open and encrypted at the same time!” and I immediately thought of the eduroam service that is part of the Canadian Access Federation. How does this let you get online? If your institution participates in eduroam there are two main elements: you allow access to other eduroam participants, and in return your users have access to the other participants’ networks. To do this, you need to have an 802.1X-ready wi-fi network and RADIUS available to support the eduroam SSID. To use the service you connect with your network_id@your_institution_here.com and you are signed in through chained RADIUS proxy servers that forward the request to your home institution. The simplicity of this is that ANYWHERE you see eduroam, the experience is the same. In fact, in most cases you will be signed in automatically any time you open your laptop, or even walk by with your smartphone; it will connect and you are online. This has happened to me numerous times. My favorite was arriving at the Internet2 spring members meeting hotel at 11pm, not even checked in yet, and my phone was already online with eduroam. No fuss no muss, it just works.
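The realm-based routing just described, as an added toy model that is not eduroam’s or CANARIE’s code: a visited institution forwards anything that is not its own realm up to its national root, roots route on the realm suffix, and only the home institution ever checks the credential. Every hostname, realm, user and password is constructed, and the hop limit shows what a misconfigured root that forwards its own TLD upstream would otherwise do.

```python
"""Toy model of eduroam-style realm routing across chained RADIUS proxies.
Added example, not eduroam's or CANARIE's code; every hostname, realm, user
and password is constructed. Real eduroam carries the credential inside an
EAP tunnel only the home server can open; here proxies never read `secret`."""
from dataclasses import dataclass, field

MAX_HOPS = 6  # stops a misconfigured proxy loop from bouncing forever


@dataclass
class RadiusServer:
    name: str
    routes: dict = field(default_factory=dict)  # realm or "*.tld" -> next hop
    upstream: "RadiusServer | None" = None      # default route to the next root
    users: dict = field(default_factory=dict)   # local store; home servers only

    def next_hop(self, realm):
        """Most specific route wins: exact realm, then TLD wildcard, then upstream."""
        if realm in self.routes:
            return self.routes[realm]
        return self.routes.get("*." + realm.rsplit(".", 1)[-1], self.upstream)

    def authenticate(self, outer_id, secret, hops=0, path=None):
        """Return (accepted, list of servers the request passed through)."""
        path = [] if path is None else path
        path.append(self.name)
        if hops >= MAX_HOPS or "@" not in outer_id:
            return False, path                  # loop, or no realm to route on
        realm = outer_id.rsplit("@", 1)[1].lower()
        hop = self.next_hop(realm)
        if hop is self:                         # we are the home institution
            return self.users.get(outer_id.lower()) == secret, path
        if hop is None:
            return False, path                  # realm unknown to the federation
        return hop.authenticate(outer_id, secret, hops + 1, path)


def build_federation():
    """Two national roots under one top-level root; returns (visited, top)."""
    top = RadiusServer("top-level-root")
    ca_root = RadiusServer("ca-root", upstream=top)
    us_root = RadiusServer("us-root", upstream=top)
    top.routes = {"*.ca": ca_root, "*.edu": us_root}
    home = RadiusServer("idp.uvic-example.ca", upstream=ca_root,
                        users={"jdoe@uvic-example.ca": "s3cret"})
    home.routes = {"uvic-example.ca": home}     # own realm: verify locally
    visited = RadiusServer("radius.visited-example.edu", upstream=us_root)
    visited.routes = {"visited-example.edu": visited}
    ca_root.routes = {"uvic-example.ca": home}
    us_root.routes = {"visited-example.edu": visited}
    return visited, top
```

`build_federation()` followed by `visited.authenticate("jdoe@uvic-example.ca", "s3cret")` returns `True` with the path visited, us-root, top-level-root, ca-root, home; removing the `*.ca` route from the top-level root (the orphaned branch case) makes the same request fail at the top-level root.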

So how prevalent is this in Canada? Well, at the time of writing the AUCC folks say there are 95 universities registered, and 27 of them, or 28%, are participating in the Canadian Access Federation, which operates the Canadian eduroam presence. European coverage is even higher.

In the US there are approximately the same number of sites live (27 according to the map at the time of writing) and another 20 or so either interested or actively testing, out of thousands of universities. It is hard to explain why the uptake is not as big as in Canada or elsewhere. It may have something to do with being 802.1X ready, or maybe it is just not rated a high enough priority. It’s hard to say.

Membership has its privileges.

With eduroam, reciprocity is a big part of the service and has a lot of benefits. The active IDs in your system have the ability to roam to other institutions, and when someone comes to yours, you don’t have to provision them to get on the network. Opening the laptop really equates to getting online, and there’s nothing more satisfying to a traveller than being able to get online without having to follow some seven-and-a-half-step sign-in process. I was recently at the TERENA conference, which had great eduroam coverage, and never used my temporary ID. The TERENA conference had 500+ people, 800+ devices connected via eduroam (one person has both a laptop and a smartphone/iPad) and >10,000 authentications over 5 days.

TERENA badge with temporary user ID

At a recent TERENA conference, hundreds of attendees used eduroam with their home credentials and could ignore the temporary user ID/password.

What about security, you ask? Eduroam uses 802.1X and WPA2, and your credential is verified at your home institution, not by the network you are visiting. As for acceptable use policies (AUPs), as the visitor you are expected to abide by both your home institution’s and the visited institution’s. It is all authenticated using your identity, so transiting the network is permitted, but not anonymously.

So can just anyone sign up to be on eduroam? In short, no. It is geared to higher education institutions and there is a reciprocity balance to be struck. It is plausible that if one location were not to participate according to the community’s expectations, that branch (aka the country root server) could be orphaned from the eduroam trust framework.

Coming full circle, what does this mean for the EFF plea for technology? Is eduroam for them? Possibly, but unlikely. Whoever implemented it wouldn’t even come close to meeting the eligibility criteria, and then there’s the hard question of whose password store to authenticate against. I can see the eduroam technique being duplicated much like the dynamic DNS services that are now found in actual router firmware. So, in theory, you could enable this ‘feature at your convenience as a personal decision to contribute bandwidth to the common good’. There are still a bunch of challenges to overcome to meet the EFF free wifi vision: administration, findability, getting the word out, and whether it violates the AUP with your internet provider all come to mind. At the end of the day, though, it needs to be ubiquitous, something that works without too much fuss, and straightforward for both the end user and the access point maintainer, kind of like eduroam 😉


About Chris Phillips
Technical Architect for CANARIE specializing in the Canadian Access Federation. I get to deal with the hard stuff that matters to Canada at large and it's an exciting space to be in. Identity management, SAML2, eduroam, LDAP, directories, schema design and other emerging technologies are my specialties. Who needs sudokus when you have all these to play and work with during the day?

10 Responses to What could the open wireless movement learn from eduroam?

  1. Good post, really summarizes eduroam benefits well.

    To amplify one of your points: the key obstacle to a publicly available Wi-Fi network is the lack of a community of identity providers that will participate responsibly in such a network. It isn’t enough just to provision an ID and allow authentication — the best practices, logging, incident investigation and other policies/practices provided by the partners in the eduroam service are necessary.

    Is there perhaps a role for banks and telcos given that they provide identity services to millions of us already?

    Mike

    • Chris Phillips says:

      Banks and telcos from my perspective won’t get into this space. Just not enough money for them for the effort involved. The free wireless movement is about how to increase (and use) the common good and those guys are just not in business for that (i.e. competing or cannibalizing their 3G/4G business will eventually happen in downtown areas).

      I think that best practices turn into ‘practices of necessity’ which if one could be in the wifi providing ecosystem (e.g. downtown or condo or apartments) then people will share to defer or reduce costs.
      I wonder if apartment buildings have a 1:1 ratio of internet to apartment occupants with telephone lines. I bet it wouldn’t…there has got to be sharing going on much to the chagrin of the carriers.

  2. robbat2 says:

    What happened to eduroam at Emily Carr? The BCNet newsletter hyped it, but it doesn’t seem to exist at all.

    I’ve used my eduroam account over 2 continents now, in half a dozen cities.

    Similarly, how about OpenID for commenting in your blog… Making every eduroam account also an OpenID account could hugely benefit both projects.

    • Chris Phillips says:

      I’m not sure about the Emily Carr campus with regards to eduroam. That would be a question to ask their IT group I think.

      Having an OpenID provider is an intriguing idea for eduroam accounts, but I think there are more problems than benefits.
      Being an OpenID provider is independent of being part of eduroam. Each institution would be required to stand up a provider and insure that their ids could exist in that ecosystem. This is huge.
      OpenID also doesn’t have the same ‘network effect’ that eduroam has which simplifies the support aspects involved in authentication infrastructure from my perspective.

      • robbat2 says:

        I only ran into the Emily Carr trouble when I visited there recently. Prior Googling had said there was eduroam in-progress, but I got there to find no sign of it😦. The only answer I could get from my contacts was that politics blocked eduroam.

        Re OpenID/eduroam:
        eduroam is a very successful large inter-network deployment of RADIUS. There is ongoing development w/ some of the RADIUS services to validate against OpenID: http://coova.org/node/71
        That was the early captive portal implementation, there was a later development to take the OpenID URL as the EAP/802.1x username (both involve initially sandboxing the user to validate their OpenID).

        Here’s some of the earlier discussion re eduroam on one of the OpenID mailing lists:
        http://lists.openid.net/pipermail/openid-general/2010-January/019901.html

        The idea of meshing the eduroam concept w/ OpenID is mainly what came to mind when I wondered about to solve the authentication problem for the EFF’s proposed network. RADIUS between nodes yes, but fed by OpenID, rather than the plethora of data sources used to feed the eduroam-connected RADIUS services.

    • CANARIE says:

      Hi Robbat2. Emily Carr is just in the process of getting connected. Their IT staff are working on it, but it is not available yet.

      For a list of available institutions, look here: https://wiki.bc.net/atl-conf/display/Services/Who%27s+Connected

  3. simonfj says:

    Hey chris, that was good,

    Especially liked the Ferris Bueller analogy. It’s certainly getting hard to remember the back yards one has to traverse. The thing I’m trying to understand is how long it must take until we come down to the basic logic that one needs an “institution” to come from. Without it, the duplications in each of them are endless.

    As I read the refed site, the one thing which becomes noticeable are the words “REFEDS predominately works with educational institutions but many of our federations serve a much wider population including health and citizen identities”. http://refeds.org/resources_idp.html

    So it seems perfectly obvious, if we are aiming at ubiquity, that all they are talking about is what services a citizen’s account will provide access to. If eduroam is the key, the first service for each citizen’s account, then signing on to this blog is another and so on.

    I keep looking at the Aussie version of what is happening in each NATIONAL REN and keep wondering where they might discuss the basic common services their institutions will share. http://www.aaf.edu.au/technical/common-services/

    Thankfully, it seems you Canucks actually use one service rather than pointing at possible ones, so thanks for the blog. So tell me. Now that you have a few people communicating from various institutions, does this make you a Virtual Home Organization? http://www.aaf.edu.au/guidelines/virtual-home-organisation-vho/ If so, does this mean that “By adding me/the individual to the VHO that (the) organisation takes on the identity provider’s responsibilities with respect to that individual”? I promise to be good,

    I should also thank Kathryn for pointing me at your VHO synchronized media (i.e. this blog) http://www.synchromedia.ca/ . Without her help I’d have never found it. But that “findability” discussion can wait until later.

  4. Chris Phillips says:

    simonfj
    Sorry for the dramatically late reply…

    Virtual Home Organizations are interesting (and very useful) things. Establishing what degree of trust assertions that originate from the VHO are given is important from a consumption perspective and will drive what will use it and who will belong to it.
    The more trustworthy an assertion, the more useful and powerful it can become.
    e.g. Signing in to play Angry Birds < Signing in to read email < Signing in to see my class enrollment info < Signing in to do my banking < Signing in to do medical research analysis

    So, to that end if I were to construct a VHO and arbitrarily add you to it, I would want some way to ensure the integrity of the statement I would pass on to others on your behalf. (e.g. This is Simon and I assert that this is true and that this is his email address for example).
    If the VHO is only used to do what would be considered 'low level trust requirements' like sign into a wireless network for internet access, adding you to the VHO would be reasonable with little trust checks.
    However, if the VHO as a whole is trusted to assert 'everyone in it' at the same level, I would want to apply an even level of identity proofing to add you to it. That's the rub, could I vet you like the other identities?

    The reality though is that the sets of identities in any given system are not all the same trust level/identity proven level. They are a blend, so as implementors we need to at least describe the level of trust or Level Of Assurance we want to assign to each transaction for a given context. e.g. Do you need biometric 2 Factor Authentication to play Angry Birds? Not likely, but you want that for Signing in to do medical research, and you may want to do that a few moments after doing your single factor sign in.
    What is implicit in the above example is that a single identity CAN have different assertions about the LOA strength depending on the context…which is a good thing. We only want to invoke or escalate to a higher level of veracity where needed. Facilitating this helps prevent proliferation of multiple identity stores.

    So to pull it back to one of your questions, having multiple people in a single VHO can work, but only if the consuming service agrees on the trust level assertions and the qualities. I would argue that many institutions today are VHOs…anyone who creates a guest account or an account that is 'a role' would approach being what a VHO is.

    Now, how to harmonize this with the view that a government could assert identity is an interesting and gnarly question…are they to be treated as a VHO too since it would assert an identity that would, in most cases exist in other Identity Providers? Should we permit/encourage the merging of assertions from multiple origins to create a persona with higher level of assurance? I think that would be a very valuable outcome…
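One way to model the reply above (a single identity asserted at different Levels of Assurance depending on the service, step-up invoked only where needed, and the issuer’s vetting capping what can be asserted), as an added example that is not part of the original post or comments. The service names follow the ordering in the comment; the LOA numbers, factor rules and `proofing` attribute are constructed for illustration.

```python
"""Context-dependent Level of Assurance (LOA) for a single identity.
Added example, not CAF's or any federation's code; service names follow the
ordering in the comment above and every LOA number is constructed."""
from dataclasses import dataclass, field

# LOA each service demands (constructed, following the comment's ordering).
SERVICE_LOA = {"angry_birds": 1, "email": 2, "class_enrollment": 3,
               "banking": 4, "medical_research": 4}


def auth_strength(factors):
    """Strength of the authentication performed so far in this session."""
    if not factors:
        return 0
    if len(factors) == 1:
        return 2                      # single factor, e.g. password only
    if "hardware_key" in factors:
        return 4                      # multi-factor with a phishing-resistant key
    return 3                          # multi-factor, e.g. password + OTP


@dataclass
class Identity:
    name: str
    proofing: int                     # how well the issuer (e.g. a VHO) vetted this person
    factors: set = field(default_factory=set)

    def asserted_loa(self):
        # An assertion is only as strong as its weakest part: vetting or login.
        return min(self.proofing, auth_strength(self.factors))


def decide(identity, service):
    """'allow', 'step_up' (same identity, stronger login) or 'deny'."""
    required = SERVICE_LOA[service]
    if identity.asserted_loa() >= required:
        return "allow"
    if identity.proofing < required:
        return "deny"                 # extra factors cannot repair weak vetting
    return "step_up"
```

A lightly vetted VHO member can reach the wireless-network tier of services but is denied, not stepped up, for anything above their proofing level; a well-vetted user with only a password is stepped up rather than denied for banking.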

  5. Thanks so much for this Chris,

    Please be gentle with me as I’m a technical baby attempting to walk. I wish we could be having this conversation above the radar, on a forum with a few of your global peers. It would help to bring a balance between National federations and the interFederation Services which they are, individually, trying to prioritize. This wiki is obviously the first one🙂 https://refeds.terena.org/index.php/Federations

    I’m bringing this up now as there seems to be a move to get a little coordination happening between global NRENs. That’s InterFederationFederations in refed speak and Confederation for English speakers. Those at the top of the NREN trees are changing habits. http://www.terena.org/news/fullstory.php?news_id=2924

    The main question, from my childish perspective is, what (increasing) range of “common services” will “my gov/edu” account offer access to? “User centric” is the buzzphrase.

    As you say, “The free wireless movement is about how to increase (and use) the common good”, so we know we are talking about how National gov departments must collaborate in the same way as Canadian unis do (and colleges, schools and gov depts are doing in other countries).

    It seems peculiar that e.g., in Oz, I can get one hour of guest access at any of the public and uni library networks, but not four hours at one of them. Eduroam is just the first service that obviously needs to be part of a citizen’s (lifelong learning) account. That’s the discussion which is going to be happening at the European Commission soon, and the US shortly after that.

    I understand that as an NREN federation operator, the idea that “a government could assert identity is an interesting and gnarly question.” But any gov is a VHO of various institutions/depts/agencies; Health being the primary ‘lifelong’ one. The CAF institutions and their peers are much shorter termed. “Forgetting” to delete accounts is probably as common as any NREN.

    The problem we DO have is that the inhabitants of public institutions (globally) are like most publicly funded CAF clients. Individually, institutions think they are “delivering an important service”, whereas, increasingly, citizens just want access to some “self-service” = get bureaucrats out of the way, as they have been forced to do by their banking institutions.

    It also appears, when looking around the NREN federations, that surfnet is the only NREN who has done a deal with the most influential Open ID provider – Google – to get access to some of the most used global apps/services. So does this mean the eduroam/openID service combination is a mere doddle for any other National federation to replicate?

    P.S. Any idea of how I could put this simply enough for a Minister to understand? “Should we permit/encourage the merging of assertions from multiple origins to create a persona with higher level of assurance?” Now there’s a challenge🙂 Thanks again.
