Dispatches from REFEDS and VAMP2012

Good morning from Utrecht, NL, where I am attending as CANARIE’s CAF representative for REFEDS & VAMP2012.

I’ve found that this September is an inflection point for change; back to school kicks in, summer holidays recharge the batteries and give a chance to step back and take stock. To this end, I’m going to experiment with a briefer communication model for this blog. There may be the occasional essay-like post because complicated topics need their due depth, but I would rather have more frequent postings to avoid the TL;DR (Too Long; Didn’t Read) and see which ones to go deep on as people express an interest in them.


Research and Education FEDerations (REFEDS) is one of the few locations dedicated to the interests of CAF and our peers. It is also a forum for advancing Federated Identity topics and collaborating on workplans to the benefit of multiple federations. One topic that has been incubating in the REFEDS environment is a set of recommendations for Service Providers on Federated ID sign-on and discovery, based in part on a NISO Espresso Report. It is an interesting and comprehensive document at 35 pages. More to come on this front soon.

As the REFEDS meeting progresses more will be posted to this blog entry.

In the meantime, I would like to point you to the 2-day VAMP2012 agenda and encourage you to post comments or questions that you would like to hear me bring forward.

What could the open wireless movement learn from eduroam?


Welcome to my first formal blog posting. I’ve resisted for years but recently have been getting more and more involved online and have found that blogging is the instrument of choice to respond to and propagate your personal perspective online. Participating in the blogosphere reminds me of Cory Doctorow’s take on Social Capital, so if I’m going to get in on it, I might as well jump in with both feet. Let the fun and games begin, and I hope I provoke some interesting discussion, because isn’t that what blogging is all about? Thanks for stopping by and I hope you come back for more. Now on with the show…

What Could the Open Wireless Movement Learn from Eduroam?

As I was reading the Electronic Frontier Foundation (EFF) article bemoaning the loss of open access points across the land, I was struck by how closely it tracked the final chase scene in Ferris Bueller’s Day Off. It’s the one where Ferris is running home but going through people’s back yards as the quick way to get home. If you are looking for your dose of 80s flashback, here’s the clip.

That’s what I think using someone’s access point uninvited is like… a little exciting, but it really crosses into someone’s private space (that’s why people build fences, right?), and the shortcut accomplishes your goal at the sacrifice of someone’s privacy and rights. As a scene in the movie, it’s great, Ferris gets home, but is it really like that in reality? Are open wireless points free game for those who walk by? As enticing as it is, the risk of transiting someone’s wi-fi ranks up there with don’t talk to strangers and don’t hitchhike: you never know what trouble you are going to get into.

What caught my eye, though, was the exclamation “We need WiFi that is open and encrypted at the same time!”, and I immediately thought of the eduroam service that is part of the Canadian Access Federation. How does this let you get online? If your institution participates in eduroam, there are two main elements: you allow access to other eduroam participants, and in return you have access to the other participants’ networks. To do this, you need an 802.1x-ready wi-fi network and RADIUS available to support the eduroam SSID. To use the service you connect with your network_id@your_institution_here.com and you are signed in through the use of chained RADIUS proxy servers. The simplicity of this is that ANYWHERE you see eduroam, the experience is the same. In fact, in most cases you will be signed in automatically: anytime you open your laptop or even walk by with your smartphone, it will connect and you are online. This has happened to me numerous times. My favorite was when arriving at the Internet2 spring members meeting hotel: I had not even checked in, at 11pm at night, and my phone was already online with eduroam. No fuss, no muss, it just works.
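The chained-proxy sign-in described above can be modelled as routing on the realm part of the identity. This is an added example, not code from eduroam or CAF; the server names, realms and the three-tier layout (institution, country root, top-level) are constructed for illustration.

```python
# Toy model of eduroam-style realm routing through chained RADIUS proxies.
# Added example: every server name and realm is constructed for illustration.
import re

# Per-server table: realm suffix -> next hop. "LOCAL" means this server owns
# the password store for the realm; "" is the default (upstream) route.
ROUTES = {
    "visited.example.ca": {"visited.example.ca": "LOCAL", "": "root.ca"},
    "home.example.ca": {"home.example.ca": "LOCAL", "": "root.ca"},
    "uni.example.nl": {"uni.example.nl": "LOCAL", "": "root.nl"},
    "root.ca": {"visited.example.ca": "visited.example.ca",
                "home.example.ca": "home.example.ca", "": "top-level"},
    "root.nl": {"uni.example.nl": "uni.example.nl", "": "top-level"},
    "top-level": {"ca": "root.ca", "nl": "root.nl"},  # no default route
}
REALM_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def realm_of(identity):
    """Return the lower-cased realm of user@realm, or None if malformed."""
    user, sep, realm = identity.rpartition("@")
    realm = realm.lower()
    if not sep or not user or not REALM_RE.match(realm):
        return None
    return realm

def next_hop(server, realm):
    """Longest matching realm suffix wins; None if nothing matches."""
    best = None
    for suffix, hop in ROUTES[server].items():
        if suffix == "" or realm == suffix or realm.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, hop)
    return best[1] if best else None

def route(identity, entry, max_hops=8):
    """Servers an Access-Request traverses, ending at the home server.
    Returns None when the request is rejected instead of forwarded."""
    realm = realm_of(identity)
    if realm is None:
        return None  # malformed identity: drop at the edge
    path = [entry]
    while len(path) <= max_hops:
        hop = next_hop(path[-1], realm)
        if hop == "LOCAL":
            return path  # only this server checks the credential
        if hop is None or hop in path:
            return None  # unroutable realm or proxy loop
        path.append(hop)
    return None
```

Only the last server in the returned path checks the password; a malformed or unroutable identity is rejected at the proxy that detects it instead of being passed on.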

So how prevalent is this in Canada? Well, at the time of writing the AUCC folks say there are 95 universities registered, and 27 of them, or 28%, are participating in the Canadian Access Federation, which operates the Canadian eduroam presence. European coverage is even higher.

In the US there are approximately the same number of sites live (27 according to the map at the time of writing) and another 20 or so more either interested or actively testing, out of thousands of universities. It is hard to explain why the uptake is not as big as in Canada or elsewhere. It can have something to do with being 802.1x ready, or maybe it is just not rated a high enough priority. It’s hard to say.

Membership has its privileges.

With eduroam, reciprocity is a big part of the service and has a lot of benefits. The active IDs in your system have the ability to roam to other institutions, but when someone comes to yours, you don’t have to provision them to get on the network. Opening the laptop really equates to getting online, and there’s nothing more satisfying to a traveller than being able to get online without having to follow some 7 and a half step process to sign in. I was recently at the TERENA conference, which had great eduroam coverage, and never used my temporary id. The TERENA conference had 500+ people, 800+ devices connected via eduroam (one person has both a laptop and smartphone/ipad) and had >10,000 authentications over 5 days.

TERENA Badge with temporary userid

At a recent TERENA conference, hundreds of attendees used eduroam and their home credentials and could ignore the temporary userid/password. 

What about security, you ask? Eduroam uses the 802.1x and WPA2 protocols, and your credential is verified at the home institution. As for the acceptable use policies (AUPs), as the visitor you are expected to abide by your home institution’s and that of the institution you are visiting. It is all authenticated using your identity, so transiting the network is permitted, but not anonymously.

So can just anyone sign up to be on eduroam? In short, no. It is geared to higher education institutions and there is a reciprocity balance to be struck. It is plausible that if one location were to not participate according to the community’s expectations, that branch (aka country root server) could be orphaned from the eduroam trust framework.

Coming full circle, what does this mean for the EFF plea for technology? Is eduroam for them? Possibly, but unlikely. Whoever implements it wouldn’t even come close to meeting eligibility, and then there’s the hard question of whose password store to authenticate against. I can see the eduroam technique being duplicated, much like the dynamic DNS folks who are now found in the actual router’s firmware. So, in theory, you could enable this ‘feature at your convenience as a personal decision to contribute bandwidth to the common good’. There are still a bunch of challenges to overcome to meet the EFF free wifi service: administration, findability, getting the word out, and whether it violates your AUP with your internet provider all come to mind. At the end of the day, though, it needs to be ubiquitous, something that works without too much fuss, and is straightforward for both the end user and the access point maintainer — kind of like eduroam 😉