Trust and Internet Identity Meeting Europe
17.-20. Feb 2020: Workshops and Unconference

Continue the “IOT on my network”

(Chris Phillips)

I don’t think any of us have answers, sentiments though. What are the topics that matter and IoT is one of these things? Is this a solved space? One of the biggest things is to share knowledge. A pinnacle problem? What would you want from eduroam to say about IoT? What we can offer is the guidance, provide a rubric or a checklist. If you will be a good eduroam site these are the qualities that the IoT will have on the campus. If I brought Alexa on eduroam but it is a well-behaved device on my network. If you are not patched with your OS should you be on eduroam?

Example of existing, leaving the devices on the network. Qualities of eduroam: the best practice is to be the only SSID. If you are the only SSID what does that mean for IoT? No captive portal, no enrollment of MACs. My device from Canada is expecting that I am a good person working on eduroam.

Mischa: How would they approve it? Use some authentication? Maybe that shouldn’t be sufficient.

If I want to put my phone into eduroam. Should eduroam be able to see whether my phone is up-to-date?

How do I prove a device on the network is up-to-date? By policy. Your behaviors got you to that account. Home institution says, here are your terms and conditions, and eduroam says that the institutions need to be somewhat consistent. If you have sensors on the wall, what about them?

Pieter: Most eduroam accounts are username/password.

We are trying to achieve: if it happened, we know who it is?

You need to be able to act to say that you need to identify it.

It requires a lot of balance. If we use eduroam is that as long as you have an account, and a credential holder, you have access to eduroam. If you gave us a Wi-Fi enabled badge for the conference. Isn’t there a policy that discusses this exactly? We have a gap of information, these SSID badge things, and all of them are connected. Connected to eduroam. To fill some gap, on the Arduino you can put certs on it. Provided that you can authenticate. One server that is connected to eduroam. The IT dept needs to authenticate IoT devices. That’s the question on the IoT side of things. How do I onboard things that roll up under my accountability? Here is the Nest thermostat. We got to report that, 9 windows open, we got to close them. Those devices have a policy on them. Should eduroam weigh in on this?

Pieter: we want the network to be open. The last thing that we want to be is a DoD closed network where you fill in 7 forms for each packet that you want to send.

Markus: If you think this IoT thought, if they come with eduroam by default?

We are pivoting from eduroam being the tableau of action, how do you facilitate that? How do those users get in there and are they 1 million or more?

Markus: If you create an eduroam account for light switches, and if there is a bug in the switch then they are all faulty.

Rainer: There are two assumptions that were solved in the past, that the user is responsible for initiating the devices and it’s bound to the user. The department and the people will change. Not related to a person or an OAuth and the same you see on the initiation of the devices when vendors create an initial secret and then that’s bound to a server of the vendor when the vendor goes out of business or changes policies. I think this kind of abstraction in IdM needs to be kept for IoT devices.

Policies in the IdM systems regarding the accounts. Administrator in AD. Role-based accounts are a useful area to think about.

Pieter: Is this in scope for eduroam, even institutions have light switches, their facility, their network. Can we limit the problem space to something else as a guest to somewhere else?

What is eduroam trying to support, if they want IoT and stuff or should the IoT be in the institutional domain?

Mischa: it can’t really have proper credentials. I can have a credential that is linked to me. They can’t have a personal credential that makes it very hard. How do you authenticate, if you bound to a device, all devices get the same private key? We can’t bind it to a person. I think a device is different to a laptop. I can still say link the clicker to my network. The eduroam management space I link the identity to the account. I am under the assumption that a network is a building facility like the light switch. There is nothing in eduroam that forbids the facility to use the eduroam SSID.

When something authenticates on the wireless, the backend can be very simplistic or sophisticated: if I see this credential it’s in that WLAN or in this WLAN. You can have different uses of the same SSID and if we think of the power for the lights and the projector, but they are different outputs of light. They are using the same power grid and the same eduroam. You can plug different things in it. Eduroam should not get into the way of eduroam and here are what these best practice guides. Is there a rule for eduroam centrally to provide guidance?

Two approaches, technological and policy approach.

There are policies and they are intentionally light on prescribing what should go on. If we remain silent on it when there is a gap.

Difference between user accountability and organization accountability?

There isn’t a difference. I can use the same network here and in Canada. I am trusted because of it as I am trusted in Canada.

Robin: One of my techy colleagues said if you wind the clock forward connected devices may have a Wi-Fi or a chip in but also maybe a 5G chip in.

I don’t need to communicate with all devices, only with Amazon and network; if you see anything else, make a pledge, this is my network profile footprint, if I deviate from that then something is wrong.

Hotspot 2.0 has our SSID stuff there, more of negotiation. Larger telecom carriers. TNC mobility day, a 5G presentation, there is a role but it’s a lot larger. Cars being able to connect, and the interesting part is the authentication story of the 5G is not fully written. There are protocols but the story is not written.