woah.... i'm on annual leave but a few things said here concern me,
firstly, private versus known certificates.... with the current model,
the service provider sees the outerID of the request and proxies the
request to the home site...which is where the client then starts the EAP
part.... so only the client cares about the cert...
what was stated here (only known CAs are allowed) means that the visited site
terminates the client session to expose details of the required cert...and
therefore would be doing a man in the middle on the client.
now, not only is this just highly insecure and dangerous but it completely
breaks the eduroam specification...and the eduroam model. it is not up to the visited
site AT ALL to police the certs in use....and sites which require EAP-TTLS/PAP
only have the certificate protection to keep the inner softness secured.
it also means big big problems for EAP-TLS - why should a site not be able to
use their own internal CA (be that a managed local PKI system or their AD system)?
using public CA for EAP-TLS is like slapping your username/password on the laptop lid.
now...onto eduroam existing after 2015 or so.....well, that depends on the speed of
progress and other technologies coming along..... the '802.11u' stuff has been talked
about for years....and the initial releases of the tech are all horribly broken and
eduroam existing in its current form (all end sites talking to national proxies) should
certainly be a thing of the past for many sites - eduroam themselves want to leverage
better technology to help the old RADIUS protocol - things like dynamic host discovery,
RADIUS over TCP with TLS (RADSEC). all the good RADIUS servers can already do RADSEC;
the commercial proprietary ones that few people use can't do it (so are dragging the
rest of the community down...holding them back from better systems and ways).
on a non-technical front.....eduroam as a closed community might stay around for longer
for other reasons - Universities cannot just give their internet connection to any random
person - the fact that the visitor comes from another academic site (be they staff, student
or related to the work at another site...a partner as such) means that a lot of issues
are sorted....NOT a public network, NOT needing to deal with public network issues/requirements.
sure, can drop them onto another network....and sure, can even have eduroam as a service
on other hotspots (ANYONE can provide the eduroam SSID so long as the authentication
methods are correct and the network they are given meets the basic specifications).
there are people who have seen the eduroam model.....but they see it with '$$$$$money money'
eyeballs on - so they want a similar system for roaming/mobility but one that means
that they can turn a profit....carry on with their captive portal income generation but
ditch the expensive bumps in wires and filter systems....and maybe make it 'easier' by
ditching the security that makes it a better system (secure, private PKIs etc)
in short: avoid any system which is going to police what certs you can use (that's a system
in which VeriSign etc all have vested and probably undeclared interests) and avoid
a system that will insist on the usage of a closed, proprietary software stack.
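As an added illustration of the routing model described above (not code from the post or from any eduroam deployment), this shows what a visited site's RADIUS proxy actually looks at: only the realm of the outer identity. The realm table and the national proxy name are constructed assumptions; the EAP payload, and therefore the home site's certificate and the inner identity, is never inspected.

```python
"""Realm-based routing of an eduroam outer identity at a visited site.

Constructed example: only the User-Name attribute (outer identity) of an
Access-Request is examined. The EAP/TLS exchange inside the request is
opaque to the visited site and is forwarded untouched to the home site.
"""
from typing import Optional

# Constructed routing table (assumptions, not real hosts): realms the
# visited site serves itself, and the federation proxy everything else is
# sent to. The national proxy then routes on to the home site by realm.
LOCAL_REALMS = {"visited.example"}
NATIONAL_PROXY = "radius.nro.example"  # assumed national proxy name


def outer_realm(user_name: str) -> Optional[str]:
    """Return the realm of an outer identity, or None if it has none."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def route(user_name: str) -> dict:
    """Decide where the Access-Request goes, based on the realm alone.

    Nothing here touches the EAP payload: the visited site has no need to
    see the inner identity, the home site's certificate or its CA.
    """
    realm = outer_realm(user_name)
    if realm is None:
        # eduroam requires a realm on the outer identity; nothing to route.
        return {"action": "reject", "reason": "no realm in outer identity"}
    if realm in LOCAL_REALMS:
        # Our own users: terminate EAP here, as the home site.
        return {"action": "local", "realm": realm}
    if "." not in realm:
        # Not a DNS-style realm, so the federation cannot route it.
        return {"action": "reject", "reason": "realm is not routable"}
    # Everyone else: forward unchanged towards the home site via the
    # national proxy. The EAP session is established end to end from here.
    return {"action": "proxy", "realm": realm, "next_hop": NATIONAL_PROXY}
```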