Last month the great and the good from eduroam operations got together to perform an important ritual as part of the trust fabric we provide to the community – the eduroam Managed IdP Certificate Authority Signing Ceremony.
What is eduroam Managed IdP?
eduroam Managed IdP is a new service offered by the eduroam Operational Team. eduroam Managed IdP enables eligible institutions to outsource the technical setup of an eduroam IdP. Institutional administrators use the service in place of a local authentication infrastructure and identity management system.
This means that institutions which are not currently able to fully support eduroam IdP infrastructure in their own organisations can still offer the service to their users, extending the reach of the service to more and more researchers and students.
The service will support up to 10,000 active users per National Roaming Operator, free of charge. It has recently successfully passed its pilot phase and is moving into full production.
What is a Signing Ceremony?
In distributed services such as eduroam, the flow of trust throughout operations is at the heart of the offering and is essential for the model to work. In a signing ceremony, a group of trusted people oversee the generation of a unique pair of public and private root keys that will safeguard the core infrastructure, the root of trust, of the service. There is a well-established process for the ceremony.
Stefan Winter, eduroam guru, explains:
“eduroam Managed IdP uses electronic certificates to identify eduroam Managed IdP end users. The integrity of these certificates is of paramount importance. To ensure that no-one can counterfeit user accounts, the cryptographic key of the Certification Authority (CA) that issues these certificates must be held in a secure place, accessible only to authorised personnel. The key generation ceremony ensures a four-eyes principle for the most crucial root of trust of this CA: physical access to the encrypted key is only possible via GÉANT Association personnel; but the key can only be decrypted and actually used by eduroam Managed IdP operations personnel, which is disjoint from the personnel of GÉANT Association.”
Our ceremony was overseen by a very appropriate witness in the form of eduroam inventor – Klaas Wierenga. He carefully watched as the eduroam Operational Team and the GÉANT Trust and Identity operations team generated the CA, agreed on a passphrase, and securely stored appropriate data in the GÉANT Amsterdam office. Part of the ceremony also included ensuring that data was appropriately deleted from devices used as part of the generation process.
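The split of custody described above, as an added illustration that is not the eduroam team's own ceremony tooling: one party holds only the passphrase-encrypted key file, the other party holds only the passphrase, and neither alone can sign. File names, the passphrase and the certificate subject are constructed for the example.

```shell
#!/bin/sh
# Added illustration, not the eduroam Managed IdP ceremony scripts: the encrypted
# key file models the artefact held physically by GÉANT Association; the
# passphrase models the secret known only to eduroam Managed IdP operations.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEYFILE="$WORK/managed-idp-root.key.enc"   # hypothetical file name
OPS_PASSPHRASE="constructed-ops-passphrase" # constructed, not a real value

# Ceremony step 1: generate the root key, written only in encrypted form.
generate_encrypted_root_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$OPS_PASSPHRASE" -out "$KEYFILE" 2>/dev/null
}

# Custodian of the file alone: the key must be unusable without the passphrase.
# Returns 0 when a wrong passphrase cannot unlock the key (the desired property).
key_unusable_without_passphrase() {
    if openssl pkey -in "$KEYFILE" -passin pass:wrong-guess -noout 2>/dev/null; then
        return 1
    fi
    return 0
}

# Both parties together: decrypt the key and issue the self-signed root certificate.
issue_root_certificate() {
    openssl req -x509 -new -key "$KEYFILE" -passin "pass:$OPS_PASSPHRASE" \
        -subj "/CN=Constructed Managed IdP Root" -days 1 \
        -out "$WORK/root.crt" 2>/dev/null
    openssl x509 -in "$WORK/root.crt" -noout -subject
}

# Final ceremony step: remove key material from the device used for generation.
cleanup_generation_device() {
    rm -f "$KEYFILE" "$WORK/root.crt"
    [ ! -e "$KEYFILE" ] && [ ! -e "$WORK/root.crt" ]
}

generate_encrypted_root_key
key_unusable_without_passphrase && echo "encrypted file alone cannot be used"
issue_root_certificate
cleanup_generation_device
```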
What Next?
eduroam Managed IdP is in the final stages of implementing the production service and will soon be ready to start accepting users. Look out for an announcement from the team soon.