Defect - Non-compliance with a standards document or incorrect OS API usage.
Defect - Unexpected behaviour (obvious or has been verified by a project member).
New feature request.
There is currently some additional discussion surrounding the use of EAP-TLS as an authentication method, which currently is not privacy-preserving (because the client certificate contains the user's details in itself), and the compatibility with the above. To provide a modicum of 'first glance' privacy, maybe the outer identity could be set to an anonymous identifier; however, how that interacts with the implementation of EAP-TLS on the IdP end is not yet (as of 29/02/24) known.
Issue type
Defect/Feature description
The WBA is currently speccing out the privacy implications for both OpenRoaming Settled (ORS) and OpenRoaming Settlement-Free (ORSF). Since eduroam is only interested in ORSF and discussions there have been to preserve the user's wish whether they want to be identified or not, the CAT profile should enforce this from the admin configuration side.
So, the admin interface should disable the following Hotspot 2.0-related options in the 'Media Properties' in a profile if that profile's 'Enable Anonymous Outer Identity' or 'Use special Outer Identity for realm checks' options (collectively the Outer Identity Handling options) are not selected:
'Additional HS2.0 Consortium OI' (additional RCOIs, including those from the calculator below)
'OpenRoaming' (eduroam's own RCOI)
See https://wireless-broadband-alliance.github.io/OR-rcoi-config/ for the RCOIs for anonymous use.
Expected behaviour
If either Outer Identity Handling option is unselected, do not display 'OpenRoaming' in the list of 'Media Properties', OR allow the addition of 'OpenRoaming', but then flag up as disallowed in the post-Save check. In the case of 'Additional HS2.0 Consortium OI', only the latter option makes sense (flagging up as disallowed because the RCOI added requires privacy preservation). The latter option allows admins to add RCOIs that are not WBA-specific (and RCOIs such as the non-privacy-preserving ones from the calculator above could technically be added).
If either Outer Identity Handling option is selected but no values are supplied, CAT's existing behaviour of using an RFC7542-compliant outer identity will be used, which also preserves privacy, and the Hotspot 2.0-related options above should be selectable/addable to the profile.
If a profile contains either or both of the above Hotspot 2.0-related options, and all Outer Identity Handling options are modified to be unselected, the lack of compliance should be flagged up in the post-Save check as in the first option.
Relevant information
The discussions are part of the WBA's Roaming Work Group. Relevant information is "WRIX-N Network and AAA Focus v3.3.0". Document (and CR discussing the changes) can be provided to eduroam's WBA reps in accordance with the WBA IPR policy.
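The rule requested in this issue, sketched as an added example that is not part of the original issue and is not CAT code. The option labels are the ones quoted above; the profile dict layout, the function names and the sample values are assumptions, and flagging every additional RCOI (rather than only those that require privacy preservation) is a simplification.

```python
# Added illustration; not CAT code. Labels are the UI names quoted in the
# issue; the dict layout and function names are assumptions.
OUTER_ID_OPTIONS = (
    "Enable Anonymous Outer Identity",
    "Use special Outer Identity for realm checks",
)
OPENROAMING = "OpenRoaming"
ADDITIONAL_OI = "Additional HS2.0 Consortium OI"


def outer_identity_handled(profile):
    """True when at least one Outer Identity Handling option is selected.

    A selected option with an empty value still counts: the issue says CAT
    then falls back to an RFC 7542-compliant outer identity.
    """
    selected = profile.get("outer_identity", {})
    return any(opt in selected for opt in OUTER_ID_OPTIONS)


def addable_media_options(profile):
    """Hotspot 2.0 options the admin UI would offer (hide-in-UI variant)."""
    if outer_identity_handled(profile):
        return [OPENROAMING, ADDITIONAL_OI]
    # OpenRoaming is hidden; extra RCOIs stay addable and are checked on save.
    return [ADDITIONAL_OI]


def post_save_findings(profile):
    """(option, value) pairs to flag as disallowed in the post-Save check."""
    if outer_identity_handled(profile):
        return []
    media = profile.get("media", {})
    return [
        (name, value)
        for name in (OPENROAMING, ADDITIONAL_OI)
        for value in media.get(name, [])
    ]


# Constructed sample profiles (values are placeholders, not real RCOIs).
COMPLIANT = {
    "outer_identity": {"Enable Anonymous Outer Identity": ""},  # selected, no value
    "media": {OPENROAMING: ["enabled"], ADDITIONAL_OI: ["AA-BB-CC-00-00"]},
}
# Same media properties after both outer identity options were unselected.
REGRESSED = {"outer_identity": {}, "media": dict(COMPLIANT["media"])}
```

REGRESSED models the last case in the expected behaviour: Hotspot 2.0 options already saved on the profile become findings once every Outer Identity Handling option is unselected.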