Taskforce Mobility Mailarchive


Subject Re: WPA problem and eduroam
From "Miroslav Milinovic" <miro@xxxxxxx>
Date Wed, 3 Dec 2008 15:12:58 +0100

Tomasz,

As you are probably guessing I am in favour of Stefan's proposal.

I also think that we are not in a situation in which one must react in the next days or weeks. I think we still have a couple of months ahead of us.
Nevertheless we should not sleep.

At the risk of repeating myself:

This is exactly where we differ and there is no telling which one of us
is right, except that you are the one who is running the service :).

That actually is not an argument.

I want to provide a good wireless service for our users. eduroam
is our only local network. There are a lot of good reasons to keep it
that way.

I am not questioning that.


So what other option do I have?  Just one - start a local AES-only
network, and this is exactly what I would want to avoid.

No. You can now publicly announce that in something like x months you'll migrate your service from TKIP to AES. I see that as the best option. At the end of the day you want to get rid of TKIP at some point in time?

I do fear that by introducing eduroam2 we are making a big step back
when it comes to the usability of the service. In time eduroam2 will
be a common thing, the eduroam SSID will "die", and WPA/AES will have a
successor ... what to do then (with SSIDs)?
DOS, DOS 2.0, ... DOS 6.0, ... Windows 3.11, Windows 95, 98, 2000, XP,
Vista ....,
Peugeot 404, 5, 6, 7, 8 ....., IPv4, IPv6, WPA, WPA2 :)

This is something people are used to. Higher number - better service.
"Our new washing powder does an even better job".
eduroam2 is better than eduroam, and eduroam8 in 2050 will be MUCH
better. :).

We definitely do not share the same opinion on this "branding stuff". You listed several product names, but as we all know, an SSID is not that kind of identifier.

BTW I prefer Peugeot 507 to 1007 ;-)


Would it really be such a big thing to add to the Policy:
"Service providers MAY additionally deploy the SSID "eduroam2". This
SSID MUST be protected by WPA2/AES encryption."


IMHO yes, because it opens the dangerous possibility that we have different eduroam flavours accompanied by different SSIDs. And ciphers are not the only point in which we can think of various eduroam flavours ...

Miro