Hello Marcel

Thank you for your answer.

On 11/23/2012 12:26 AM, Marcel Holtmann wrote:
Hi Filipe,

But in this case, since there is no need of a certificate, shouldn't
connman be able to try to connect without it? I'm just saying it because
when I try to connect to this network with an iPhone it connects without
any certificate (it just asks if you want to accept a certificate) and
with an Android it just connects without even asking to accept a
certificate.

It is true that Android (and iPhone) asks you these questions when you
click on an 802.1x EAP network. Unfortunately they have to ask the user
up front before proceeding with the connection attempt, since the WiFi
network information from the Access Point does not contain any
information about the used EAP protocol. Thus they are as lost as
ConnMan about what the EAP method of connecting to the network actually is.
Asking the user happens before anything starts connecting.


Android does that but not iPhone. iPhone just asks for the user/password,
tries to connect and shows a certificate that the user needs to accept. Can
you guess what they do?

The main problem is that, as we know, users don't care about these
certificates, EAP protocols and so on. And if on iOS they are not asked
for that information, they expect the same on other devices.

Btw, what is this certificate for, and why with connman and Android doesn't
the user need to accept it?

The last I have been told is that iOS on purpose does not check these
certificates against the global trusted certificates. Simply because none
of them are authorized for WiFi usage anyway.

So does connman always accept it? How is it handled?


They only get trusted if you provide your own CA via device management.

Also iOS is kinda stupid. They always show the username/password
question for the 802.1x networks. Even if that would not work. There are
networks that completely authorize by just using certificates.

Since there is no certificate the user expects to connect directly. IMO
it's ugly for some Agent (or external program) to write a .config file
just so connman can recognize the service.

Whether any certificates exist or not needs a user decision as much as
the EAP method itself. Thus any UI trying to connect to an 802.1x EAP
network must prompt the user, give the information to ConnMan and then
connect. The current implementation in ConnMan is such that an EAP
network needs to be described as a .config file. Maybe it's less
implementation friendly to write a file with the needed information, but
it shouldn't be a too big obstacle since the UI has already received all
the needed (known) information from the user.

Sometimes the Agent will not have rights to write to /var/lib/connman or
wherever connman is reading those files from.

The agent should never have access to /var/lib/connman ever. If you do
that, then your security model is broken.

Well, you need to write there somehow. I said an Agent just for the sake of the argument, but it's an external tool anyway.

What about writing user/password credentials there? Is there any way to secure the password in the .config file?


But I agree that knowing this information is not a problem to write a
.config file.

Another point is the fact that the Agent doesn't know when it should ask
the user for that information. Perhaps by checking whether the service's
security property is ieee8021x?

I remember that there was a discussion here and Marcel Holtmann said that
Agents shouldn't ask the user for this kind of information, that's why there
is no API for that. But as we are discussing now we still need to ask for that
in the case of EAP. So there is clearly an inconsistency here.

I am totally fine if we ask username and password for 802.1x from the
user, but nothing more. To do that, we need to first know if username
and password would actually work in that case.

Is there any way to know that? As you said, there are networks that work fine with the certificate only.

Regards,

Felipe
_______________________________________________
connman mailing list
connman@connman.net
http://lists.connman.net/listinfo/connman
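For readers following the thread, here is an added illustration (not from the thread, and not taken from the ConnMan sources) of what the .config file Marcel refers to looks like for the two cases discussed: a network that authorizes by certificate only, where a username/password prompt could never succeed, and a PEAP network where the identity and passphrase a UI collects end up in the file. The keys are the ones documented in ConnMan's config-format; the service names, SSIDs, identities, file paths and secrets are invented placeholders.

```ini
# Added illustrative example, not part of the mailing-list thread or of
# ConnMan itself. Service names, SSIDs, identities, paths and secrets are
# made up.

# Certificate-only network (EAP-TLS). There is no Passphrase here at all:
# prompting the user for a password, as iOS does, cannot help on this kind
# of network.
[service_corp_tls]
Type = wifi
Name = corp-tls
EAP = tls
# Trust anchor the authentication server's certificate is checked against.
CACertFile = /etc/connman/certs/corp-ca.pem
ClientCertFile = /etc/connman/certs/laptop.pem
PrivateKeyFile = /etc/connman/certs/laptop.key
# Hypothetical passphrase protecting the private key file.
PrivateKeyPassphrase = changeme
Identity = laptop@example.org

# Username/password network (PEAP with MSCHAPv2 inside the TLS tunnel).
# This is the shape a UI could produce from an identity/passphrase prompt.
[service_corp_peap]
Type = wifi
Name = corp-peap
EAP = peap
Phase2 = MSCHAPV2
CACertFile = /etc/connman/certs/corp-ca.pem
Identity = alice
# Outer identity, sent before the TLS tunnel is up.
AnonymousIdentity = anonymous@example.org
# Stored in cleartext: the only protection is the permissions of the
# directory the file lives in, which is why the agent itself should not
# be able to write there.
Passphrase = s3cret
```

Two practical notes on the file above. The passphrase is not encrypted in any way, so the question raised in the thread about securing it has no answer inside the file format; the answer is in who may read and write the storage directory. And CACertFile is the part that distinguishes validating the network from the "show a certificate and let the user accept it" behaviour discussed for iOS: in a wpa_supplicant-backed setup, leaving it out means the server certificate is not checked against any trust anchor at all.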
