This is all well and good and I accept that different institutions have different requirements. How is EAP-TLS which requires a client certificate any better than EAP-PEAP which while using username/password is in a Microsoft setting not worse than setting at your wired machine to login? Unless your organization requires client side certs on your wired machines; then I don’t see the difference? Your point is well founded in that not required server certificate validation does open up to MITM attacks for PEAP but to summarily declare EAP-TLS superior because it uses client certificates seems to miss the point.
If I come onto your institution then I would have to accept your certificate chain to be granted access. Why should I trust your chain over a major CA provider? Obviously, you have the control and authority to insist on whatever access conditions that you find acceptable, but in my case I don’t and I use third-party certs since they are acceptable by practically every device. To change the question slightly, What are organizations using for large private PKI? Microsoft CA? OpenSSL? What are organizations doing to onboard non-owned devices to accept this foreign cert chain? Thank you in advance for a responses to a difficult and troubling subject Todd Smith From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 11:27 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Correct, some versions of operating systems do not support a self-signed EAP server certificates. It is also just a bad idea as you can’t renew it without re-onboarding devices. If you use at least 1 issuer, you can cycle the certificate without updating clients. PEAP (and EAP-TTLS) should never be used on unmanaged devices unless a security assessment has been done and its been determined that credential exposure is an acceptable risk to the organization. I feel like this conversation surfaces multiple times per year. So here’s the summary: If able, EAP-TLS should be used for all user-centric device network access. This then implies an organizationally controlled PKI is used to issue the EAP server certificate. If EAP-TLS is not feasible and a legacy, known vulnerable EAP method like PEAP is going to be used, it is highly recommended that a supplicant provisioning wizard be used. This would also use an organizationally controlled PKI for the EAP server certificate. Your information security team should determine whether credential exposure is an acceptable risk for the organization. If EAP-TTLS/PAP or EAP-TTLS/MSCHAPv2 are used, a supplicant provisioning wizard is required for Apple operating systems. This would also use an organizationally controlled PKI for the EAP server certificate. Your information security team should determine whether credential exposure is an acceptable risk for the organization. If you decide to use an EAP server certificate from a public CA, expect problems every year. General summary Always use a PKI in your control for the EAP server identity so you’re able to renew the server certificate without any risk of a chain change or enforcement of restrictions intended for browsers If you must use legacy password-based authentication, use a supplicant provisioning wizard (but realize this does not remove all risk as you can’t force users to use it) If users configure their own supplicant for password-based authentication or blindly accept a certificate prompt, you should assume that their credentials have been comprised Also one quick update regarding Android: Android 11 will not restrict EAP server certificates to Chrome’s 1 year lifetime. tim From: Dennis Xu<mailto:d...@uoguelph.ca> Sent: Wednesday, August 19, 2020 12:12 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Hi Tim, Can you please further elaborate the issues with self-signed certs vs private CA signed certs besides the manageability stuffs? I understand some OSes cannot connect if using self-signed cert for PEAP authentication, unless using on-boarding solutions to configure them to trust the cert. I am not sure if the private CA signed cert makes any difference on this. Below is from the FreeRADIUS EAP configuration file: # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. Thanks, Dennis From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Mike Atkins Sent: Wednesday, August 19, 2020 11:51 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to ith...@uoguelph.ca<mailto:ith...@uoguelph.ca> Good clarification, thanks. In previous discussions, our identity group mentioned using PKI that they use for other systems. Note to self, be careful what you ask for. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 11:34 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Got it. Just to clarify, a self-signed EAP server certificate should never be used. A server certificate issued by a PKI under your control is the best deployment practice (which is not the same as a self-signed certificate). tim From: Mike Atkins<mailto:matk...@nd.edu> Sent: Wednesday, August 19, 2020 11:31 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Tim, We use the public certificates for users that do not use our onboarding utility. We use a public root certificate that is in pretty much all operating systems. Fortunately or unfortuanately, some operating systems still want to walk the entire chain so we onboard with the root and intermediate. Our information security group had concerns about users just accepting security prompts for certificates. Using a self-signed cert that expires far into the future sounds better each day. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Cappalli Sent: Wednesday, August 19, 2020 10:38 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? If you’re already onboarding your users, why do you continue to use a public cert? A public EAP server cert should only be used when a “walk-up” enter your username/password experience is desired (of course that’s after your organization has decided that credential exposure is not a concern). Tim From: Mike Atkins<mailto:matk...@nd.edu> Sent: Wednesday, August 19, 2020 10:34 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? We were burnt last December by an updated cert with the same cert chain and still not trusted by some devices/operating systems. We learned documents that referenced changes to the default web browser on an operating system ended up with a modification in the operating system that matched the web browser's changed behavior. I think this is the same experience Christopher is referencing. We ended up having to re-onboard all of our devices at the very last minute. We spent more time than we should have to try to avoid onboarding devices mid-semester when our cert expired. (this happened right around finals of course) Our identity group is buying a cert to test with a month in advance. They then cancel/revoke that cert to get money back and then order the production cert. This is to best ensure we test with the right root/intermediate certificate authorities that will be on our production cert. We still lose about a week on the production cert between testing and install. Ideally, we would keep the yearly cert installation during the summer but time is against us. Mike Atkins Network Engineer Office of Information Technology University of Notre Dame -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Johnson, Christopher Sent: Wednesday, August 19, 2020 10:07 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? I think it's going to "depend" on each Operating System for the 802.1X authentications being affected. The information below is more of just an FYI on what I've observed (cause I imagine someone's going to say - If I'm going through the trouble of installing a public Root CA that already exists - then why not go ahead and use a Private CA). 1. Apple specifically states "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS." - so that makes me wonder if you install a public Root CA via a mobile config for example for iOS - does that exempt it from the 1 year limitation then? 2. Chrome OS though (at least from the behavior I've seen) you can't install a public Root that already exists on to the OS. I don't think I would trust those "possible exceptions though". One of the annoying things I felt with Android and Chromebook for certificate management was If I go into the device and "Disable/Turn Off the certificates/Set to Not Use" - then all portions of the Operating System should not use those certificates regardless. However, from what I saw, even if I disable some of the Public CAs - the wireless supplicant still seems to trust them. Christopher Johnson Wireless Network Engineer Office of Technology Solutions | Illinois State University (309) 438-8444 Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and Twitter -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> On Behalf Of Tim Tyler Sent: Wednesday, August 19, 2020 8:45 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? [This message came from an external source. If suspicious, report to ab...@ilstu.edu<mailto:ab...@ilstu.edu><mailto:ab...@ilstu.edu>] I was told by Sertigo that all commercial certs would be affected. We just bought the last 2 year expirations we could get away with for both 802.1x and https. The reason I am told has to do with so many smaller establishments that go out of business before their cert expires leaving the cert as a security vulnerability for consumers. I just wish there was a way to allow for the longer certs for those of us that have a long history of existence and stability. Such a pain. And I am told they are debating quarterly cert replacements in the future. That would turn cert management into a much bigger responsibility if that were to happen. Hopefully that doesn’t happen. And yes, if you want to manage EAP with your own self cert, I believe you can use a longer expiration. Tim -----Original Message----- From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Andrew Gallo Sent: Wednesday, August 19, 2020 8:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: [WIRELESS-LAN] New certificate expiration for certificates affecting 802.1X? Does anyone know if the new, shorter certificate expiration for TLS that Apple announced (and Google is following) will affect 802.1X authentication? Thanks -- ________________________________ Andrew Gallo The George Washington University ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0 [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588747580&sdata=JyTqX7fgKwhAuwJh0eisqOhRrCklIcLC4FThQPD86Rc*3D&reserved=0__;JSUlJSUlJSUlJSUlJQ!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk98leEglQ$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0 [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588757531&sdata=GX4*2BKY6ffLO8igUIlg3uaPKWWFtqSO6*2BSMKZqu6MhtM*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUl!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk9tNuKcYg$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0 [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588767486&sdata=2G0RYvMo1nimVZ91nCqHgLH9mDvH20cMlh0oyL9FDpQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJQ!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk94BrBDEc$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7C174f3ee1f58546491eb208d8444d01da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637334444825739457&sdata=M3cLiVvxdMmZOn9buSdgXiv1IEu6KE9EcQVWkKlVxkk%3D&reserved=0 [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588767486&sdata=2G0RYvMo1nimVZ91nCqHgLH9mDvH20cMlh0oyL9FDpQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJQ!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk94BrBDEc$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588767486&sdata=2G0RYvMo1nimVZ91nCqHgLH9mDvH20cMlh0oyL9FDpQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJQ!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk94BrBDEc$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588777443&sdata=I31w8y5PbE85cEjkMYmU*2BQoWQh0Afp0wZDnSNOVe*2FfY*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUl!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk9ugYKPp4$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588777443&sdata=I31w8y5PbE85cEjkMYmU*2BQoWQh0Afp0wZDnSNOVe*2FfY*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUl!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk9ugYKPp4$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588787408&sdata=s5k8aLRgAOqcdxlNBMnWpMOqpR9R2pyOegkuF70A7hA*3D&reserved=0__;JSUlJSUlJSUlJSUlJQ!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk9XdhVhMA$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community [nam06.safelinks.protection.outlook.com]<https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww.educause.edu*2Fcommunity&data=02*7C01*7Ctim.cappalli*40MICROSOFT.COM*7C7c7bf97bbf244d5a574a08d8445aaf34*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637334503588787408&sdata=s5k8aLRgAOqcdxlNBMnWpMOqpR9R2pyOegkuF70A7hA*3D&reserved=0__;JSUlJSUlJSUlJSUlJQ!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk9XdhVhMA$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community [educause.edu]<https://urldefense.com/v3/__https:/www.educause.edu/community__;!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk9Ki-03_M$> ________________________________ EXTERNAL EMAIL NOTICE: This email did not originate at CAMC, exercise CAUTION in clicking LINKS or opening ATTACHMENTS. If you are not familiar with the SENDER, then consider deleting this message. If there is any doubt of this email’s legitimacy, use the Manage Unwanted toolbar in Outlook to report it as a suspicious email. Original Sender: owner-wireless-...@listserv.educause.edu<mailto:owner-wireless-...@listserv.educause.edu> Originating Country Name: United States ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community [educause.edu]<https://urldefense.com/v3/__https:/www.educause.edu/community__;!!Mjz1FA!1xTtYDrGqQ2n0l7FUlGdN5dq9xNiENKPjxmfGwD3yhXjnvUl6zYgxHk9Ki-03_M$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community