| blob | f5f342eae7ac08dbc8f077a4eb13ea1414d90f30 |
2 <html>
3 <head>
8 </head>
9 <body>
17 </section>
19 <section>
21 <p>
22 We would like to create a simple, open, but complete format to describe
23 multiple network configurations for WiFi, Ethernet, Cellular,
24 Bluetooth/WiFi-Direct, and VPN connections in a single file format, in order
25 to simplify and automate network configuration for users.
26 </p>
27 </section>
29 <section>
31 <p>
32 Configuring networks is a painful and error-prone experience for users. It
33 is a problem shared across desktop, laptop, tablet, and phone users of all
34 operating system types. It is exacerbated in business and schools which
35 often have complex network configurations (VPNs and 802.1X networking) that
36 change often and have many connected devices. Configuration of WiFi is
37 still done manually, often by administrators physically standing next to
38 users working on devices. Certificate distribution is particularly painful
39 which often results in admins instead using passphrases to protect networks
40 or using protocols without client certificates that instead use LDAP
41 passwords for authentication. Even after networks are configured, updates to
42 the network configuration require another round of manual changes, and
43 accidental changes by a user or malicious changes by an attacker can break
44 connectivity or make connections less private or secure.
45 </p>
47 <section>
49 <p>
50 We propose a single-file format for network configuration that is
51 human-readable, can describe all of the common kinds of network
52 configurations, supports integrity checking, certificate and key
53 provisioning, and updating. The file can be encrypted with a single
54 passphrase so that upon entering the passphrase the entire configuration is
55 loaded. The format can be described as an open format to enable multiple OS
56 vendors to interoperate and share configuration editors.
57 </p>
59 <p>
60 This format neither supports configuring browser settings nor allows setting
61 other types of system policies.
62 </p>
63 </section>
65 <section>
67 <p>
68 A standalone configuration editor will be created, downloadable as a Chrome
69 app. This editor will allow creating, modifying, and encrypting an open
70 network configuration file in a way that is intuitive for a system
71 administrator.
72 </p>
74 <p>
75 This file format may be delivered to a user and manually imported into a
76 device.
77 </p>
79 <p>
80 This file format may be created by an administrator, stored in a policy
81 repository, and automatically pushed to a device.
82 </p>
83 </section>
85 </section>
87 <section>
89 <p>
90 We use JSON format for the files. The fields in a JSON file are always
91 case-sensitive, so the exact case of the fields in this section must be
92 matched. In addition, the values that are called out as explicit constants
93 must also match the case specified (e.g. WiFi must not be written as wifi,
94 etc.). This document describes a minimum set of required fields and optional
95 fields. Other fields may be created, however, see the
96 implementation-specific fields for guidelines for these fields.
97 </p>
99 <p>
100 The JSON consists of a top level dictionary containing
104 </p>
106 <p>
108 type, see the section on Encrypted Configuration
110 an unencrypted JSON object.
111 </p>
113 <section>
115 <p>
116 This format allows for importing updated network configurations and
117 certificates by providing GUIDs to each network configuration and
118 certificate so they can be modified or even removed in future updates.
119 </p>
121 <p>
122 GUIDs are non-empty strings that are meant to be stable and unique. When
123 they refer to the same entity, they should be the same between ONC files. No
124 two different networks or certificates should have the same GUID, similarly
125 a network and certificate should not have the same GUID. A single ONC file
126 should not contain the same entity twice (with the same GUID). Failing any
127 of these tests indicates the ONC file is not valid.
128 </p>
130 <p>
131 Any GUID referred to in an ONC file must be present in the same ONC file. In
132 particular, it is an error to create a certificate in one ONC file and refer
133 to it in a NetworkConfiguration in another ONC file and not define it there,
134 even if the previous ONC file has been imported.
135 </p>
136 </section>
138 <section>
140 <p>
141 As there are many different kinds of connections and some that are not yet
142 anticipated may require new fields. This format allows arbitrary other
143 fields to be added.
144 </p>
146 <p>
147 Fields and values should follow these general guidelines:
148 </p>
150 <ul>
151 <li>
152 Certificates (with and without keys) should always be placed in the
153 certificate section - specifically certificate contents should not be
154 placed in fields directly. Referring to certificates should be done using
155 a field whose name ends in Ref and whose value is the GUID of the
156 certificate, or if the certificate is not contained in this file, its
157 pattern can be described using a field ending in Pattern of
159 </li>
160 <li>
161 Fields should exist in the most-specific object in the hierarchy and
162 should be named CamelCase style.
163 </li>
164 <li>
165 Booleans and integers should be used directly instead of using a
166 stringified version of the type.
167 </li>
168 </ul>
170 <p>
171 Any editor of network configuration information should allows the user to
172 modify any fields that are implementation-specific. It may not be present
173 directly in the UI but it should be able to import files with such settings
174 and leave preserve these settings on export.
175 </p>
176 </section>
178 <section>
180 <p>
185 following:
186 </p>
190 <dd>
193 </span>)
195 </span>
197 </dd>
200 <dd>
202 (optional)
204 </span>
205 Describes WiFi, Ethernet, VPN, and wireless connections.
206 </dd>
209 <dd>
211 (optional)
213 </span>
215 </dd>
216 </dl>
218 At least one actual configuration field
221 not be considered an error if no such field is present.
223 <section>
225 <p>
229 the following:
230 </p>
234 <dd>
239 </span>
240 Ethernet settings.
241 </dd>
244 <dd>
246 (required)
248 </span>
249 A unique identifier for this network connection, which exists to make it
250 possible to update previously imported configurations. Must be a non-empty
251 string.
252 </dd>
255 <dd>
262 </span>
267 </span>
268 Determines whether the IP Address configuration is statically configured,
270 using DHCP.
271 </dd>
274 <dd>
281 </span>
286 </span>
287 Determines whether the NameServers configuration is statically configured,
289 using DHCP.
290 </dd>
293 <dd>
295 (optional for connected networks, read-only)
297 </span>
298 Array of IPConfig properties associated with this connection.
299 </dd>
302 <dd>
308 </span>
309 Each property set in this IPConfig object overrides the respective
310 parameter received over DHCP.
316 is required.
317 </dd>
320 <dd>
322 (optional for connected networks, read-only)
324 </span>
325 IPConfig property containing the configuration that was received from the
326 DHCP server prior to applying any StaticIPConfig parameters.
327 </dd>
330 <dd>
335 </span>
336 A user-friendly description of this connection. This name will not be used
337 for referencing and may not be unique. Instead it may be used for
338 describing the network to the user.
339 </dd>
342 <dd>
346 </span>
347 If set, remove this network configuration (only GUID should be set).
348 </dd>
351 <dd>
356 </span>
357 Proxy settings for this network
358 </dd>
361 <dd>
366 </span>
367 VPN settings.
368 </dd>
371 <dd>
376 </span>
377 WiFi settings.
378 </dd>
381 <dd>
386 </span>
387 WiMAX settings.
388 </dd>
391 <dd>
396 </span>
397 Cellular settings.
398 </dd>
401 <dd>
406 </span>
412 </span>
413 Indicates which kind of connection this is.
414 </dd>
417 <dd>
419 (optional, read-only)
421 </span>
422 The current connection state for this network, provided by the system.
425 Allowed values are:
429 </span>
430 </dd>
433 <dd>
437 </span>
438 True if a connnected network has limited connectivity to the Internet,
439 e.g. a connection is behind a portal or a cellular network is not
440 activated or requires payment.
441 </dd>
444 <dd>
446 (optional, read-only)
448 </span>
449 True if the system indicates that the network can be connected to without
450 any additional configuration.
451 </dd>
454 <dd>
456 (optional, read-only)
458 </span>
459 The current error state for this network, if any. Error states are
460 provided by the system and are not explicitly defined here. They may or
461 may not be human-readable. This field will be empty or absent if the
462 network is not in an error state.
463 </dd>
466 <dd>
468 (optional, read-only)
470 </span>
471 The MAC address for the network. Only applies to connected non-virtual
473 </dd>
476 <dd>
478 (optional, read-only)
480 </span>
481 Indicates whether the network is configured and how it is configured:
482 <ul>
484 user only, i.e. an unshared configuration.</li>
486 device (e.g laptop), i.e. a shared configuration.</li>
488 policy for the active user.</li>
490 policy for the device.</li>
492 but unconfigured WiFi network.</li>
493 </ul>
496 Allowed values are:
502 </span>
503 </dd>
506 <dd>
508 (optional)
510 </span>
511 Provides a suggested priority value for this network. May be used by the
512 system to determine which network to connect to when multiple configured
513 networks are available (or may be ignored).
514 </dd>
516 </dl>
518 <section>
520 <p>
525 </p>
529 <dd>
531 (optional)
533 </span>
538 </span>
539 </dd>
542 <dd>
547 </span>
548 EAP settings.
549 </dd>
550 </dl>
551 </section>
553 <section>
555 <p>
557 actual IP configuration of a connected network (see
561 </p>
565 <dd>
567 (required)
569 </span>
574 </span>
575 Describes the type of configuration this is.
576 </dd>
579 <dd>
581 (optional)
583 </span>
584 Describes the IPv4 or IPv6 address of a connection, depending on the value
586 routing prefix (i.e. should not end in something like /64).
587 </dd>
590 <dd>
593 ignored.)
595 </span>
599 addresses.
600 </span>
601 Describes the routing prefix.
602 </dd>
605 <dd>
608 ignored.)
610 </span>
611 Describes the gateway address to use for the configuration. Must match
613 specified, DHCP values will be used.
614 </dd>
617 <dd>
619 (optional)
621 </span>
622 Array of addresses to use for name servers. Address format must match that
624 DHCP values will be used.
625 </dd>
628 <dd>
630 (optional)
632 </span>
633 Array of strings to append to names for resolution. Items in this array
636 be used.
637 </dd>
640 <dd>
644 </span>
645 The Web Proxy Auto-Discovery URL for this network as reported over DHCP.
646 </dd>
648 </dl>
649 </section>
651 <section>
653 <p>
658 </p>
662 <dd>
666 </span>
667 Indicaties if ARP polling of default gateway is allowed.
668 When it is allowed, periodic ARP messages will be sent to
669 the default gateway. This is used for monitoring the status
670 of the current connection.
671 </dd>
674 <dd>
678 </span>
679 Indicating that the network should be connected to automatically when in
680 range.
681 </dd>
684 <dd>
690 </span>
691 EAP settings.
692 </dd>
695 <dd>
700 </span>
701 Hex representation of the network's SSID.
702 </dd>
705 <dd>
709 </span>
710 Indicating if the SSID will be broadcast.
711 </dd>
714 <dd>
720 </span>
721 Describes the passphrase for WEP/WPA/WPA2
725 </dd>
728 <dd>
730 (optional)
732 </span>
733 The roam threshold for this network, which is the signal-to-noise value
734 (in dB) below which we will attempt to roam to a new network. If this
735 value is not set, the default value will be used.
736 </dd>
739 <dd>
741 (required)
743 </span>
751 </span>
752 </dd>
755 <dd>
758 ignored)
760 </span>
761 Property to access the decoded SSID of a network.<br/>
763 its value will be UTF-8 encoded and the hex representation will be
766 When reading the configuration of a network, both this field and
769 decoded using UTF-8, otherwise an encoding is guessed on a best effort
770 basis.
771 </dd>
774 <dd>
776 (optional, read-only)
778 </span>
780 provided by the system. If the network is not in range this field will
781 be set to '0' or not present.
782 </dd>
783 </dl>
789 are set, the values must be consistent.
790 </span>
791 </span>
792 </section>
794 <section>
796 <p>
797 There are many kinds of VPNs with widely varying configuration options. We
798 offer standard configuration options for a few common configurations at this
799 time, and may add more later. For all others, implementation specific fields
800 should be used.
801 </p>
803 <p>
808 </p>
812 <dd>
816 </span>
817 Indicating that the network should be connected to automatically.
818 </dd>
821 <dd>
823 (optional)
825 </span>
826 Host name or IP address of server to connect to. The only scenario that
827 does not require a host is a VPN that encrypts but does not tunnel
828 traffic. Standalone IPsec (v1 or v2, cert or PSK based -- this is not the
829 same as L2TP over IPsec) is one such setup. For all other types of VPN,
831 </dd>
834 <dd>
840 </span>
841 IPsec layer settings.
842 </dd>
845 <dd>
850 </span>
851 L2TP layer settings.
852 </dd>
855 <dd>
860 </span>
861 OpenVPN settings.
862 </dd>
865 <dd>
870 </span>
871 Third-party VPN provider settings.
872 </dd>
875 <dd>
877 (required)
879 </span>
886 </span>
887 Type of the VPN.
888 </dd>
889 </dl>
891 <section>
893 <p>
895 </p>
899 <dd>
901 (required)
903 </span>
907 <span class="value">Cert</span>. If <span class="value">Cert</span> is used, <span class="field">ClientCertType</span> and <span class="field">ServerCARefs</span> (or the deprecated <span class="field">ServerCARef</span>) must be set.
908 </span>
909 </dd>
912 <dd>
917 </span>
918 Pattern describing the client certificate.
919 </dd>
922 <dd>
927 </span>
928 Reference to client certificate stored in certificate section.
929 </dd>
932 <dd>
937 </span>
942 </span>
943 </dd>
946 <dd>
949 ignored)
951 </span>
952 Indicating that EAP authentication should be used with the provided
953 parameters.
954 </dd>
957 <dd>
960 ignored)
962 </span>
963 Group name used for machine authentication.
964 </dd>
967 <dd>
969 (required)
971 </span>
972 Version of IKE protocol to use.
973 </dd>
976 <dd>
981 </span>
982 Pre-Shared Key. If not specified, user is prompted at time of
983 connection.
984 </dd>
987 <dd>
993 </span>
995 (PSK) each time they connect.
996 </dd>
999 <dd>
1004 </span>
1005 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset.
1006 </dd>
1009 <dd>
1014 </span>
1016 Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
1017 </dd>
1020 <dd>
1023 ignored)
1025 </span>
1026 Describing XAUTH credentials. XAUTH is not used if this object is not
1027 present.
1028 </dd>
1029 </dl>
1033 If <span class="field">AuthenticationType</span> is set to <span class="value">Cert</span>, <span class="field">ServerCARefs</span> or <span class="field">ServerCARef</span> must be set.
1034 </p>
1038 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
1039 </p>
1041 <p>
1043 </p>
1047 <dd>
1051 </span>
1052 Disable L2TP connection monitoring via PPP LCP frames. This
1053 allows the VPN client to work around server implementations
1054 that do not support the LCP echo feature.
1055 </dd>
1058 <dd>
1060 (optional)
1062 </span>
1063 User authentication password. If not specified, user is prompted at time
1064 of connection.
1065 </dd>
1068 <dd>
1072 </span>
1074 each time they connect.
1075 </dd>
1078 <dd>
1080 (optional)
1082 </span>
1083 User identity. This value is subject to string expansions. If not
1084 specified, user is prompted at time of connection.
1085 </dd>
1086 </dl>
1088 <p>
1090 </p>
1094 <dd>
1096 (optional)
1098 </span>
1099 XAUTH password. If not specified, user is prompted at time of
1100 connection.
1101 </dd>
1104 <dd>
1108 </span>
1110 each time they connect.
1111 </dd>
1114 <dd>
1116 (optional)
1118 </span>
1119 XAUTH user name. This value is subject to string expansions. If not
1120 specified, user is prompted at time of connection.
1121 </dd>
1122 </dl>
1124 <section>
1126 <p>
1129 must be 1. Do not use this for L2TP over IPsec. This may be used for
1130 machine-authentication-only IKEv1 or for IKEv1 with XAUTH. See
1132 </p>
1133 </section>
1135 <section>
1137 <p>
1140 must be 2. This may be used with EAP-based user authentication.
1141 </p>
1142 </section>
1144 <section>
1146 <p>
1147 There are two major configurations L2TP over IPsec which depend on how IPsec
1150 </p>
1152 <p>
1153 L2TP over IPsec with pre-shared key:
1154 </p>
1156 <ul>
1158 following settings:
1159 <ul>
1163 </ul>
1164 </li>
1166 </ul>
1167 </section>
1169 </section>
1171 <section>
1173 <p>
1176 </p>
1178 <p>
1180 </p>
1184 <dd>
1188 </span>
1189 </dd>
1192 <dd>
1196 </span>
1202 </span>
1203 Controls how OpenVPN responds to username/password verification
1204 errors:<br> Either fail with error on retry
1208 </dd>
1211 <dd>
1215 </span>
1216 Disable caching of credentials in memory.
1217 </dd>
1220 <dd>
1224 </span>
1225 Cipher to use.
1226 </dd>
1229 <dd>
1234 </span>
1235 Reference to client certificate stored in certificate section.
1236 </dd>
1239 <dd>
1244 </span>
1245 Pattern to use to find the client certificate.
1246 </dd>
1249 <dd>
1251 (required)
1253 </span>
1258 </span>
1260 not require client certificates.
1261 </dd>
1264 <dd>
1268 </span>
1271 </dd>
1274 <dd>
1278 </span>
1279 Disables adaptive compression.
1280 </dd>
1283 <dd>
1287 </span>
1288 Omits a default route to the VPN gateway while the connection is active.
1289 By default, the client creates a default route to the gateway address
1290 advertised by the VPN server. Setting this value to
1292 configurations where the VPN server omits explicit default routes.
1293 This is roughly equivalent to omitting "redirect-gateway" OpenVPN client
1294 configuration option. If the server pushes a "redirect-gateway"
1295 configuration flag to the client, this option is ignored.
1296 </dd>
1299 <dd>
1301 (optional)
1303 </span>
1304 Passed as --key-direction.
1305 </dd>
1308 <dd>
1310 (optional)
1312 </span>
1313 If set, checks peer certificate type. Should only be set
1315 </dd>
1318 <dd>
1323 defaults to empty string)
1325 </span>
1328 and this field is not set, the user will be asked for an OTP.
1329 The OTP is never persisted and must be provided on every connection
1330 attempt.
1331 </dd>
1334 <dd>
1339 defaults to empty string)
1341 </span>
1345 will be asked for a password.
1348 connection attempts. Otherwise it is not persisted but might still be
1349 reused for consecutive connection attempts (opposed to an OTP, which will
1350 never be reused).
1351 </dd>
1354 <dd>
1358 </span>
1359 Port for connecting to server.
1360 </dd>
1363 <dd>
1367 </span>
1368 Protocol for communicating with server.
1369 </dd>
1372 <dd>
1376 </span>
1377 </dd>
1380 <dd>
1382 (optional)
1384 </span>
1385 Require that the peer certificate was signed with this explicit extended
1386 key usage in oid notation.
1387 </dd>
1390 <dd>
1392 (optional, defaults to [])
1394 </span>
1395 Require the given array of key usage numbers. These are strings that are
1396 hex encoded numbers.
1397 </dd>
1400 <dd>
1404 </span>
1409 </span>
1410 Require peer certificate signing based on RFC3280 TLS rules.
1411 </dd>
1414 <dd>
1418 </span>
1419 Renegotiate data channel key after this number of seconds.
1420 </dd>
1423 <dd>
1427 </span>
1429 each time they connect.
1430 </dd>
1433 <dd>
1435 (optional)
1437 </span>
1438 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. See also OpenVPN's command line option "--ca". If this field is set, <span class="field">ServerCARef</span> must be unset.
1439 </dd>
1442 <dd>
1444 (optional)
1446 </span>
1448 Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
1449 </dd>
1452 <dd>
1454 (optional)
1456 </span>
1457 Reference to a certificate. Peer's signed certificate.
1458 </dd>
1461 <dd>
1463 (optional)
1465 </span>
1466 Spend no more than this number of seconds before trying the next server.
1467 </dd>
1470 <dd>
1472 (optional)
1474 </span>
1475 If not specified no bandwidth limiting, otherwise limit bandwidth of
1476 outgoing tunnel data to this number of bytes per second.
1477 </dd>
1480 <dd>
1482 (optional)
1484 </span>
1485 String is used in static challenge response. Note that echoing is always
1486 done.
1487 </dd>
1490 <dd>
1492 (optional)
1494 </span>
1495 If not set, tls auth is not used. If set, this is the TLS Auth key
1496 contents (usually starts with "-----BEGIN OpenVPN Static Key..."
1497 </dd>
1500 <dd>
1502 (optional)
1504 </span>
1505 If set, only allow connections to server hosts with X509 name or common
1506 name equal to this string.
1507 </dd>
1510 <dd>
1514 </span>
1521 </span>
1522 Determines the required form of user authentication:
1523 <ul><li>
1525 and an OTP (possibly empty). Both will be send to the server in the
1526 'password' response using the SCRv1 encoding.
1527 </li><li>
1529 which will be send without modification to the server in the 'password'
1530 response (no CRv1 or SCRv1 encoding).
1531 </li><li>
1533 will be send without modification to the server in the 'password'
1534 response (no CRv1 or SCRv1 encoding).
1535 </li><li>
1537 No password request from the server is expected.
1538 </li></ul>
1539 If not set, the user can provide a password and an OTP (both not
1540 mandatory) and the network manager will send both in the SCRv1 encoding,
1541 when the server sends a static-challenge. If the server does not send a
1542 static-challenge, the client will reply with only the password (without
1543 any encoding). This behavior is deprecated and new configurations should
1544 explicitly set one of the above values.
1548 </dd>
1551 <dd>
1553 (optional)
1555 </span>
1556 OpenVPN user name. This value is subject to string expansions. If not
1557 specified, user is prompted at time of connection.
1558 </dd>
1561 <dd>
1563 (optional)
1565 </span>
1566 Verbosity level, defaults to OpenVpn's default if not specified.
1567 </dd>
1570 <dd>
1572 (optional)
1574 </span>
1575 If set, this value is passed as the "--verify-hash" argument to OpenVPN,
1576 which specifies the SHA1 fingerprint for the level-1 certificate.
1577 </dd>
1580 <dd>
1582 (optional)
1584 </span>
1585 If set, the "--verify-x509-name" argument is passed to OpenVPN with the values of this object and only connections will be accepted if a host's X.509 name is equal to the given name.
1586 </dd>
1587 </dl>
1591 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
1592 </p>
1594 <p>
1596 </p>
1599 <dd>
1601 (required)
1603 </span>
1604 The name that the host's X.509 name is compared to. Which host name is compared depends on the value of <span class="field">Type</span>.
1605 </dd>
1608 <dd>
1610 (optional)
1612 </span>
1613 Determines which of the host's X.509 names will be verified. Allowed values are <span class="value">name</span>, <span class="value">name-prefix</span> and <span class="value">subject</span>. See OpenVPN's documentation for "--verify-x509-name" for the meaning of each value. Defaults to OpenVPN's default if not specified.
1614 </dd>
1615 </dl>
1616 </section>
1618 <section>
1620 <p>
1623 </p>
1625 <p>
1627 </p>
1631 <dd>
1633 (required)
1635 </span>
1636 The extension ID of the third-party VPN provider used by this network.
1637 </dd>
1639 <dd>
1641 (optional, read-only)
1643 </span>
1644 The name of the third-party VPN provider used by this network.
1645 </dd>
1646 </dl>
1647 </section>
1649 </section>
1651 <section>
1653 <p>
1654 In order to allow clients to securely key their private keys and request
1655 certificates through PKCS#10 format or through a web flow, we provide
1656 alternative CertificatePattern types. The
1658 </p>
1662 <dd>
1664 (optional)
1666 </span>
1667 Array of references to certificates. At least one must have signed the
1668 client certificate.
1669 </dd>
1672 <dd>
1674 (optional)
1676 </span>
1677 Pattern to match the issuer X.509 settings against. If not specified, the
1678 only checks done will be a signature check against
1680 certificate must match this field exactly to match the pattern.
1681 </dd>
1684 <dd>
1686 (optional)
1688 </span>
1689 Pattern to match the subject X.509 settings against. If not specified, the
1690 subject settings are not checked and any certificate matches. Subject of
1691 the certificate must match this field exactly to match the pattern.
1692 </dd>
1695 <dd>
1697 (optional)
1699 </span>
1700 If no certificate matches this CertificatePattern, the first URI from this
1701 array with a recognized scheme is navigated to, with the intention this
1702 informs the user how to either get the certificate or gets the certificate
1703 for the user. For instance, the array may be [
1704 "chrome-extension://asakgksjssjwwkeielsjs/fetch-client-cert.html",
1705 "http://intra/connecting-to-wireless.html" ] so that for Chrome browsers a
1706 Chrome app or extension is shown to the user, but for other browsers, a
1707 web URL is shown.
1708 </dd>
1709 </dl>
1711 <p>
1713 following:
1714 </p>
1718 <dd>
1720 (optional)
1722 </span>
1723 Certificate subject's commonName must match this string if present.
1724 </dd>
1727 <dd>
1729 (optional)
1731 </span>
1732 Certificate subject's location must match this string if present.
1733 </dd>
1736 <dd>
1738 (optional)
1740 </span>
1741 At least one of certificate subject's organizations must match this string
1742 if present.
1743 </dd>
1746 <dd>
1748 (optional)
1750 </span>
1751 At least one of certificate subject's organizational units must match this
1752 string if present.
1753 </dd>
1754 </dl>
1761 to be valid.
1762 </p>
1764 <p>
1765 For a certificate to be considered matching, it must match all
1766 the fields in the certificate pattern. If multiple certificates match, the
1767 certificate with the latest issue date that is still in the past, and hence
1768 valid, will be used.
1769 </p>
1771 <p>
1773 found to this pattern, the importing tool may show an error to the user.
1774 </p>
1775 </section>
1777 <section>
1779 <p>
1780 Every network can be configured to use a
1782 following:
1783 </p>
1787 <dd>
1789 (required)
1791 </span>
1797 </span>
1800 </dd>
1803 <dd>
1808 </span>
1809 Manual proxy settings.
1810 </dd>
1813 <dd>
1818 </span>
1819 Domains and hosts for which to exclude proxy settings.
1820 </dd>
1823 <dd>
1828 </span>
1829 URL of proxy auto-config file.
1830 </dd>
1831 </dl>
1833 <p>
1835 following:
1836 </p>
1840 <dd>
1842 (optional)
1844 </span>
1845 settings for HTTP proxy.
1846 </dd>
1849 <dd>
1851 (optional)
1853 </span>
1854 settings for secure HTTP proxy.
1855 </dd>
1858 <dd>
1860 (optional)
1862 </span>
1863 settings for FTP proxy
1864 </dd>
1867 <dd>
1869 (optional)
1871 </span>
1872 settings for SOCKS proxy.
1873 </dd>
1874 </dl>
1876 <p>
1878 </p>
1882 <dd>
1884 (required)
1886 </span>
1887 Host (or IP address) to use for proxy
1888 </dd>
1891 <dd>
1893 (required)
1895 </span>
1896 Port to use for proxy
1897 </dd>
1898 </dl>
1899 </section>
1901 <section>
1903 <p>
1905 type exists to configure the
1907 following:
1908 </p>
1912 <dd>
1916 otherwise ignored)
1918 </span>
1919 For tunnelling protocols only, this indicates the identity of the user
1920 presented to the outer protocol. This value is subject to string
1921 expansions. If not specified, use empty string.
1922 </dd>
1925 <dd>
1930 </span>
1931 Pattern to use to find the client certificate.
1932 </dd>
1935 <dd>
1940 </span>
1941 Reference to client certificate stored in certificate section.
1942 </dd>
1945 <dd>
1948 </span>
1953 </span>
1954 </dd>
1957 <dd>
1959 (optional)
1961 </span>
1962 Identity of user. For tunneling outer protocols
1966 the EAP identity outside the tunnel. For non-tunneling outer protocols,
1967 this is used for the EAP identity. This value is subject to string
1968 expansions.
1969 </dd>
1972 <dd>
1979 </span>
1986 </span>
1987 For tunneling outer protocols.
1988 </dd>
1991 <dd>
1993 (required)
1995 </span>
2002 </span>
2003 </dd>
2006 <dd>
2008 (optional)
2010 </span>
2011 Password of user. If not specified, defaults to prompting the user.
2012 </dd>
2015 <dd>
2019 </span>
2025 </dd>
2028 <dd>
2030 (optional)
2032 </span>
2033 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
2034 </dd>
2037 <dd>
2039 (optional)
2041 </span>
2043 Reference to a CA certificate in <span class="field">Certificates</span>. If this field is set, <span class="field">ServerCARefs</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
2044 </dd>
2047 <dd>
2051 </span>
2052 Required server certificate to be signed by "system default certificate
2053 authorities". If both <span class="field">ServerCARefs</span> (or <span class="field">ServerCARef</span>)
2055 certificate will be allowed if it either has a chain of trust to a system
2057 is <span class="value">false</span>, and no <span class="field">ServerCARef</span> is set, the certificate
2058 must be a self signed certificate, and no CA signature is required.
2059 </dd>
2062 <dd>
2066 </span>
2067 Indicates whether Proactive Key Caching (also known as Opportunistic
2068 Key Caching) should be used on a per-service basis.
2069 </dd>
2070 </dl>
2074 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
2075 </p>
2076 </section>
2078 <section>
2080 <p>
2085 representing an existing configuration; ONC configuration of
2087 Contains the following fields:
2088 </p>
2092 <dd>
2096 </span>
2097 Indicating that the network should be connected to automatically when
2098 possible.
2099 </dd>
2102 <dd>
2104 (required)
2106 </span>
2107 EAP settings.
2108 </dd>
2111 <dd>
2113 (optional, read-only)
2115 </span>
2117 provided by the system. If the network is not in range this field will
2118 be set to '0' or not present.
2119 </dd>
2120 </dl>
2122 </section>
2124 <section>
2126 <p>
2131 representing an existing configuration; ONC configuration of
2133 Contains the following fields:
2134 </p>
2138 <dd>
2142 </span>
2143 Indicating that the network should be connected to automatically when
2145 takes precedence over autoconnect.
2146 </dd>
2149 <dd>
2152 </span>
2154 GSM carrier for making data connections.
2155 </dd>
2158 <dd>
2161 </span>
2162 List of available APN configurations.
2163 </dd>
2166 <dd>
2169 </span>
2170 Activation type.
2171 </dd>
2174 <dd>
2177 </span>
2178 Carrier account activation state.
2185 </span>
2186 </dd>
2189 <dd>
2192 </span>
2193 Whether cellular data connections are allowed when the device is roaming.
2194 </dd>
2197 <dd>
2200 </span>
2201 The name of the carrier for which the device is configured.
2202 </dd>
2205 <dd>
2208 </span>
2209 The Electronic Serial Number of the cellular modem.
2210 </dd>
2213 <dd>
2216 </span>
2217 Technology family.
2219 Allowed values are
2222 </span>
2223 </dd>
2226 <dd>
2229 </span>
2230 The revision of firmware that is loaded in the modem.
2231 </dd>
2234 <dd>
2238 </span>
2239 The list of cellular netwoks found in the most recent scan operation.
2240 </dd>
2243 <dd>
2246 </span>
2247 The hardware revision of the cellular modem.
2248 </dd>
2251 <dd>
2254 </span>
2255 Description of the operator that issued the SIM card currently installed
2256 in the modem.
2257 </dd>
2260 <dd>
2266 </span>
2267 For GSM / LTE modems, the Integrated Circuit Card Identifer of the SIM
2268 card installed in the device.
2269 </dd>
2272 <dd>
2275 </span>
2276 The International Mobile Equipment Identity of the cellular modem.
2277 </dd>
2280 <dd>
2284 </span>
2285 For GSM modems, the International Mobile Subscriber Identity of the SIM
2286 card installed in the device.
2287 </dd>
2290 <dd>
2293 </span>
2294 The APN information used in the last successful connection attempt.
2295 </dd>
2298 <dd>
2301 </span>
2302 The manufacturer of the cellular modem.
2303 </dd>
2306 <dd>
2309 </span>
2310 The Mobile Directory Number (i.e., phone number) of the device.
2311 </dd>
2314 <dd>
2318 </span>
2319 For CDMA modems, the Mobile Equipment Identifer of the cellular modem.
2320 </dd>
2323 <dd>
2326 </span>
2327 The Mobile Identification Number of the device.
2328 </dd>
2331 <dd>
2334 </span>
2335 The hardware model of the cellular modem.
2336 </dd>
2339 <dd>
2342 </span>
2343 If the modem is registered on a network, then this is set to the
2344 network technology currently in use.
2346 Allowed values are
2357 </span>
2358 </dd>
2361 <dd>
2364 </span>
2365 Properties describing the online payment portal (OLP) at which a user can
2366 sign up for or modify a mobile data plan.
2367 </dd>
2370 <dd>
2373 </span>
2374 The revision of the Preferred Roaming List that is loaded in the modem.
2375 </dd>
2378 <dd>
2381 </span>
2382 The roaming status of the cellular modem on the current network.
2387 </span>
2388 </dd>
2391 <dd>
2395 </span>
2396 Description of the operator on whose network the modem is currently
2397 registered
2398 </dd>
2401 <dd>
2405 </span>
2406 For GSM modems, a dictionary containing two properties describing the
2407 state of the SIM card lock.
2408 </dd>
2411 <dd>
2417 </span>
2418 For GSM or LTE modems, indicates whether a SIM card is present or not.
2419 </dd>
2422 <dd>
2425 </span>
2426 True if the cellular network supports scanning.
2427 </dd>
2430 <dd>
2433 </span>
2434 A list of supported carriers.
2435 </dd>
2437 </dl>
2442 <dd>
2445 </span>
2446 The access point name used when making connections.
2447 </dd>
2450 <dd>
2453 </span>
2454 Description of the APN.
2455 </dd>
2458 <dd>
2461 </span>
2462 Localized description of the APN.
2463 </dd>
2466 <dd>
2469 </span>
2470 Username for making connections if required.
2471 </dd>
2474 <dd>
2477 </span>
2478 Password for making connections if required.
2479 </dd>
2482 <dd>
2484 LocalizedName</span> is provided)
2486 </span>
2487 Two letter language code for Localizedname if provided.
2488 </dd>
2489 </dl>
2494 <dd>
2497 </span>
2498 The availability of the network.
2499 </dd>
2502 <dd>
2505 </span>
2506 The network id in the form MCC/MNC (without the '/').
2507 </dd>
2510 <dd>
2513 </span>
2514 Access technology used by the network,
2516 </dd>
2519 <dd>
2522 </span>
2523 Short-format name of the network operator.
2524 </dd>
2527 <dd>
2530 </span>
2531 Long-format name of the network operator.
2532 </dd>
2533 </dl>
2538 <dd>
2541 </span>
2543 </dd>
2546 <dd>
2551 </span>
2552 The postdata to send.
2553 </dd>
2556 <dd>
2559 </span>
2560 The URL for the portal.
2561 </dd>
2562 </dl>
2567 <dd>
2570 </span>
2571 The operator name.
2572 </dd>
2575 <dd>
2578 </span>
2579 The network id in the form MCC/MNC (without the '/').
2580 </dd>
2583 <dd>
2586 </span>
2587 The two-letter country code.
2588 </dd>
2589 </dl>
2594 <dd>
2597 </span>
2598 Specifies the type of lock in effect, or an empty string if unlocked.
2600 Allowed values are
2603 </span>
2604 </dd>
2607 <dd>
2610 </span>
2611 Indicates whether SIM locking is enabled
2612 </dd>
2615 <dd>
2618 </span>
2621 the number of attempts remaining to supply a correct PIN before the
2622 PIN becomes blocked, at which point a PUK provided by the carrier would
2625 </dd>
2626 </dl>
2628 </section>
2630 <section>
2632 <p>
2633 This format will eventually also cover configuration of Bluetooth and WiFi
2634 Direct network technologies, however they are currently not supported.
2635 </p>
2636 </section>
2638 </section>
2640 <section>
2642 <p>
2643 Certificate data is stored in a separate section. Each certificate may be
2644 referenced from within the NetworkConfigurations array using a certificate
2645 reference. A certificate reference is its GUID.
2646 </p>
2648 <p>
2651 </p>
2653 <p>
2655 </p>
2659 <dd>
2661 (required)
2663 </span>
2664 A unique identifier for this certificate. Must be a non-empty string.
2665 </dd>
2668 <dd>
2673 </span> For certificates with
2674 private keys, this is the base64 encoding of the a PKCS#12 file.
2675 </dd>
2678 <dd>
2682 </span>
2684 should be set).
2685 </dd>
2688 <dd>
2693 [])
2695 </span>
2696 An array of trust flags. Clients should ignore unknown flags. For
2697 backwards compatibility, each flag should only increase the trust and
2699 the certificate is to be trusted for HTTPS SSL identification. A typical
2704 </dd>
2707 <dd>
2712 </span>
2718 </span>
2720 identifying the user or device over HTTPS or for
2722 identifies an HTTPS or VPN/802.1X peer.
2724 certificate authority and any certificates it issues should be
2726 x509 v3 basic constraints or key usage attributes, the
2728 </dd>
2731 <dd>
2737 </span> For certificate
2738 without private keys, this is the X509 certificate in PEM format.
2739 </dd>
2740 </dl>
2742 <p>
2743 The passphrase of the PKCS#12 encoding must be empty. Encryption of key data
2744 should be handled at the level of the entire file, or the transport of the
2745 file.
2746 </p>
2748 <p>
2749 If a global-scoped network connection refers to a user-scoped certificate,
2750 results are undefined, so this configuration should be prohibited by the
2751 configuration editor.
2752 </p>
2753 </section>
2755 </section>
2757 <section>
2759 <p>
2760 We assume that when this format is imported as part of policy that
2761 file-level encryption will not be necessary because the policy transport is
2762 already encrypted, but when it is imported as a standalone file, it is
2763 desirable to encrypt it. Since this file has private information (user
2764 names) and secrets (passphrases and private keys) in it, and we want it to
2765 be usable as a manual way to distribute network configuration, we must
2766 support encryption.
2767 </p>
2769 <p>
2770 For this standalone export, the entire file will be encrypted in a symmetric
2771 fashion with a passphrase stretched using salted PBKDF2 using at least 20000
2773 HMAC on the ciphertext.
2774 </p>
2776 <p>
2777 An encrypted ONC file's top level object will have the
2780 following:
2781 </p>
2785 <dd>
2787 (required)
2789 </span>
2791 is supported.
2792 </dd>
2795 <dd>
2797 (required)
2799 </span>
2800 The raw ciphertext of the encrypted ONC file, base64 encoded.
2801 </dd>
2804 <dd>
2806 (required)
2808 </span>
2809 The HMAC for the ciphertext, base64 encoded.
2810 </dd>
2813 <dd>
2815 (required)
2817 </span>
2818 The method used to compute the Hash-based Message Authentication Code
2820 </dd>
2823 <dd>
2825 (required)
2827 </span>
2828 The salt value used during key stretching.
2829 </dd>
2832 <dd>
2834 (required)
2836 </span>
2837 The key stretching algorithm used. Currently
2839 </dd>
2842 <dd>
2844 (required)
2846 </span>
2847 The number of iterations to use during key stretching.
2848 </dd>
2851 <dd>
2853 (required)
2855 </span>
2856 The initial vector (IV) used for Cyclic Block Cipher (CBC) mode, base64
2857 encoded.
2858 </dd>
2861 <dd>
2863 (required)
2865 </span>
2866 The type of the ONC file, which must be set
2868 </dd>
2869 </dl>
2873 When decrypted, the ciphertext must contain a JSON object of
2875 </p>
2876 </section>
2878 <section>
2880 <p>
2881 The values of some fields, such
2884 expansions. These allow one ONC to have basic user-specific variations.
2885 </p>
2887 <p>
2888 The expansions are:
2889 </p>
2891 <ul>
2892 <li>
2893 ${LOGIN_ID} - expands to the email address of the user, but before the
2894 '@'.
2895 </li>
2896 <li>
2897 ${LOGIN_EMAIL} - expands to the email address of the user.
2898 </li>
2899 </ul>
2901 <p>
2902 The following SED would properly handle resolution.
2903 </p>
2905 <ul>
2906 <li>
2907 s/\$\{LOGIN_ID\}/bobquail$1/g
2908 </li>
2909 <li>
2910 s/\$\{LOGIN_EMAIL\}/bobquail@example.com$1/g
2911 </li>
2912 </ul>
2914 <p>
2915 Example expansions, assuming the user was bobquail@example.com:
2916 </p>
2918 <ul>
2919 <li>
2921 </li>
2922 <li>
2924 </li>
2925 <li>
2927 </li>
2928 <li>
2930 </li>
2931 <li>
2933 </li>
2934 <li>
2936 </li>
2937 </ul>
2938 </section>
2940 <section>
2942 <p>
2943 This format should be sent in files ending in the .onc extension. When
2944 transmitted with a MIME type, the MIME type should be
2945 application/x-onc. These two methods make detection of data to be handled in
2946 this format, especially when encryption is used and the payload itself is
2947 not detectable.
2948 </p>
2949 </section>
2951 </section>
2953 <section>
2955 <p>
2956 For the overall format, we considered XML, ASN.1, and protobufs. JSON and
2957 ASN.1 seem more widely known than protobufs. Since administrators are
2958 likely to want to tweak settings that will not exist in common UIs, we
2959 should provide a format that is well known and human modifiable. ASN.1 is
2960 not human modifiable. Protobufs formats are known by open source developers
2961 but seem less likely to be known by administrators. JSON serialization
2962 seems to have good support across languages.
2963 </p>
2965 <p>
2966 We considered sending the exact connection manager configuration format of
2967 an open source connection manager like connman. There are a few issues
2968 here, for instance, referencing certificates by identifiers not tied to a
2969 particular PKCS#11 token, and tying to one OS's connection manager.
2970 </p>
2971 </section>
2973 <section>
2975 <p>
2976 This format should be sent in files ending in the .onc extension. When
2977 transmitted with a MIME type, the MIME type should be
2978 application/x-onc. These two methods make detection of data to be handled in
2979 this format, especially when encryption is used and the payload itself is
2980 not detectable.
2981 </p>
2982 </section>
2984 <section>
2987 <section>
2990 <pre>
2991 {
2993 "NetworkConfigurations": [
2994 {
2998 "WiFi": {
2999 "AutoConnect": true,
3000 "EAP": {
3002 "UseSystemCAs": true
3003 },
3004 "HiddenSSID": false,
3007 }
3008 }
3009 ],
3010 "Certificates": []
3011 }
3012 </pre>
3014 <p>
3015 Notice that in this case, we do not provide a username and password - we set
3017 time. We could have passed in username and password - but such a file should
3018 be encrypted.
3019 </p>
3020 </section>
3022 <section>
3025 <pre>
3026 {
3028 "NetworkConfigurations": [
3029 {
3033 "WiFi": {
3034 "AutoConnect": false,
3035 "EAP": {
3036 "ClientCertPattern": {
3037 "EnrollmentURI": [
3038 "http://fetch-my-certificate.com"
3039 ],
3040 "IssuerCARef": [
3041 "{6ed8dce9-64c8-d568-d225d7e467e37828}"
3042 ]
3043 },
3047 "UseSystemCAs": true
3048 },
3049 "HiddenSSID": false,
3052 }
3053 }
3054 ],
3055 "Certificates": [
3056 {
3059 "X509": "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw=="
3060 }
3061 ]
3062 }
3063 </pre>
3065 <p>
3066 In this example, the client certificate is not sent in the ONC format, but
3067 rather we send a certificate authority which we know will have signed the
3068 client certificate that is needed, along with an enrollment URI to navigate
3069 to if the required certificate is not yet available on the client.
3070 </p>
3071 </section>
3073 <section>
3076 <p>
3077 In this example a new certificate authority is added to be trusted for HTTPS
3078 server authentication.
3079 </p>
3081 <pre>
3082 {
3084 "NetworkConfigurations": [],
3085 "Certificates": [
3086 {
3090 "X509": "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw=="
3091 }
3092 ]
3093 }
3094 </pre>
3095 </section>
3097 <section>
3100 <p>
3101 In this example a simple wireless network is added, but the file is encrypted
3102 with the passphrase "test0000".
3103 </p>
3105 <pre>
3106 {
3108 "Ciphertext": "eQ9/r6v29/83M745aa0JllEj4lklt3Nfy4kPPvXgjBt1eTByxXB+FnsdvL6Uca5JBU5aROxfiol2+ZZOkxPmUNNIFZj70pkdqOGVe09ncf0aVBDsAa27veGIG8rG/VQTTbAo7d8QaxdNNbZvwQVkdsAXawzPCu7zSh4NF/hDnDbYjbN/JEm1NzvWgEjeOfqnnw3PnGUYCArIaRsKq9uD0a1NccU+16ZSzyDhX724JNrJjsuxohotk5YXsCK0lP7ZXuXj+nSR0aRIETSQ+eqGhrew2octLXq8cXK05s6ZuVAc0mFKPkntSI/fzBACuPi4ZaGd3YEYiKzNOgKJ+qEwgoE39xp0EXMZOZyjMOAtA6e1ZZDQGWG7vKdTLmLKNztHGrXvlZkyEf1RDs10YgkwwLgUhm0yBJ+eqbxO/RiBXz7O2/UVOkkkVcmeI6yh3BdL6HIYsMMygnZa5WRkd/2/EudoqEnjcqUyGsL+YUqV6KRTC0PH+z7zSwvFs2KygrSM7SIAZM2yiQHTQACkA/YCJDwACkkQOBFnRWTWiX0xmN55WMbgrs/wqJ4zGC9LgdAInOBlc3P+76+i7QLaNjMovQ==",
3116 }
3117 </pre>
3118 </section>
3120 </section>
3122 <section>
3125 <p>
3126 The source code for a Chrome packaged app to generate ONC configuration can
3127 be found here:
3128 <a href="https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree">"https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree"</a>
3129 </p>
3130 </section>
3132 <section>
3135 <p>
3136 UIs will need to have internationalization and localizations - the file
3137 format will remain in English.
3138 </p>
3139 </section>
3141 <section>
3144 <p>
3145 Data stored inside of open network configuration files is highly sensitive
3146 to users and enterprises. The file format itself provides adequate
3147 encryption options to allow standalone use-cases to be secure. For automatic
3148 updates sent by policy, the policy transport should be made secure. The file
3149 should not be stored unencrypted on disk as part of policy fetching and
3150 should be cleared from memory after use.
3151 </p>
3152 </section>
3154 <section>
3157 <p>
3158 Similarly to the security considerations, user names will be present in
3159 these files for certain kinds of connections, so any places where the file
3160 is transmitted or saved to disk should be secure. On client device, when
3161 user names for connections that are user-specific are persisted to disk,
3162 they should be stored in a location that is encrypted. Users can also opt in
3163 these cases to not save their user credentials in the config file and will
3164 instead be prompted when they are needed.
3165 </p>
3166 </section>
3167 </section>
3168 </body>
3169 </html>