| blob | b364ab7e448776d78875c1cc4ad5cb8cb27b3fd1 |
2 <html>
3 <head>
8 </head>
9 <body>
17 </section>
19 <section>
21 <p>
22 We would like to create a simple, open, but complete format to describe
23 multiple network configurations for Wi-Fi, Ethernet, Cellular,
24 Bluetooth/WiFi-Direct, and VPN connections in a single file format, in order
25 to simplify and automate network configuration for users.
26 </p>
27 </section>
29 <section>
31 <p>
32 Configuring networks is a painful and error-prone experience for users. It
33 is a problem shared across desktop, laptop, tablet, and phone users of all
34 operating system types. It is exacerbated in business and schools which
35 often have complex network configurations (VPNs and 802.1X networking) that
36 change often and have many connected devices. Configuration of Wi-Fi is
37 still done manually, often by administrators physically standing next to
38 users working on devices. Certificate distribution is particularly painful
39 which often results in admins instead using passphrases to protect networks
40 or using protocols without client certificates that instead use LDAP
41 passwords for authentication. Even after networks are configured, updates to
42 the network configuration require another round of manual changes, and
43 accidental changes by a user or malicious changes by an attacker can break
44 connectivity or make connections less private or secure.
45 </p>
47 <section>
49 <p>
50 We propose a single-file format for network configuration that is
51 human-readable, can describe all of the common kinds of network
52 configurations, supports integrity checking, certificate and key
53 provisioning, and updating. The file can be encrypted with a single
54 passphrase so that upon entering the passphrase the entire configuration is
55 loaded. The format can be described as an open format to enable multiple OS
56 vendors to interoperate and share configuration editors.
57 </p>
59 <p>
60 This format neither supports configuring browser settings nor allows setting
61 other types of system policies.
62 </p>
63 </section>
65 <section>
67 <p>
68 A standalone configuration editor will be created, downloadable as a Chrome
69 app. This editor will allow creating, modifying, and encrypting an open
70 network configuration file in a way that is intuitive for a system
71 administrator.
72 </p>
74 <p>
75 This file format may be delivered to a user and manually imported into a
76 device.
77 </p>
79 <p>
80 This file format may be created by an administrator, stored in a policy
81 repository, and automatically pushed to a device.
82 </p>
83 </section>
85 </section>
87 <section>
89 <p>
90 We use JSON format for the files. The fields in a JSON file are always
91 case-sensitive, so the exact case of the fields in this section must be
92 matched. In addition, the values that are called out as explicit constants
93 must also match the case specified (e.g. WiFi must not be written as wifi,
94 etc.). This document describes a minimum set of required fields and optional
95 fields. Other fields may be created, however, see the
96 implementation-specific fields for guidelines for these fields.
97 </p>
99 <p>
100 The JSON consists of a top level dictionary containing
104 </p>
106 <p>
108 type, see the section on Encrypted Configuration
110 an unencrypted JSON object.
111 </p>
113 <section>
115 <p>
116 This format allows for importing updated network configurations and
117 certificates by providing GUIDs to each network configuration and
118 certificate so they can be modified or even removed in future updates.
119 </p>
121 <p>
122 GUIDs are non-empty strings that are meant to be stable and unique. When
123 they refer to the same entity, they should be the same between ONC files. No
124 two different networks or certificates should have the same GUID, similarly
125 a network and certificate should not have the same GUID. A single ONC file
126 should not contain the same entity twice (with the same GUID). Failing any
127 of these tests indicates the ONC file is not valid.
128 </p>
130 <p>
131 Any GUID referred to in an ONC file must be present in the same ONC file. In
132 particular, it is an error to create a certificate in one ONC file and refer
133 to it in a NetworkConfiguration in another ONC file and not define it there,
134 even if the previous ONC file has been imported.
135 </p>
136 </section>
138 <section>
140 <p>
141 As there are many different kinds of connections and some that are not yet
142 anticipated may require new fields. This format allows arbitrary other
143 fields to be added.
144 </p>
146 <p>
147 Fields and values should follow these general guidelines:
148 </p>
150 <ul>
151 <li>
152 Certificates (with and without keys) should always be placed in the
153 certificate section - specifically certificate contents should not be
154 placed in fields directly. Referring to certificates should be done using
155 a field whose name ends in Ref and whose value is the GUID of the
156 certificate, or if the certificate is not contained in this file, its
157 pattern can be described using a field ending in Pattern of
159 </li>
160 <li>
161 Fields should exist in the most-specific object in the hierarchy and
162 should be named CamelCase style.
163 </li>
164 <li>
165 Booleans and integers should be used directly instead of using a
166 stringified version of the type.
167 </li>
168 </ul>
170 <p>
171 Any editor of network configuration information should allows the user to
172 modify any fields that are implementation-specific. It may not be present
173 directly in the UI but it should be able to import files with such settings
174 and leave preserve these settings on export.
175 </p>
176 </section>
178 <section>
180 <p>
185 following:
186 </p>
190 <dd>
193 </span>)
195 </span>
197 </dd>
200 <dd>
202 (optional)
204 </span>
205 Describes Wi-Fi, Ethernet, VPN, and wireless connections.
206 </dd>
209 <dd>
211 (optional)
213 </span>
215 </dd>
216 </dl>
218 At least one actual configuration field
221 not be considered an error if no such field is present.
223 <section>
225 <p>
229 the following:
230 </p>
234 <dd>
239 </span>
240 Ethernet settings.
241 </dd>
244 <dd>
246 (required)
248 </span>
249 A unique identifier for this network connection, which exists to make it
250 possible to update previously imported configurations. Must be a non-empty
251 string.
252 </dd>
255 <dd>
262 </span>
267 </span>
268 Determines whether the IP Address configuration is statically configured,
270 using DHCP.
271 </dd>
274 <dd>
281 </span>
286 </span>
287 Determines whether the NameServers configuration is statically configured,
289 using DHCP.
290 </dd>
293 <dd>
295 (optional for connected networks, read-only)
297 </span>
298 Array of IPConfig properties associated with this connection.
299 </dd>
302 <dd>
308 </span>
309 Each property set in this IPConfig object overrides the respective
310 parameter received over DHCP.
316 is required.
317 </dd>
320 <dd>
322 (optional for connected networks, read-only)
324 </span>
325 IPConfig property containing the configuration that was received from the
326 DHCP server prior to applying any StaticIPConfig parameters.
327 </dd>
330 <dd>
335 </span>
336 A user-friendly description of this connection. This name will not be used
337 for referencing and may not be unique. Instead it may be used for
338 describing the network to the user.
339 </dd>
342 <dd>
346 </span>
347 If set, remove this network configuration (only GUID should be set).
348 </dd>
351 <dd>
356 </span>
357 Proxy settings for this network
358 </dd>
361 <dd>
366 </span>
367 VPN settings.
368 </dd>
371 <dd>
376 </span>
377 Wi-Fi settings.
378 </dd>
381 <dd>
386 </span>
387 WiMAX settings.
388 </dd>
391 <dd>
396 </span>
397 Cellular settings.
398 </dd>
401 <dd>
406 </span>
412 </span>
413 Indicates which kind of connection this is.
414 </dd>
417 <dd>
419 (optional, read-only)
421 </span>
422 The current connection state for this network, provided by the system.
425 Allowed values are:
429 </span>
430 </dd>
433 <dd>
437 </span>
438 True if a connnected network has limited connectivity to the Internet,
439 e.g. a connection is behind a portal or a cellular network is not
440 activated or requires payment.
441 </dd>
444 <dd>
446 (optional, read-only)
448 </span>
449 True if the system indicates that the network can be connected to without
450 any additional configuration.
451 </dd>
454 <dd>
456 (optional, read-only)
458 </span>
459 The current error state for this network. Error states are provided by
460 the system and are not explicitly defined here. They may or may not be
461 human-readable. This field will be empty or absent if the network is not
462 in an error state.
463 </dd>
466 <dd>
468 (optional, read-only)
470 </span>
471 The MAC address for the network. Only applies to connected non-virtual
473 </dd>
476 <dd>
478 (optional, read-only)
480 </span>
481 Indicates whether the network is configured and how it is configured:
482 <ul>
484 user only, i.e. an unshared configuration.</li>
486 device (e.g laptop), i.e. a shared configuration.</li>
488 policy for the active user.</li>
490 policy for the device.</li>
492 but unconfigured WiFi network.</li>
493 </ul>
496 Allowed values are:
502 </span>
503 </dd>
506 <dd>
508 (optional)
510 </span>
511 Provides a suggested priority value for this network. May be used by the
512 system to determine which network to connect to when multiple configured
513 networks are available (or may be ignored).
514 </dd>
516 </dl>
518 <section>
520 <p>
525 </p>
529 <dd>
531 (optional)
533 </span>
538 </span>
539 </dd>
542 <dd>
547 </span>
548 EAP settings.
549 </dd>
550 </dl>
551 </section>
553 <section>
555 <p>
557 actual IP configuration of a connected network (see
561 </p>
565 <dd>
567 (required)
569 </span>
574 </span>
575 Describes the type of configuration this is.
576 </dd>
579 <dd>
581 (optional)
583 </span>
584 Describes the IPv4 or IPv6 address of a connection, depending on the value
586 routing prefix (i.e. should not end in something like /64).
587 </dd>
590 <dd>
593 ignored.)
595 </span>
599 addresses.
600 </span>
601 Describes the routing prefix.
602 </dd>
605 <dd>
608 ignored.)
610 </span>
611 Describes the gateway address to use for the configuration. Must match
613 specified, DHCP values will be used.
614 </dd>
617 <dd>
619 (optional)
621 </span>
622 Array of addresses to use for name servers. Address format must match that
624 DHCP values will be used.
625 </dd>
628 <dd>
630 (optional)
632 </span>
633 Array of strings to append to names for resolution. Items in this array
636 be used.
637 </dd>
640 <dd>
644 </span>
645 The Web Proxy Auto-Discovery URL for this network as reported over DHCP.
646 </dd>
648 </dl>
649 </section>
651 <section>
653 <p>
658 </p>
662 <dd>
666 </span>
667 Indicaties if ARP polling of default gateway is allowed.
668 When it is allowed, periodic ARP messages will be sent to
669 the default gateway. This is used for monitoring the status
670 of the current connection.
671 </dd>
674 <dd>
678 </span>
679 Indicating that the network should be connected to automatically when in
680 range.
681 </dd>
684 <dd>
690 </span>
691 EAP settings.
692 </dd>
695 <dd>
700 </span>
701 Hex representation of the network's SSID.
702 </dd>
705 <dd>
709 </span>
710 Indicating if the SSID will be broadcast.
711 </dd>
714 <dd>
720 </span>
721 Describes the passphrase for WEP/WPA/WPA2
725 </dd>
728 <dd>
730 (required)
732 </span>
740 </span>
741 </dd>
744 <dd>
747 ignored)
749 </span>
750 Property to access the decoded SSID of a network.<br/>
752 its value will be UTF-8 encoded and the hex representation will be
755 When reading the configuration of a network, both this field and
758 decoded using UTF-8, otherwise an encoding is guessed on a best effort
759 basis.
760 </dd>
763 <dd>
765 (optional, read-only)
767 </span>
769 provided by the system. If the network is not in range this field will
770 be set to '0' or not present.
771 </dd>
772 </dl>
778 are set, the values must be consistent.
779 </span>
780 </span>
781 </section>
783 <section>
785 <p>
786 There are many kinds of VPNs with widely varying configuration options. We
787 offer standard configuration options for a few common configurations at this
788 time, and may add more later. For all others, implementation specific fields
789 should be used.
790 </p>
792 <p>
797 </p>
801 <dd>
805 </span>
806 Indicating that the network should be connected to automatically.
807 </dd>
810 <dd>
812 (optional)
814 </span>
815 Host name or IP address of server to connect to. The only scenario that
816 does not require a host is a VPN that encrypts but does not tunnel
817 traffic. Standalone IPsec (v1 or v2, cert or PSK based -- this is not the
818 same as L2TP over IPsec) is one such setup. For all other types of VPN,
820 </dd>
823 <dd>
829 </span>
830 IPsec layer settings.
831 </dd>
834 <dd>
839 </span>
840 L2TP layer settings.
841 </dd>
844 <dd>
849 </span>
850 OpenVPN settings.
851 </dd>
854 <dd>
856 (required)
858 </span>
864 </span>
865 Type of the VPN.
866 </dd>
867 </dl>
869 <section>
871 <p>
873 </p>
877 <dd>
879 (required)
881 </span>
885 <span class="value">Cert</span>. If <span class="value">Cert</span> is used, <span class="field">ClientCertType</span> and <span class="field">ServerCARefs</span> (or the deprecated <span class="field">ServerCARef</span>) must be set.
886 </span>
887 </dd>
890 <dd>
895 </span>
896 Pattern describing the client certificate.
897 </dd>
900 <dd>
905 </span>
906 Reference to client certificate stored in certificate section.
907 </dd>
910 <dd>
915 </span>
920 </span>
921 </dd>
924 <dd>
927 ignored)
929 </span>
930 Indicating that EAP authentication should be used with the provided
931 parameters.
932 </dd>
935 <dd>
938 ignored)
940 </span>
941 Group name used for machine authentication.
942 </dd>
945 <dd>
947 (required)
949 </span>
950 Version of IKE protocol to use.
951 </dd>
954 <dd>
959 </span>
960 Pre-Shared Key. If not specified, user is prompted at time of
961 connection.
962 </dd>
965 <dd>
971 </span>
973 (PSK) each time they connect.
974 </dd>
977 <dd>
982 </span>
983 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset.
984 </dd>
987 <dd>
992 </span>
994 Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
995 </dd>
998 <dd>
1001 ignored)
1003 </span>
1004 Describing XAUTH credentials. XAUTH is not used if this object is not
1005 present.
1006 </dd>
1007 </dl>
1011 If <span class="field">AuthenticationType</span> is set to <span class="value">Cert</span>, <span class="field">ServerCARefs</span> or <span class="field">ServerCARef</span> must be set.
1012 </p>
1016 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
1017 </p>
1019 <p>
1021 </p>
1025 <dd>
1027 (optional)
1029 </span>
1030 User authentication password. If not specified, user is prompted at time
1031 of connection.
1032 </dd>
1035 <dd>
1039 </span>
1041 each time they connect.
1042 </dd>
1045 <dd>
1047 (optional)
1049 </span>
1050 User identity. This value is subject to string expansions. If not
1051 specified, user is prompted at time of connection.
1052 </dd>
1053 </dl>
1055 <p>
1057 </p>
1061 <dd>
1063 (optional)
1065 </span>
1066 XAUTH password. If not specified, user is prompted at time of
1067 connection.
1068 </dd>
1071 <dd>
1075 </span>
1077 each time they connect.
1078 </dd>
1081 <dd>
1083 (optional)
1085 </span>
1086 XAUTH user name. This value is subject to string expansions. If not
1087 specified, user is prompted at time of connection.
1088 </dd>
1089 </dl>
1091 <section>
1093 <p>
1096 must be 1. Do not use this for L2TP over IPsec. This may be used for
1097 machine-authentication-only IKEv1 or for IKEv1 with XAUTH. See
1099 </p>
1100 </section>
1102 <section>
1104 <p>
1107 must be 2. This may be used with EAP-based user authentication.
1108 </p>
1109 </section>
1111 <section>
1113 <p>
1114 There are two major configurations L2TP over IPsec which depend on how IPsec
1117 </p>
1119 <p>
1120 L2TP over IPsec with pre-shared key:
1121 </p>
1123 <ul>
1125 following settings:
1126 <ul>
1130 </ul>
1131 </li>
1133 </ul>
1134 </section>
1136 </section>
1138 <section>
1140 <p>
1143 </p>
1145 <p>
1147 </p>
1151 <dd>
1155 </span>
1156 </dd>
1159 <dd>
1163 </span>
1169 </span>
1170 Controls how OpenVPN responds to username/password verification
1171 errors:<br> Either fail with error on retry
1175 </dd>
1178 <dd>
1182 </span>
1183 Disable caching of credentials in memory.
1184 </dd>
1187 <dd>
1191 </span>
1192 Cipher to use.
1193 </dd>
1196 <dd>
1201 </span>
1202 Reference to client certificate stored in certificate section.
1203 </dd>
1206 <dd>
1211 </span>
1212 Pattern to use to find the client certificate.
1213 </dd>
1216 <dd>
1218 (required)
1220 </span>
1225 </span>
1227 not require client certificates.
1228 </dd>
1231 <dd>
1235 </span>
1238 </dd>
1241 <dd>
1245 </span>
1246 Disables adaptive compression.
1247 </dd>
1250 <dd>
1254 </span>
1255 Omits a default route to the VPN gateway while the connection is active.
1256 By default, the client creates a default route to the gateway address
1257 advertised by the VPN server. Setting this value to
1259 configurations where the VPN server omits explicit default routes.
1260 This is roughly equivalent to omitting "redirect-gateway" OpenVPN client
1261 configuration option. If the server pushes a "redirect-gateway"
1262 configuration flag to the client, this option is ignored.
1263 </dd>
1266 <dd>
1268 (optional)
1270 </span>
1271 Passed as --key-direction.
1272 </dd>
1275 <dd>
1277 (optional)
1279 </span>
1280 If set, checks peer certificate type. Should only be set
1282 </dd>
1285 <dd>
1290 defaults to empty string)
1292 </span>
1295 and this field is not set, the user will be asked for an OTP.
1296 The OTP is never persisted and must be provided on every connection
1297 attempt.
1298 </dd>
1301 <dd>
1306 defaults to empty string)
1308 </span>
1312 will be asked for a password.
1315 connection attempts. Otherwise it is not persisted but might still be
1316 reused for consecutive connection attempts (opposed to an OTP, which will
1317 never be reused).
1318 </dd>
1321 <dd>
1325 </span>
1326 Port for connecting to server.
1327 </dd>
1330 <dd>
1334 </span>
1335 Protocol for communicating with server.
1336 </dd>
1339 <dd>
1343 </span>
1344 </dd>
1347 <dd>
1349 (optional)
1351 </span>
1352 Require that the peer certificate was signed with this explicit extended
1353 key usage in oid notation.
1354 </dd>
1357 <dd>
1359 (optional, defaults to [])
1361 </span>
1362 Require the given array of key usage numbers. These are strings that are
1363 hex encoded numbers.
1364 </dd>
1367 <dd>
1371 </span>
1376 </span>
1377 Require peer certificate signing based on RFC3280 TLS rules.
1378 </dd>
1381 <dd>
1385 </span>
1386 Renegotiate data channel key after this number of seconds.
1387 </dd>
1390 <dd>
1394 </span>
1396 each time they connect.
1397 </dd>
1400 <dd>
1402 (optional)
1404 </span>
1405 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. See also OpenVPN's command line option "--ca". If this field is set, <span class="field">ServerCARef</span> must be unset.
1406 </dd>
1409 <dd>
1411 (optional)
1413 </span>
1415 Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
1416 </dd>
1419 <dd>
1421 (optional)
1423 </span>
1424 Reference to a certificate. Peer's signed certificate.
1425 </dd>
1428 <dd>
1430 (optional)
1432 </span>
1433 Spend no more than this number of seconds before trying the next server.
1434 </dd>
1437 <dd>
1439 (optional)
1441 </span>
1442 If not specified no bandwidth limiting, otherwise limit bandwidth of
1443 outgoing tunnel data to this number of bytes per second.
1444 </dd>
1447 <dd>
1449 (optional)
1451 </span>
1452 String is used in static challenge response. Note that echoing is always
1453 done.
1454 </dd>
1457 <dd>
1459 (optional)
1461 </span>
1462 If not set, tls auth is not used. If set, this is the TLS Auth key
1463 contents (usually starts with "-----BEGIN OpenVPN Static Key..."
1464 </dd>
1467 <dd>
1469 (optional)
1471 </span>
1472 If set, only allow connections to server hosts with X509 name or common
1473 name equal to this string.
1474 </dd>
1477 <dd>
1481 </span>
1488 </span>
1489 Determines the required form of user authentication:
1490 <ul><li>
1492 and an OTP (possibly empty). Both will be send to the server in the
1493 'password' response using the SCRv1 encoding.
1494 </li><li>
1496 which will be send without modification to the server in the 'password'
1497 response (no CRv1 or SCRv1 encoding).
1498 </li><li>
1500 will be send without modification to the server in the 'password'
1501 response (no CRv1 or SCRv1 encoding).
1502 </li><li>
1504 No password request from the server is expected.
1505 </li></ul>
1506 If not set, the user can provide a password and an OTP (both not
1507 mandatory) and the network manager will send both in the SCRv1 encoding,
1508 when the server sends a static-challenge. If the server does not send a
1509 static-challenge, the client will reply with only the password (without
1510 any encoding). This behavior is deprecated and new configurations should
1511 explicitly set one of the above values.
1515 </dd>
1518 <dd>
1520 (optional)
1522 </span>
1523 OpenVPN user name. This value is subject to string expansions. If not
1524 specified, user is prompted at time of connection.
1525 </dd>
1528 <dd>
1530 (optional)
1532 </span>
1533 Verbosity level, defaults to OpenVpn's default if not specified.
1534 </dd>
1537 <dd>
1539 (optional)
1541 </span>
1542 If set, this value is passed as the "--verify-hash" argument to OpenVPN,
1543 which specifies the SHA1 fingerprint for the level-1 certificate.
1544 </dd>
1547 <dd>
1549 (optional)
1551 </span>
1552 If set, the "--verify-x509-name" argument is passed to OpenVPN with the values of this object and only connections will be accepted if a host's X.509 name is equal to the given name.
1553 </dd>
1554 </dl>
1558 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
1559 </p>
1561 <p>
1563 </p>
1566 <dd>
1568 (required)
1570 </span>
1571 The name that the host's X.509 name is compared to. Which host name is compared depends on the value of <span class="field">Type</span>.
1572 </dd>
1575 <dd>
1577 (optional)
1579 </span>
1580 Determines which of the host's X.509 names will be verified. Allowed values are <span class="value">name</span>, <span class="value">name-prefix</span> and <span class="value">subject</span>. See OpenVPN's documentation for "--verify-x509-name" for the meaning of each value. Defaults to OpenVPN's default if not specified.
1581 </dd>
1582 </dl>
1584 </section>
1586 </section>
1588 <section>
1590 <p>
1591 In order to allow clients to securely key their private keys and request
1592 certificates through PKCS#10 format or through a web flow, we provide
1593 alternative CertificatePattern types. The
1595 </p>
1599 <dd>
1601 (optional)
1603 </span>
1604 Array of references to certificates. At least one must have signed the
1605 client certificate.
1606 </dd>
1609 <dd>
1611 (optional)
1613 </span>
1614 Pattern to match the issuer X.509 settings against. If not specified, the
1615 only checks done will be a signature check against
1617 certificate must match this field exactly to match the pattern.
1618 </dd>
1621 <dd>
1623 (optional)
1625 </span>
1626 Pattern to match the subject X.509 settings against. If not specified, the
1627 subject settings are not checked and any certificate matches. Subject of
1628 the certificate must match this field exactly to match the pattern.
1629 </dd>
1632 <dd>
1634 (optional)
1636 </span>
1637 If no certificate matches this CertificatePattern, the first URI from this
1638 array with a recognized scheme is navigated to, with the intention this
1639 informs the user how to either get the certificate or gets the certificate
1640 for the user. For instance, the array may be [
1641 "chrome-extension://asakgksjssjwwkeielsjs/fetch-client-cert.html",
1642 "http://intra/connecting-to-wireless.html" ] so that for Chrome browsers a
1643 Chrome app or extension is shown to the user, but for other browsers, a
1644 web URL is shown.
1645 </dd>
1646 </dl>
1648 <p>
1650 following:
1651 </p>
1655 <dd>
1657 (optional)
1659 </span>
1660 Certificate subject's commonName must match this string if present.
1661 </dd>
1664 <dd>
1666 (optional)
1668 </span>
1669 Certificate subject's location must match this string if present.
1670 </dd>
1673 <dd>
1675 (optional)
1677 </span>
1678 At least one of certificate subject's organizations must match this string
1679 if present.
1680 </dd>
1683 <dd>
1685 (optional)
1687 </span>
1688 At least one of certificate subject's organizational units must match this
1689 string if present.
1690 </dd>
1691 </dl>
1698 to be valid.
1699 </p>
1701 <p>
1702 For a certificate to be considered matching, it must match all
1703 the fields in the certificate pattern. If multiple certificates match, the
1704 certificate with the latest issue date that is still in the past, and hence
1705 valid, will be used.
1706 </p>
1708 <p>
1710 found to this pattern, the importing tool may show an error to the user.
1711 </p>
1712 </section>
1714 <section>
1716 <p>
1717 Every network can be configured to use a
1719 following:
1720 </p>
1724 <dd>
1726 (required)
1728 </span>
1734 </span>
1737 </dd>
1740 <dd>
1745 </span>
1746 Manual proxy settings.
1747 </dd>
1750 <dd>
1755 </span>
1756 Domains and hosts for which to exclude proxy settings.
1757 </dd>
1760 <dd>
1765 </span>
1766 URL of proxy auto-config file.
1767 </dd>
1768 </dl>
1770 <p>
1772 following:
1773 </p>
1777 <dd>
1779 (optional)
1781 </span>
1782 settings for HTTP proxy.
1783 </dd>
1786 <dd>
1788 (optional)
1790 </span>
1791 settings for secure HTTP proxy.
1792 </dd>
1795 <dd>
1797 (optional)
1799 </span>
1800 settings for FTP proxy
1801 </dd>
1804 <dd>
1806 (optional)
1808 </span>
1809 settings for SOCKS proxy.
1810 </dd>
1811 </dl>
1813 <p>
1815 </p>
1819 <dd>
1821 (required)
1823 </span>
1824 Host (or IP address) to use for proxy
1825 </dd>
1828 <dd>
1830 (required)
1832 </span>
1833 Port to use for proxy
1834 </dd>
1835 </dl>
1836 </section>
1838 <section>
1840 <p>
1842 type exists to configure the
1844 following:
1845 </p>
1849 <dd>
1853 otherwise ignored)
1855 </span>
1856 For tunnelling protocols only, this indicates the identity of the user
1857 presented to the outer protocol. This value is subject to string
1858 expansions. If not specified, use empty string.
1859 </dd>
1862 <dd>
1867 </span>
1868 Pattern to use to find the client certificate.
1869 </dd>
1872 <dd>
1877 </span>
1878 Reference to client certificate stored in certificate section.
1879 </dd>
1882 <dd>
1885 </span>
1890 </span>
1891 </dd>
1894 <dd>
1896 (optional)
1898 </span>
1899 Identity of user. For tunneling outer protocols
1903 the EAP identity outside the tunnel. For non-tunneling outer protocols,
1904 this is used for the EAP identity. This value is subject to string
1905 expansions.
1906 </dd>
1909 <dd>
1916 </span>
1923 </span>
1924 For tunneling outer protocols.
1925 </dd>
1928 <dd>
1930 (required)
1932 </span>
1939 </span>
1940 </dd>
1943 <dd>
1945 (optional)
1947 </span>
1948 Password of user. If not specified, defaults to prompting the user.
1949 </dd>
1952 <dd>
1956 </span>
1962 </dd>
1965 <dd>
1967 (optional)
1969 </span>
1970 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
1971 </dd>
1974 <dd>
1976 (optional)
1978 </span>
1980 Reference to a CA certificate in <span class="field">Certificates</span>. If this field is set, <span class="field">ServerCARefs</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
1981 </dd>
1984 <dd>
1988 </span>
1989 Required server certificate to be signed by "system default certificate
1990 authorities". If both <span class="field">ServerCARefs</span> (or <span class="field">ServerCARef</span>)
1992 certificate will be allowed if it either has a chain of trust to a system
1994 is <span class="value">false</span>, and no <span class="field">ServerCARef</span> is set, the certificate
1995 must be a self signed certificate, and no CA signature is required.
1996 </dd>
1997 </dl>
2001 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
2002 </p>
2003 </section>
2005 <section>
2007 <p>
2012 representing an existing configuration; ONC configuration of
2014 Contains the following fields:
2015 </p>
2019 <dd>
2023 </span>
2024 Indicating that the network should be connected to automatically when
2025 possible.
2026 </dd>
2029 <dd>
2031 (required)
2033 </span>
2034 EAP settings.
2035 </dd>
2038 <dd>
2040 (optional, read-only)
2042 </span>
2044 provided by the system. If the network is not in range this field will
2045 be set to '0' or not present.
2046 </dd>
2047 </dl>
2049 </section>
2051 <section>
2053 <p>
2058 representing an existing configuration; ONC configuration of
2060 Contains the following fields:
2061 </p>
2065 <dd>
2069 </span>
2070 Indicating that the network should be connected to automatically when
2072 takes precedence over autoconnect.
2073 </dd>
2076 <dd>
2079 </span>
2081 GSM carrier for making data connections.
2082 </dd>
2085 <dd>
2088 </span>
2089 List of available APN configurations.
2090 </dd>
2093 <dd>
2096 </span>
2097 Activation type.
2098 </dd>
2101 <dd>
2104 </span>
2105 Carrier account activation state.
2112 </span>
2113 </dd>
2116 <dd>
2119 </span>
2120 Whether cellular data connections are allowed when the device is roaming.
2121 </dd>
2124 <dd>
2127 </span>
2128 The name of the carrier for which the device is configured.
2129 </dd>
2132 <dd>
2135 </span>
2136 The Electronic Serial Number of the cellular modem.
2137 </dd>
2140 <dd>
2143 </span>
2144 Technology family.
2146 Allowed values are
2149 </span>
2150 </dd>
2153 <dd>
2156 </span>
2157 The revision of firmware that is loaded in the modem.
2158 </dd>
2161 <dd>
2165 </span>
2166 The list of cellular netwoks found in the most recent scan operation.
2167 </dd>
2170 <dd>
2173 </span>
2174 The hardware revision of the cellular modem.
2175 </dd>
2178 <dd>
2181 </span>
2182 Description of the operator that issued the SIM card currently installed
2183 in the modem.
2184 </dd>
2187 <dd>
2193 </span>
2194 For GSM / LTE modems, the Integrated Circuit Card Identifer of the SIM
2195 card installed in the device.
2196 </dd>
2199 <dd>
2202 </span>
2203 The International Mobile Equipment Identity of the cellular modem.
2204 </dd>
2207 <dd>
2211 </span>
2212 For GSM modems, the International Mobile Subscriber Identity of the SIM
2213 card installed in the device.
2214 </dd>
2217 <dd>
2220 </span>
2221 The APN information used in the last successful connection attempt.
2222 </dd>
2225 <dd>
2228 </span>
2229 The manufacturer of the cellular modem.
2230 </dd>
2233 <dd>
2236 </span>
2237 The Mobile Directory Number (i.e., phone number) of the device.
2238 </dd>
2241 <dd>
2245 </span>
2246 For CDMA modems, the Mobile Equipment Identifer of the cellular modem.
2247 </dd>
2250 <dd>
2253 </span>
2254 The Mobile Identification Number of the device.
2255 </dd>
2258 <dd>
2261 </span>
2262 The hardware model of the cellular modem.
2263 </dd>
2266 <dd>
2269 </span>
2270 If the modem is registered on a network, then this is set to the
2271 network technology currently in use.
2273 Allowed values are
2279 </span>
2280 </dd>
2283 <dd>
2286 </span>
2287 The revision of the Preferred Roaming List that is loaded in the modem.
2288 </dd>
2291 <dd>
2294 </span>
2295 The roaming status of the cellular modem on the current network.
2300 </span>
2301 </dd>
2304 <dd>
2308 </span>
2309 Description of the operator on whose network the modem is currently
2310 registered
2311 </dd>
2314 <dd>
2318 </span>
2319 For GSM modems, a dictionary containing two properties describing the
2320 state of the SIM card lock.
2321 </dd>
2324 <dd>
2330 </span>
2331 For GSM or LTE modems, indicates whether a SIM card is present or not.
2332 </dd>
2335 <dd>
2338 </span>
2339 True if the cellular network supports scanning.
2340 </dd>
2343 <dd>
2346 </span>
2347 A list of supported carriers.
2348 </dd>
2350 </dl>
2355 <dd>
2358 </span>
2359 The access point name used when making connections.
2360 </dd>
2363 <dd>
2366 </span>
2367 Description of the APN.
2368 </dd>
2371 <dd>
2374 </span>
2375 Localized description of the APN.
2376 </dd>
2379 <dd>
2382 </span>
2383 Username for making connections if required.
2384 </dd>
2387 <dd>
2390 </span>
2391 Password for making connections if required.
2392 </dd>
2395 <dd>
2397 LocalizedName</span> is provided)
2399 </span>
2400 Two letter language code for Localizedname if provided.
2401 </dd>
2402 </dl>
2407 <dd>
2410 </span>
2411 The availability of the network.
2412 </dd>
2415 <dd>
2418 </span>
2419 The network id in the form MCC/MNC (without the '/').
2420 </dd>
2423 <dd>
2426 </span>
2427 Access technology used by the network,
2429 </dd>
2432 <dd>
2435 </span>
2436 Short-format name of the network operator.
2437 </dd>
2440 <dd>
2443 </span>
2444 Long-format name of the network operator.
2445 </dd>
2446 </dl>
2451 <dd>
2454 </span>
2455 The operator name.
2456 </dd>
2459 <dd>
2462 </span>
2463 The network id in the form MCC/MNC (without the '/').
2464 </dd>
2467 <dd>
2470 </span>
2471 The two-letter country code.
2472 </dd>
2473 </dl>
2478 <dd>
2481 </span>
2482 Specifies the type of lock in effect, or an empty string if unlocked.
2484 Allowed values are
2487 </span>
2488 </dd>
2491 <dd>
2494 </span>
2495 Indicates whether SIM locking is enabled
2496 </dd>
2499 <dd>
2502 </span>
2505 the number of attempts remaining to supply a correct PIN before the
2506 PIN becomes blocked, at which point a PUK provided by the carrier would
2509 </dd>
2510 </dl>
2512 </section>
2514 <section>
2516 <p>
2517 This format will eventually also cover configuration of Bluetooth and Wi-Fi
2518 Direct network technologies, however they are currently not supported.
2519 </p>
2520 </section>
2522 </section>
2524 <section>
2526 <p>
2527 Certificate data is stored in a separate section. Each certificate may be
2528 referenced from within the NetworkConfigurations array using a certificate
2529 reference. A certificate reference is its GUID.
2530 </p>
2532 <p>
2535 </p>
2537 <p>
2539 </p>
2543 <dd>
2545 (required)
2547 </span>
2548 A unique identifier for this certificate. Must be a non-empty string.
2549 </dd>
2552 <dd>
2557 </span> For certificates with
2558 private keys, this is the base64 encoding of the a PKCS#12 file.
2559 </dd>
2562 <dd>
2566 </span>
2568 should be set).
2569 </dd>
2572 <dd>
2577 [])
2579 </span>
2580 An array of trust flags. Clients should ignore unknown flags. For
2581 backwards compatibility, each flag should only increase the trust and
2583 the certificate is to be trusted for HTTPS SSL identification. A typical
2588 </dd>
2591 <dd>
2596 </span>
2602 </span>
2604 identifying the user or device over HTTPS or for
2606 identifies an HTTPS or VPN/802.1X peer.
2608 certificate authority and any certificates it issues should be
2610 x509 v3 basic constraints or key usage attributes, the
2612 </dd>
2615 <dd>
2621 </span> For certificate
2622 without private keys, this is the X509 certificate in PEM format.
2623 </dd>
2624 </dl>
2626 <p>
2627 The passphrase of the PKCS#12 encoding must be empty. Encryption of key data
2628 should be handled at the level of the entire file, or the transport of the
2629 file.
2630 </p>
2632 <p>
2633 If a global-scoped network connection refers to a user-scoped certificate,
2634 results are undefined, so this configuration should be prohibited by the
2635 configuration editor.
2636 </p>
2637 </section>
2639 </section>
2641 <section>
2643 <p>
2644 We assume that when this format is imported as part of policy that
2645 file-level encryption will not be necessary because the policy transport is
2646 already encrypted, but when it is imported as a standalone file, it is
2647 desirable to encrypt it. Since this file has private information (user
2648 names) and secrets (passphrases and private keys) in it, and we want it to
2649 be usable as a manual way to distribute network configuration, we must
2650 support encryption.
2651 </p>
2653 <p>
2654 For this standalone export, the entire file will be encrypted in a symmetric
2655 fashion with a passphrase stretched using salted PBKDF2 using at least 20000
2657 HMAC on the ciphertext.
2658 </p>
2660 <p>
2661 An encrypted ONC file's top level object will have the
2664 following:
2665 </p>
2669 <dd>
2671 (required)
2673 </span>
2675 is supported.
2676 </dd>
2679 <dd>
2681 (required)
2683 </span>
2684 The raw ciphertext of the encrypted ONC file, base64 encoded.
2685 </dd>
2688 <dd>
2690 (required)
2692 </span>
2693 The HMAC for the ciphertext, base64 encoded.
2694 </dd>
2697 <dd>
2699 (required)
2701 </span>
2702 The method used to compute the Hash-based Message Authentication Code
2704 </dd>
2707 <dd>
2709 (required)
2711 </span>
2712 The salt value used during key stretching.
2713 </dd>
2716 <dd>
2718 (required)
2720 </span>
2721 The key stretching algorithm used. Currently
2723 </dd>
2726 <dd>
2728 (required)
2730 </span>
2731 The number of iterations to use during key stretching.
2732 </dd>
2735 <dd>
2737 (required)
2739 </span>
2740 The initial vector (IV) used for Cyclic Block Cipher (CBC) mode, base64
2741 encoded.
2742 </dd>
2745 <dd>
2747 (required)
2749 </span>
2750 The type of the ONC file, which must be set
2752 </dd>
2753 </dl>
2757 When decrypted, the ciphertext must contain a JSON object of
2759 </p>
2760 </section>
2762 <section>
2764 <p>
2765 The values of some fields, such
2768 expansions. These allow one ONC to have basic user-specific variations.
2769 </p>
2771 <p>
2772 The expansions are:
2773 </p>
2775 <ul>
2776 <li>
2777 ${LOGIN_ID} - expands to the email address of the user, but before the
2778 '@'.
2779 </li>
2780 <li>
2781 ${LOGIN_EMAIL} - expands to the email address of the user.
2782 </li>
2783 </ul>
2785 <p>
2786 The following SED would properly handle resolution.
2787 </p>
2789 <ul>
2790 <li>
2791 s/\$\{LOGIN_ID\}/bobquail$1/g
2792 </li>
2793 <li>
2794 s/\$\{LOGIN_EMAIL\}/bobquail@example.com$1/g
2795 </li>
2796 </ul>
2798 <p>
2799 Example expansions, assuming the user was bobquail@example.com:
2800 </p>
2802 <ul>
2803 <li>
2805 </li>
2806 <li>
2808 </li>
2809 <li>
2811 </li>
2812 <li>
2814 </li>
2815 <li>
2817 </li>
2818 <li>
2820 </li>
2821 </ul>
2822 </section>
2824 <section>
2826 <p>
2827 This format should be sent in files ending in the .onc extension. When
2828 transmitted with a MIME type, the MIME type should be
2829 application/x-onc. These two methods make detection of data to be handled in
2830 this format, especially when encryption is used and the payload itself is
2831 not detectable.
2832 </p>
2833 </section>
2835 </section>
2837 <section>
2839 <p>
2840 For the overall format, we considered XML, ASN.1, and protobufs. JSON and
2841 ASN.1 seem more widely known than protobufs. Since administrators are
2842 likely to want to tweak settings that will not exist in common UIs, we
2843 should provide a format that is well known and human modifiable. ASN.1 is
2844 not human modifiable. Protobufs formats are known by open source developers
2845 but seem less likely to be known by administrators. JSON serialization
2846 seems to have good support across languages.
2847 </p>
2849 <p>
2850 We considered sending the exact connection manager configuration format of
2851 an open source connection manager like connman. There are a few issues
2852 here, for instance, referencing certificates by identifiers not tied to a
2853 particular PKCS#11 token, and tying to one OS's connection manager.
2854 </p>
2855 </section>
2857 <section>
2859 <p>
2860 This format should be sent in files ending in the .onc extension. When
2861 transmitted with a MIME type, the MIME type should be
2862 application/x-onc. These two methods make detection of data to be handled in
2863 this format, especially when encryption is used and the payload itself is
2864 not detectable.
2865 </p>
2866 </section>
2868 <section>
2871 <section>
2874 <pre>
2875 {
2877 "NetworkConfigurations": [
2878 {
2882 "WiFi": {
2883 "AutoConnect": true,
2884 "EAP": {
2886 "UseSystemCAs": true
2887 },
2888 "HiddenSSID": false,
2891 }
2892 }
2893 ],
2894 "Certificates": []
2895 }
2896 </pre>
2898 <p>
2899 Notice that in this case, we do not provide a username and password - we set
2901 time. We could have passed in username and password - but such a file should
2902 be encrypted.
2903 </p>
2904 </section>
2906 <section>
2909 <pre>
2910 {
2912 "NetworkConfigurations": [
2913 {
2917 "WiFi": {
2918 "AutoConnect": false,
2919 "EAP": {
2920 "ClientCertPattern": {
2921 "EnrollmentURI": [
2922 "http://fetch-my-certificate.com"
2923 ],
2924 "IssuerCARef": [
2925 "{6ed8dce9-64c8-d568-d225d7e467e37828}"
2926 ]
2927 },
2931 "UseSystemCAs": true
2932 },
2933 "HiddenSSID": false,
2936 }
2937 }
2938 ],
2939 "Certificates": [
2940 {
2943 "X509": "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw=="
2944 }
2945 ]
2946 }
2947 </pre>
2949 <p>
2950 In this example, the client certificate is not sent in the ONC format, but
2951 rather we send a certificate authority which we know will have signed the
2952 client certificate that is needed, along with an enrollment URI to navigate
2953 to if the required certificate is not yet available on the client.
2954 </p>
2955 </section>
2957 <section>
2960 <p>
2961 In this example a new certificate authority is added to be trusted for HTTPS
2962 server authentication.
2963 </p>
2965 <pre>
2966 {
2968 "NetworkConfigurations": [],
2969 "Certificates": [
2970 {
2974 "X509": "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw=="
2975 }
2976 ]
2977 }
2978 </pre>
2979 </section>
2981 <section>
2984 <p>
2985 In this example a simple wireless network is added, but the file is encrypted
2986 with the passphrase "test0000".
2987 </p>
2989 <pre>
2990 {
2992 "Ciphertext": "eQ9/r6v29/83M745aa0JllEj4lklt3Nfy4kPPvXgjBt1eTByxXB+FnsdvL6Uca5JBU5aROxfiol2+ZZOkxPmUNNIFZj70pkdqOGVe09ncf0aVBDsAa27veGIG8rG/VQTTbAo7d8QaxdNNbZvwQVkdsAXawzPCu7zSh4NF/hDnDbYjbN/JEm1NzvWgEjeOfqnnw3PnGUYCArIaRsKq9uD0a1NccU+16ZSzyDhX724JNrJjsuxohotk5YXsCK0lP7ZXuXj+nSR0aRIETSQ+eqGhrew2octLXq8cXK05s6ZuVAc0mFKPkntSI/fzBACuPi4ZaGd3YEYiKzNOgKJ+qEwgoE39xp0EXMZOZyjMOAtA6e1ZZDQGWG7vKdTLmLKNztHGrXvlZkyEf1RDs10YgkwwLgUhm0yBJ+eqbxO/RiBXz7O2/UVOkkkVcmeI6yh3BdL6HIYsMMygnZa5WRkd/2/EudoqEnjcqUyGsL+YUqV6KRTC0PH+z7zSwvFs2KygrSM7SIAZM2yiQHTQACkA/YCJDwACkkQOBFnRWTWiX0xmN55WMbgrs/wqJ4zGC9LgdAInOBlc3P+76+i7QLaNjMovQ==",
3000 }
3001 </pre>
3002 </section>
3004 </section>
3006 <section>
3009 <p>
3010 The source code for a Chrome packaged app to generate ONC configuration can
3011 be found here:
3012 <a href="https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree">"https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree"</a>
3013 </p>
3014 </section>
3016 <section>
3019 <p>
3020 UIs will need to have internationalization and localizations - the file
3021 format will remain in English.
3022 </p>
3023 </section>
3025 <section>
3028 <p>
3029 Data stored inside of open network configuration files is highly sensitive
3030 to users and enterprises. The file format itself provides adequate
3031 encryption options to allow standalone use-cases to be secure. For automatic
3032 updates sent by policy, the policy transport should be made secure. The file
3033 should not be stored unencrypted on disk as part of policy fetching and
3034 should be cleared from memory after use.
3035 </p>
3036 </section>
3038 <section>
3041 <p>
3042 Similarly to the security considerations, user names will be present in
3043 these files for certain kinds of connections, so any places where the file
3044 is transmitted or saved to disk should be secure. On client device, when
3045 user names for connections that are user-specific are persisted to disk,
3046 they should be stored in a location that is encrypted. Users can also opt in
3047 these cases to not save their user credentials in the config file and will
3048 instead be prompted when they are needed.
3049 </p>
3050 </section>
3051 </section>
3052 </body>
3053 </html>