chromeos/docs/onc_spec.html - Issue 11602010: Initial commit of the ONC spec in HTML.

Unified Diff: chromeos/docs/onc_spec.html

Issue 11602010: Initial commit of the ONC spec in HTML. (Closed) Base URL: http://git.chromium.org/chromium/src.git@master

Patch Set: Added license headers. Created 8 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chromeos/docs/onc_spec.html

diff --git a/chromeos/docs/onc_spec.html b/chromeos/docs/onc_spec.html

new file mode 100644

index 0000000000000000000000000000000000000000..40bcb54661af21acd6bb4c973683ebdca0ca5ab6

--- /dev/null

+++ b/chromeos/docs/onc_spec.html

@@ -0,0 +1,2020 @@

+<!DOCTYPE html>

+<html>

+<head>

+ <meta charset="utf-8">

+ <link rel="stylesheet" href="onc_spec.css" >

+ <script src="onc_spec.js"></script>

+ <title>Open Network Configuration Format</title>

+</head>

+<body>

+<section id="root" class="not_in_toc">

+ <h1>Open Network Configuration Format</h1>

+<section class="not_in_toc">

+ <h1>Outline</h1>

+ <div id="outline"></div>

+</section>

+<section>

+ <h1>Objective</h1>

+

+ We would like to create a simple, open, but complete format to describe

+ multiple network configurations for Wi-Fi, Ethernet, Cellular,

+ Bluetooth/WiFi-Direct, and VPN connections in a single file format, in order

+ to simplify and automate network configuration for users.

+

+</section>

+<section>

+ <h1>Background</h1>

+

+ Configuring networks is a painful and error-prone experience for users. It

+ is a problem shared across desktop, laptop, tablet, and phone users of all

+ operating system types. It is exacerbated in business and schools which

+ often have complex network configurations (VPNs and 802.1X networking) that

+ change often and have many connected devices. Configuration of Wi-Fi is

+ still done manually, often by administrators physically standing next to

+ users working on devices. Certificate distribution is particularly painful

+ which often results in admins instead using passphrases to protect networks

+ or using protocols without client certificates that instead use LDAP

+ passwords for authentication. Even after networks are configured, updates to

+ the network configuration require another round of manual changes, and

+ accidental changes by a user or malicious changes by an attacker can break

+ connectivity or make connections less private or secure.

+

+<section>

+ <h1>Overview</h1>

+

+ We propose a single-file format for network configuration that is

+ human-readable, can describe all of the common kinds of network

+ configurations, supports integrity checking, certificate and key

+ provisioning, and updating. The file can be encrypted with a single

+ passphrase so that upon entering the passphrase the entire configuration is

+ loaded. The format can be described as an open format to enable multiple OS

+ vendors to interoperate and share configuration editors.

+

+

+ This format neither supports configuring browser settings nor allows setting

+ other types of system policies.

+

+</section>

+<section>

+ <h1>Infrastructure</h1>

+

+ A standalone configuration editor will be created, downloadable as a Chrome

+ app. This editor will allow creating, modifying, and encrypting an open

+ network configuration file in a way that is intuitive for a system

+ administrator.

+

+

+ This file format may be delivered to a user and manually imported into a

+ device.

+

+

+ This file format may be created by an administrator, stored in a policy

+ repository, and automatically pushed to a device.

+

+</section>

+<section>

+ <h1>Detailed Design</h1>

+

+ We use JSON format for the files. The fields in a JSON file are always

+ case-sensitive, so the exact case of the fields in this section must be

+ matched. In addition, the values that are called out as explicit constants

+ must also match the case specified (e.g. WiFi must not be written as wifi,

+ etc.). This document describes a minimum set of required fields and optional

+ fields. Other fields may be created, however, see the

+ implementation-specific fields for guidelines for these fields.

+

+

+ The JSON consists of a top level dictionary containing

+ a Type field which must have either the

+ value EncryptedConfiguration

+ or UnencryptedConfiguration.

+

+

+ For a description of the EncryptedConfiguration

+ type, see the section on Encrypted Configuration

+ below. The EncryptedConfiguration format encrypts

+ an unencrypted JSON object.

+

+<section>

+ <h1>GUIDs and Updating</h1>

+

+ This format allows for importing updated network configurations and

+ certificates by providing GUIDs to each network configuration and

+ certificate so they can be modified or even removed in future updates.

+

+

+ GUIDs are meant to be stable and unique. When they refer to the same entity,

+ they should be the same between ONC files. No two different networks or

+ certificates should have the same GUID, similarly a network and certificate

+ should not have the same GUID. A single ONC file should not contain the same

+ entity twice (with the same GUID). Failing any of these tests indicates the

+ ONC file is not valid.

+

+

+ Any GUID referred to in an ONC file must be present in the same ONC file. In

+ particular, it is an error to create a certificate in one ONC file and refer

+ to it in a NetworkConfiguration in another ONC file and not define it there,

+ even if the previous ONC file has been imported.

+

+</section>

+<section>

+ <h1>Implementation-specific fields</h1>

+

+ As there are many different kinds of connections and some that are not yet

+ anticipated may require new fields. This format allows arbitrary other

+ fields to be added.

+

+

+ Fields and values should follow these general guidelines:

+

+ <ul>

+ <li>

+ Certificates (with and without keys) should always be placed in the

+ certificate section - specifically certificate contents should not be

+ placed in fields directly. Referring to certificates should be done using

+ a field whose name ends in Ref and whose value is the GUID of the

+ certificate, or if the certificate is not contained in this file, its

+ pattern can be described using a field ending in Pattern of

+ CertificatePattern type.

+ </li>

+ <li>

+ Fields should exist in the most-specific object in the hierarchy and

+ should be named CamelCase style.

+ </li>

+ <li>

+ Booleans and integers should be used directly instead of using a

+ stringified version of the type.

+ </li>

+ </ul>

+

+ Any editor of network configuration information should allows the user to

+ modify any fields that are implementation-specific. It may not be present

+ directly in the UI but it should be able to import files with such settings

+ and leave preserve these settings on export.

+

+</section>

+<section>

+ <h1>Unencrypted Configuration</h1>

+

+ When the top level Type field

+ is UnencryptedConfiguration, the top level JSON

+ has the UnencryptedConfiguration

+ type. UnencryptedConfiguration type contains the

+ following:

+

+ <dl class="field_list">

+ <dt class="field">Type</dt>

+ <dd>

+

+ (required)

+ string

+

+ Must be UnencryptedConfiguration.

+ </dd>

+ <dt class="field">NetworkConfigurations</dt>

+ <dd>

+

+ (optional)

+ array of NetworkConfiguration

+

+ Describes Wi-Fi, Ethernet, VPN, and wireless connections.

+ </dd>

+ <dt class="field">Certificates</dt>

+ <dd>

+

+ (optional)

+ array of Certificate

+

+ Contains certificates stored in X.509 or PKCS#12 format.

+ </dd>

+ </dl>

+

+ At least one array (either NetworkConfigurations

+ and/or Certificates) must be present.

+

+<section>

+ <h1>Network Configuration</h1>

+

+ Field NetworkConfigurations is an array

+ of NetworkConfiguration typed

+ objects. The NetworkConfiguration type contains

+ the following:

+

+ <dl class="field_list">

+ <dt class="field">Ethernet</dt>

+ <dd>

+

+ (required if Type

+ is Ethernet)

+ Ethernet

+

+ Ethernet settings.

+ </dd>

+ <dt class="field">GUID</dt>

+ <dd>

+

+ (required)

+ string

+

+ a unique identifier for this network connection, which exists to make it

+ possible to update previously imported configurations

+ </dd>

+ <dt class="field">IPConfigs</dt>

+ <dd>

+

+ (optional)

+ array of IPConfig

+

+ Static IPv4 or IPv6 parameters to associate with this connection.

+ </dd>

+ <dt class="field">Name</dt>

+ <dd>

+

+ (required if Remove is

+ false)

+ string

+

+ A user-friendly description of this connection. This name will not be used

+ for referencing and may not be unique. Instead it may be used for

+ describing the network to the user.

+ </dd>

+ <dt class="field">Remove</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ If set, remove this network configuration (only GUID should be set).

+ </dd>

+ <dt class="field">ProxySettings</dt>

+ <dd>

+

+ (optional) ProxySettings

+

+ Proxy settings for this network

+ </dd>

+ <dt class="field">NameServers</dt>

+ <dd>

+

+ (optional)

+ array of string

+

+ Array of addresses to use for name servers. If not specified, DHCP values

+ will be used.

+ </dd>

+ <dt class="field">SearchDomains</dt>

+ <dd>

+

+ (optional)

+ array of string

+

+ Array of strings to append to names for resolution. Items in this array

+ should not start with a

+ dot. Example: ["corp.acme.org", "acme.org"]. If

+ not specified, DHCP values will be used.

+ </dd>

+ <dt class="field">VPN</dt>

+ <dd>

+

+ (required if Type is

+ VPN)

+ VPN

+

+ VPN settings.

+ </dd>

+ <dt class="field">WiFi</dt>

+ <dd>

+

+ (required if Type is WiFi)

+ WiFi

+

+ Wi-Fi settings.

+ </dd>

+ <dt class="field">Type</dt>

+ <dd>

+

+ (required if Remove

+ is false)

+ string

+

+ Indicates which kind of connection this is. Must be one

+ of Cellular, Ethernet,

+ WiFi, or VPN.

+ If Remove is true,

+ this field should not be present nor should any that depends on it

+ (Ethernet, VPN,

+ WiFi, etc).

+ </dd>

+ </dl>

+<section>

+ <h1>Ethernet networks</h1>

+

+ For Ethernet connections, Type must be set to

+ Ethernet and the

+ field Ethernet must be set to an object of

+ type Ethernet containing the following fields:

+

+ <dl class="field_list">

+ <dt class="field">Authentication</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Either None

+ or 8021X.

+ </dd>

+ <dt class="field">EAP</dt>

+ <dd>

+

+ (required if Authentication

+ is 8021X)

+ EAP

+

+ EAP settings.

+ </dd>

+ </dl>

+</section>

+<section>

+ <h1>IP Config</h1>

+

+ Field IPConfigs is an array

+ of IPConfig

+ objects. Each IPConfig object describes a

+ particular static IP configuration and contains the following fields:

+

+ <dl class="field_list">

+ <dt class="field">Type</dt>

+ <dd>

+

+ (required)

+ string

+

+ Must be either IPv4

+ or IPv6, describing the type of configuration

+ this is.

+ </dd>

+ <dt class="field">IPAddress</dt>

+ <dd>

+

+ (required)

+ string

+

+ Describes the IPv4 or IPv6 address of a connection, depending on the value

+ of Type field. It should not contain the

+ routing prefix (i.e. should not end in something like /64).

+ </dd>

+ <dt class="field">RoutingPrefix</dt>

+ <dd>

+

+ (required)

+ integer

+

+ Describes the routing prefix. This is a number in the range [1, 32] for

+ IPv4 and [1, 128] for IPv6 addresses.

+ </dd>

+ <dt class="field">Gateway</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Describes the gateway address to use for the configuration. Must match

+ address type specified in

+ Type field. If not specified, DHCP values will

+ be used. </dd>

+ <dt class="field">NameServers</dt>

+ <dd>

+

+ (optional)

+ array of string

+

+ Array of addresses to use for name servers. Address format must match that

+ specified in the Type field. Overrides values

+ in the top level NameServers field for this configuration. If not

+ specified, top level values will be used.

+ </dd>

+ <dt class="field">SearchDomains</dt>

+ <dd>

+

+ (optional)

+ array of string

+

+ Array of strings to append to names for resolution. Items in this array

+ should not start with a dot. Example: [

+ "corp.acme.org", "acme.org" ]. Overrides values in the top level

+ SearchDomains field for this configuration. If not specified, top level

+ values will be used.

+ </dd>

+ </dl>

+</section>

+<section>

+ <h1>Wi-Fi networks</h1>

+

+ For Wi-Fi connections, Type must be set to

+ WiFi and the

+ field WiFi must be set to an object of

+ type WiFi containing the following fields:

+

+ <dl class="field_list">

+ <dt class="field">AutoConnect</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ Indicating network should be connected when in range.

+ </dd>

+ <dt class="field">EAP</dt>

+ <dd>

+

+ (required if Security

+ is WEP-8021X

+ or WPA-EAP)

+ EAP

+

+ EAP settings.

+ </dd>

+ <dt class="field">HiddenSSID</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ Indicating if the SSID will be broadcast.

+ </dd>

+ <dt class="field">Passphrase</dt>

+ <dd>

+

+ (required if Security

+ is WEP-PSK

+ or WPA-PSK)

+ string

+

+ Describes the passphrase for WEP/WPA/WPA2

+ connections. If WEP-PSK is used, the passphrase

+ must be of the format 0x<hex-number>, where <hex-number> is

+ 40, 104, 128, or 232 bits.

+ </dd>

+ <dt class="field">Security</dt>

+ <dd>

+

+ (required)

+ string

+

+ One of None, WEP-PSK,

+ WEP-8021X, WPA-PSK,

+ WPA-EAP.

+ </dd>

+ <dt class="field">SSID</dt>

+ <dd>

+

+ (required)

+ string

+

+ SSID of the network.

+ </dd>

+ </dl>

+</section>

+<section>

+ <h1>VPN networks</h1>

+

+ There are many kinds of VPNs with widely varying configuration options. We

+ offer standard configuration options for a few common configurations at this

+ time, and may add more later. For all others, implementation specific fields

+ should be used.

+

+

+ For VPN connections, Type must be set

+ to VPN and the

+ field VPN must be set to an object of

+ type VPN containing the following fields:

+

+ <dl class="field_list">

+ <dt class="field">Host</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Host name or IP address of server to connect to. The only scenario that

+ does not require a host is a VPN that encrypts but does not tunnel

+ traffic. Standalone IPsec (v1 or v2, cert or PSK based -- this is not the

+ same as L2TP over IPsec) is one such setup. For all other types of VPN,

+ the Host field is required.

+ </dd>

+ <dt class="field">IPsec</dt>

+ <dd>

+

+ (required if Type

+ is IPsec

+ or L2TP-IPsec)

+ IPsec

+

+ IPsec layer settings.

+ </dd>

+ <dt class="field">L2TP</dt>

+ <dd>

+

+ (required if Type is

+ L2TP-IPsec)

+ L2TP

+

+ L2TP layer settings.

+ </dd>

+ <dt class="field">OpenVPN</dt>

+ <dd>

+

+ (required if Type is

+ OpenVPN)

+ OpenVPN

+

+ OpenVPN settings.

+ </dd>

+ <dt class="field">Type</dt>

+ <dd>

+

+ (required)

+ string

+

+ Type of the VPN, one

+ of IPsec, L2TP-IPsec,

+ or OpenVPN.

+ </dd>

+ </dl>

+ <section>

+ <h1>IPsec-based VPN types</h1>

+

+ The IPsec type contains the following:

+

+ <dl class="field_list">

+ <dt class="field">AuthenticationType</dt>

+ <dd>

+

+ (required)

+ string

+

+ Either PSK or Cert

+ </dd>

+ <dt class="field">ClientCertPattern</dt>

+ <dd>

+

+ (required if ClientCertType

+ is Pattern, otherwise ignored)

+ CertificatePattern

+

+ Pattern describing the client certificate.

+ </dd>

+ <dt class="field">ClientCertRef</dt>

+ <dd>

+

+ (required if ClientCertType

+ is Ref, otherwise ignored)

+ string

+

+ Reference to client certificate stored in certificate section.

+ </dd>

+ <dt class="field">ClientCertType</dt>

+ <dd>

+

+ (required if AuthenticationType

+ is Cert, otherwise ignored)

+ string

+

+ Either Ref

+ or Pattern

+ </dd>

+ <dt class="field">EAP</dt>

+ <dd>

+

+ (optional if IKEVersion is 2, otherwise

+ ignored)

+ EAP

+

+ Indicating that EAP authentication should be used with the provided

+ parameters.

+ </dd>

+ <dt class="field">Group</dt>

+ <dd>

+

+ (optional if IKEVersion is 1, otherwise

+ ignored)

+ string

+

+ Group name used for machine authentication.

+ </dd>

+ <dt class="field">IKEVersion</dt>

+ <dd>

+

+ (required)

+ integer

+

+ Version of IKE protocol to use.

+ </dd>

+ <dt class="field">PSK</dt>

+ <dd>

+

+ (optional if AuthenticationType

+ is PSK, otherwise ignored)

+ string

+

+ Pre-Shared Key. If not specified, user is prompted at time of

+ connection.

+ </dd>

+ <dt class="field">SaveCredentials</dt>

+ <dd>

+

+ (optional if AuthenticationType

+ is PSK, otherwise ignored, defaults

+ to false)

+ boolean

+

+ If false, require user to enter credentials

+ (PSK) each time they connect.

+ </dd>

+ <dt class="field">ServerCARef</dt>

+ <dd>

+

+ (required if AuthenticationType

+ is Cert, otherwise ignored)

+ string

+

+ Reference to server certificate authority stored in certificate section.

+ </dd>

+ <dt class="field">XAUTH</dt>

+ <dd>

+

+ (optional if IKEVersion is 1, otherwise

+ ignored)

+ XAUTH

+

+ Describing XAUTH credentials. XAUTH is not used if this object is not

+ present.

+ </dd>

+ </dl>

+

+ L2TP type contains the following:

+

+ <dl class="field_list">

+ <dt class="field">Password</dt>

+ <dd>

+

+ (optional)

+ string

+

+ User authentication password. If not specified, user is prompted at time

+ of connection.

+ </dd>

+ <dt class="field">SaveCredentials</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ If false, require user to enter credentials

+ each time they connect.

+ </dd>

+ <dt class="field">Username</dt>

+ <dd>

+

+ (optional)

+ string

+

+ User identity. This value is subject to string expansions. If not

+ specified, user is prompted at time of connection.

+ </dd>

+ </dl>

+

+ XAUTH type contains the following:

+

+ <dl class="field_list">

+ <dt class="field">Password</dt>

+ <dd>

+

+ (optional)

+ string

+

+ XAUTH password. If not specified, user is prompted at time of

+ connection.

+ </dd>

+ <dt class="field">SaveCredentials</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ If false, require user to enter credentials

+ each time they connect.

+ </dd>

+ <dt class="field">Username</dt>

+ <dd>

+

+ (optional)

+ string

+

+ XAUTH user name. This value is subject to string expansions. If not

+ specified, user is prompted at time of connection.

+ </dd>

+ </dl>

+<section>

+ <h1>IPsec IKE v1 VPN connections</h1>

+

+ VPN.Type must

+ be IPsec, IKEVersion

+ must be 1. Do not use this for L2TP over IPsec. This may be used for

+ machine-authentication-only IKEv1 or for IKEv1 with XAUTH. See

+ the IPsec type described below.

+

+</section>

+<section>

+ <h1>IPsec IKE v2 VPN connections</h1>

+

+ VPN.Type must

+ be IPsec, IKEVersion

+ must be 2. This may be used with EAP-based user authentication.

+

+</section>

+<section>

+ <h1>L2TP over IPsec VPN connections</h1>

+

+ There are two major configurations L2TP over IPsec which depend on how IPsec

+ is authenticated. In either case Type must be

+ L2TP-IPsec. They are described below.

+

+

+ L2TP over IPsec with pre-shared key:

+

+ <ul>

+ <li>The field IPsec must be present and have the

+ following settings:

+ <ul>

+ <li>IKEVersion must be 1.</li>

+ <li>AuthenticationType must be PSK.</li>

+ <li>XAUTH must not be set.</li>

+ </ul>

+ </li>

+ <li>The field L2TP must be present.</li>

+ </ul>

+</section>

+<section>

+ <h1>OpenVPN connections and types</h1>

+

+ VPN.Type must

+ be OpenVPN.

+

+

+ OpenVPN type contains the following:

+

+ <dl class="field_list">

+ <dt class="field">Auth</dt>

+ <dd>

+

+ (optional, defaults to SHA1)

+ string

+

+ </dd>

+ <dt class="field">AuthRetry</dt>

+ <dd>

+

+ (optional, defaults to none)

+ string

+

+ Controls how OpenVPN responds to username/password verification

+ errors. Allowed values are none (fail with

+ error on retry), nointeract (retry without

+ asking for authentication), and interact (ask

+ again for authentication each time).

+ </dd>

+ <dt class="field">AuthNoCache</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ Disable caching of credentials in memory.

+ </dd>

+ <dt class="field">Cipher</dt>

+ <dd>

+

+ (optional, defaults to BF-CBC)

+ string

+

+ Cipher to use.

+ </dd>

+ <dt class="field">ClientCertRef</dt>

+ <dd>

+

+ (required if ClientCertType

+ is Ref)

+ string

+

+ Reference to client certificate stored in certificate section.

+ </dd>

+ <dt class="field">ClientCertPattern</dt>

+ <dd>

+

+ (required if ClientCertType

+ is Pattern)

+ CertificatePattern

+

+ Pattern to use to find the client certificate.

+ </dd>

+ <dt class="field">ClientCertType</dt>

+ <dd>

+

+ (required)

+ string

+

+ Either Ref, Pattern,

+ or None. None

+ implies that the server is configured to not require client certificates.

+ </dd>

+ <dt class="field">CompLZO</dt>

+ <dd>

+

+ (optional, defaults to adaptive)

+ string

+

+ Decides to fast LZO compression with true

+ and false as other values.

+ </dd>

+ <dt class="field">CompNoAdapt</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ Disables adaptive compression.

+ </dd>

+ <dt class="field">KeyDirection</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Passed as --key-direction.

+ </dd>

+ <dt class="field">NsCertType</dt>

+ <dd>

+

+ (optional)

+ string

+

+ If set, checks peer certificate type. Should only be set

+ to server if set.

+ </dd>

+ <dt class="field">Password</dt>

+ <dd>

+

+ (optional)

+ string

+

+ XAUTH password. If not specified, user is prompted at time of

+ connection. If not specified, user is prompted at time of connection.

+ </dd>

+ <dt class="field">Port</dt>

+ <dd>

+

+ (optional, defaults to 1194)

+ integer

+

+ Port for connecting to server.

+ </dd>

+ <dt class="field">Proto</dt>

+ <dd>

+

+ (optional, defaults to udp)

+ string

+

+ Protocol for communicating with server.

+ </dd>

+ <dt class="field">PushPeerInfo</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ </dd>

+ <dt class="field">RemoteCertEKU</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Require that the peer certificate was signed with this explicit extended

+ key usage in oid notation.

+ </dd>

+ <dt class="field">RemoteCertKU</dt>

+ <dd>

+

+ (optional, defaults to [])

+ array of string

+

+ Require the given array of key usage numbers. These are strings that are

+ hex encoded numbers.

+ </dd>

+ <dt class="field">RemoteCertTLS</dt>

+ <dd>

+

+ (optional, defaults to server)

+ string

+

+ Require peer certificate signing based on RFC3280 TLS rules. May

+ be none or server.

+ </dd>

+ <dt class="field">RenegSec</dt>

+ <dd>

+

+ (optional, defaults to 3600)

+ integer

+

+ Renegotiate data channel key after this number of seconds.

+ </dd>

+ <dt class="field">SaveCredentials</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ If false, require user to enter credentials

+ each time they connect.

+ </dd>

+ <dt class="field">ServerCARef</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Reference to a certificate. Certificate authority to use for verifying

+ connection.

+ </dd>

+ <dt class="field">ServerCertRef</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Reference to a certificate. Peer's signed certificate.

+ </dd>

+ <dt class="field">ServerPollTimeout</dt>

+ <dd>

+

+ (optional)

+ integer

+

+ Spend no more than this number of seconds before trying the next server.

+ </dd>

+ <dt class="field">Shaper</dt>

+ <dd>

+

+ (optional)

+ integer

+

+ If not specified no bandwidth limiting, otherwise limit bandwidth of

+ outgoing tunnel data to this number of bytes per second.

+ </dd>

+ <dt class="field">StaticChallenge</dt>

+ <dd>

+

+ (optional)

+ string

+

+ String is used in static challenge response. Note that echoing is always

+ done.

+ </dd>

+ <dt class="field">TLSAuthContents</dt>

+ <dd>

+

+ (optional)

+ string

+

+ If not set, tls auth is not used. If set, this is the TLS Auth key

+ contents (usually starts with "-----BEGIN OpenVPN Static Key..."

+ </dd>

+ <dt class="field">TLSRemote</dt>

+ <dd>

+

+ (optional)

+ string

+

+ If set, only allow connections to server hosts with X509 name or common

+ name equal to this string.

+ </dd>

+ <dt class="field">Username</dt>

+ <dd>

+

+ (optional)

+ string

+

+ OpenVPN user name. This value is subject to string expansions. If not

+ specified, user is prompted at time of connection.

+ </dd>

+ <dt class="field">Verb</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Verbosity level, defaults to openvpn default if not specified.

+ </dd>

+ </dl>

+</section>

+<section>

+ <h1>Client certificate patterns</h1>

+

+ In order to allow clients to securely key their private keys and request

+ certificates through PKCS#10 format or through a web flow, we provide

+ alternative CertificatePattern

+ types. The CertificatePattern type contains the

+ following:

+

+ <dl class="field_list">

+ <dt class="field">IssuerCARef</dt>

+ <dd>

+

+ (optional)

+ array of string

+

+ Array of references to certificates. At least one must have signed the

+ client certificate.

+ </dd>

+ <dt class="field">Issuer</dt>

+ <dd>

+

+ (optional)

+ IssuerSubjectPattern

+

+ Pattern to match the issuer X.509 settings against. If not specified, the

+ only checks done will be a signature check against the IssuerCARef

+ field. Issuer of the certificate must match this field exactly to match

+ the pattern.

+ </dd>

+ <dt class="field">Subject</dt>

+ <dd>

+

+ (optional)

+ IssuerSubjectPattern

+

+ Pattern to match the subject X.509 settings against. If not specified, the

+ subject settings are not checked and any certificate matches. Subject of

+ the certificate must match this field exactly to match the pattern.

+ </dd>

+ <dt class="field">EnrollmentURI</dt>

+ <dd>

+

+ (optional)

+ array of string

+

+ If no certificate matches this CertificatePattern, the first URI from this

+ array with a recognized scheme is navigated to, with the intention this

+ informs the user how to either get the certificate or gets the certificate

+ for the user. For instance, the array may be [

+ "chrome-extension://asakgksjssjwwkeielsjs/fetch-client-cert.html",

+ "http://intra/connecting-to-wireless.html" ] so that for Chrome browsers a

+ Chrome app or extension is shown to the user, but for other browsers, a

+ web URL is shown.

+ </dd>

+ </dl>

+

+ The IssuerSubjectPattern type contains the

+ following:

+

+ <dl class="field_list">

+ <dt class="field">CommonName</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Certificate subject's commonName must match this string if present.

+ </dd>

+ <dt class="field">Locality</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Certificate subject's location must match this string if present.

+ </dd>

+ <dt class="field">Organization</dt>

+ <dd>

+

+ (optional)

+ string

+

+ At least one of certificate subject's organizations must match this string

+ if present.

+ </dd>

+ <dt class="field">OrganizationalUnit</dt>

+ <dd>

+

+ (optional)

+ string

+

+ At least one of certificate subject's organizational units must match this

+ string if present.

+ </dd>

+ </dl>

+

+ One field

+ in Subject, Issuer,

+ or IssuerCARef must be given for a

+ CertificatePattern typed field to be valid. For a

+ certificate to be considered matching, it must match all the fields in the

+ certificate pattern. If multiple certificates match, the certificate with

+ the latest issue date that is still in the past, and hence valid, will be

+ used.

+

+

+ If EnrollmentURI is not given and no match is

+ found to this pattern, the importing tool may show an error to the user.

+

+</section>

+<section>

+ <h1>Proxy settings</h1>

+

+ Every network can be configured to use a

+ proxy. The ProxySettings type contains the

+ following:

+

+ <dl class="field_list">

+ <dt class="field">Type</dt>

+ <dd>

+

+ (required)

+ string

+

+ One

+ of Direct, Manual,

+ PAC, or WPAD.

+ PAC indicates Proxy Auto-Configuration.

+ WPAD indicates Web Proxy Autodiscovery. If

+ WPAD is specified, all other fields are ignored.

+ </dd>

+ <dt class="field">Manual</dt>

+ <dd>

+

+ (required if Type

+ is Manual, otherwise ignored)

+ ManualProxySettings

+

+ Manual proxy settings.

+ </dd>

+ <dt class="field">ExcludeDomains</dt>

+ <dd>

+

+ (optional if Type

+ is Manual, otherwise ignored)

+ array of string

+

+ Domains and hosts for which to exclude proxy settings.

+ </dd>

+ <dt class="field">PAC</dt>

+ <dd>

+

+ (required if Type is

+ PAC)

+ string

+

+ URL of proxy auto-config file.

+ </dd>

+ </dl>

+

+ The ManualProxySettings type contains the

+ following:

+

+ <dl class="field_list">

+ <dt class="field">HTTPProxy</dt>

+ <dd>

+

+ (optional)

+ ProxyLocation

+

+ settings for HTTP proxy.

+ </dd>

+ <dt class="field">SecureHTTPProxy</dt>

+ <dd>

+

+ (optional)

+ ProxyLocation

+

+ settings for secure HTTP proxy.

+ </dd>

+ <dt class="field">FTPProxy</dt>

+ <dd>

+

+ (optional)

+ ProxyLocation

+

+ settings for FTP proxy

+ </dd>

+ <dt class="field">SOCKS</dt>

+ <dd>

+

+ (optional)

+ ProxyLocation

+

+ settings for SOCKS proxy.

+ </dd>

+ </dl>

+

+ The ProxyLocation type contains the following:

+

+ <dl class="field_list">

+ <dt class="field">Host</dt>

+ <dd>

+

+ (required)

+ string

+

+ Host (or IP address) to use for proxy

+ </dd>

+ <dt class="field">Port</dt>

+ <dd>

+

+ (required)

+ integer

+

+ Port to use for proxy

+ </dd>

+ </dl>

+</section>

+<section>

+ <h1>EAP configurations</h1>

+

+ For networks with 802.1X authentication, an EAP

+ type exists to configure the

+ authentication. The EAP type contains the

+ following:

+

+ <dl class="field_list">

+ <dt class="field">AnonymousIdentity</dt>

+ <dd>

+

+ (optional)

+ string

+

+ For tunnelling protocols (PEAP

+ and EAP-TTLS) only, this indicates the identity

+ of the user presented to the outer protocol. This value is subject to

+ string expansions. If not specified, use empty string.

+ </dd>

+ <dt class="field">ClientCertPattern</dt>

+ <dd>

+

+ (required if ClientCertType

+ is Pattern)

+ CertificatePattern

+

+ Pattern to use to find the client certificate.

+ </dd>

+ <dt class="field">ClientCertRef</dt>

+ <dd>

+

+ (required if ClientCertType

+ is Ref)

+ string

+

+ Reference to client certificate stored in certificate section.

+ </dd>

+ <dt class="field">ClientCertType</dt>

+ <dd>

+

+ (optional) string

+

+ Must be either Ref

+ or Pattern.

+ </dd>

+ <dt class="field">Identity</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Identity of user. For tunneling outer protocols

+ (PEAP, EAP-TTLS, and

+ EAP-FAST), this is used to authenticate inside

+ the tunnel, and AnonymousIdentity is used for the EAP identity outside the

+ tunnel. For non-tunneling outer protocols, this is used for the EAP

+ identity. This string may include string expansions. See below.

+ </dd>

+ <dt class="field">Inner</dt>

+ <dd>

+

+ (optional, defaults to Automatic)

+ string

+

+ Must be one of Automatic,

+ MD5, MSCHAPv2,

+ EAP-MSCHAPv2, PAP. Only

+ valid for outer protocols that are tunnelling protocols

+ (EAP-TTLS, PEAP

+ and EAP-FAST).

+ </dd>

+ <dt class="field">Outer</dt>

+ <dd>

+

+ (required)

+ string

+

+ Must be one of PEAP,

+ EAP-TLS, EAP-TTLS,

+ LEAP, EAP-SIM,

+ EAP-FAST or EAP-AKA.

+ </dd>

+ <dt class="field">Password</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Password of user. If not specified, defaults to prompting the user.

+ </dd>

+ <dt class="field">SaveCredentials</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ If false, require user to enter credentials

+ each time they connect. Specifying Identity and/or Password

+ when SaveCredentials

+ is false is not allowed.

+ </dd>

+ <dt class="field">ServerCARef</dt>

+ <dd>

+

+ (optional)

+ string

+

+ Reference to server certificate authority stored in certificate

+ section. If not specified, client does not check the server certificate is

+ signed by a specific CA. It will still check the server CA

+ if UseSystemCAs is set.

+ </dd>

+ <dt class="field">UseSystemCAs</dt>

+ <dd>

+

+ (optional, defaults to true)

+ boolean

+

+ Required server certificate to be signed by "system default certificate

+ authorities". If both ServerCARef

+ and UseSystemCAs are supplied, a server

+ certificate will be allowed if it either has a chain of trust to a system

+ CA or to the given server CA. If UseSystemCAs

+ is false, and

+ no ServerCARef is set, then the certificate

+ must be a self signed certificate, and no CA signature is required.

+ </dd>

+ </dl>

+</section>

+<section>

+ <h1>Cellular Networks</h1>

+

+ This format will eventually also cover configuration of cellular network

+ technologies, however they are currently not supported.

+

+</section>

+<section>

+ <h1>Bluetooth / WiFi Direct Networks</h1>

+

+ This format will eventually also cover configuration of Bluetooth and Wi-Fi

+ Direct network technologies, however they are currently not supported.

+

+</section>

+<section>

+ <h1>Certificates</h1>

+

+ Certificate data is stored in a separate section. Each certificate may be

+ referenced from within the NetworkConfigurations array using a certificate

+ reference. A certificate reference is its GUID.

+

+

+ The top-level field Certificates is an array of

+ objects of Certificate type.

+

+

+ The Certificate type contains the following:

+

+ <dl class="field_list">

+ <dt class="field">GUID</dt>

+ <dd>

+

+ (required)

+ string

+

+ unique identification for certificate

+ </dd>

+ <dt class="field">PKCS12</dt>

+ <dd>

+

+ (required when Remove

+ is false and Type

+ is Client)

+ string

+ For certificates with

+ private keys, this is the base64 encoding of the a PKCS#12 file.

+ </dd>

+ <dt class="field">Remove</dt>

+ <dd>

+

+ (optional, defaults to false)

+ boolean

+

+ If true, remove this certificate (only GUID

+ should be set).

+ </dd>

+ <dt class="field">Trust</dt>

+ <dd>

+

+ (optional if Type

+ is Server

+ or Authority, otherwise ignored, defaults to

+ [])

+ array of string

+

+ A array of trust attributes. Trust can

+ include Web. Web

+ implies that the certificate is to be trusted for HTTPS SSL

+ identification. A typical web certificate authority would

+ have Type set to

+ Authority and Trust

+ set to ["Web"].

+ </dd>

+ <dt class="field">Type</dt>

+ <dd>

+

+ (required if Remove is

+ false)

+ string

+

+ One

+ of Client, Server,

+ or Authority. Client

+ indicates the certificate is for identifying the user or device over HTTPS

+ or for VPN/802.1X. Server indicates the

+ certificate identifies an HTTPS or VPN/802.1X

+ peer. Authority indicates the certificate is a

+ certificate authority and any certificates it issues should be

+ trusted. Note that if Type disagrees with the

+ x509 v3 basic constraints or key usage attributes,

+ the Type field should be honored.

+ </dd>

+ <dt class="field">X509</dt>

+ <dd>

+

+ (required if Remove

+ is false and Type

+ is Server or Authority)

+ string

+ For certificate

+ without private keys, this is the X509 certificate in PEM format.

+ </dd>

+ </dl>

+

+ The passphrase of the PKCS#12 encoding must be empty. Encryption of key data

+ should be handled at the level of the entire file, or the transport of the

+ file.

+

+

+ If a global-scoped network connection refers to a user-scoped certificate,

+ results are undefined, so this configuration should be prohibited by the

+ configuration editor.

+

+</section>

+<section>

+ <h1>Encrypted Configuration</h1>

+

+ We assume that when this format is imported as part of policy that

+ file-level encryption will not be necessary because the policy transport is

+ already encrypted, but when it is imported as a standalone file, it is

+ desirable to encrypt it. Since this file has private information (user

+ names) and secrets (passphrases and private keys) in it, and we want it to

+ be usable as a manual way to distribute network configuration, we must

+ support encryption.

+

+

+ For this standalone export, the entire file will be encrypted in a symmetric

+ fashion with a passphrase stretched using salted PBKDF2 using at least 20000

+ iterations, and encrypted using an AES-256 CBC mode cipher with an SHA-1

+ HMAC on the ciphertext.

+

+

+ An encrypted ONC file's top level object will have the

+ EncryptedConfiguration

+ type. EncryptedConfiguration type contains the

+ following:

+

+ <dl class="field_list">

+ <dt class="field">Cipher</dt>

+ <dd>

+

+ (required)

+ string

+

+ The type of cipher used. Currently only AES256

+ is supported.

+ </dd>

+ <dt class="field">Ciphertext</dt>

+ <dd>

+

+ (required)

+ string

+

+ The raw ciphertext of the encrypted ONC file, base64 encoded.

+ </dd>

+ <dt class="field">HMAC</dt>

+ <dd>

+

+ (required)

+ string

+

+ The HMAC for the ciphertext, base64 encoded.

+ </dd>

+ <dt class="field">HMACMethod</dt>

+ <dd>

+

+ (required)

+ string

+

+ The method used to compute the Hash-based Message Authentication Code

+ (HMAC). Currently only SHA1 is supported.

+ </dd>

+ <dt class="field">Salt</dt>

+ <dd>

+

+ (required)

+ string

+

+ The salt value used during key stretching.

+ </dd>

+ <dt class="field">Stretch</dt>

+ <dd>

+

+ (required)

+ string

+

+ The key stretching algorithm used. Currently

+ only PBKDF2 is supported.

+ </dd>

+ <dt class="field">Iterations</dt>

+ <dd>

+

+ (required)

+ integer

+

+ The number of iterations to use during key stretching.

+ </dd>

+ <dt class="field">IV</dt>

+ <dd>

+

+ (required)

+ string

+

+ The initial vector (IV) used for Cyclic Block Cipher (CBC) mode, base64

+ encoded.

+ </dd>

+ <dt class="field">Type</dt>

+ <dd>

+

+ (required)

+ string

+

+ The type of the ONC file, which must be set

+ to EncryptedConfiguration.

+ </dd>

+ </dl>

+

+ When decrypted, the ciphertext must contain a JSON object of

+ type UnencryptedConfiguration.

+

+</section>

+<section>

+ <h1>String Expansions</h1>

+

+ The values of some fields, such

+ as WiFi.EAP.Identity

+ and VPN.*.Username, are subject to string

+ expansions. These allow one ONC to have basic user-specific variations.

+

+

+ The expansions are:

+

+ <ul>

+ <li>

+ ${LOGIN_ID} - expands to the email address of the user, but before the

+ '@'.

+ </li>

+ <li>

+ ${LOGIN_EMAIL} - expands to the email address of the user.

+ </li>

+ </ul>

+

+ The following SED would properly handle resolution.

+

+ <ul>

+ <li>

+ s/\$\{LOGIN_ID\}/bobquail$1/g

+ </li>

+ <li>

+ s/\$\{LOGIN_EMAIL\}/bobquail@example.com$1/g

+ </li>

+ </ul>

+

+ Example expansions, assuming the user was bobquail@example.com:

+

+ <ul>

+ <li>

+ "${LOGIN_ID}" -> "bobquail"

+ </li>

+ <li>

+ "${LOGIN_ID}@corp.example.com" -> "bobquail@corp.example.com"

+ </li>

+ <li>

+ "${LOGIN_EMAIL}" -> "bobquail@example.com"

+ </li>

+ <li>

+ "${LOGIN_ID}X" -> "bobquailX"

+ </li>

+ <li>

+ "${LOGIN_IDX}" -> "${LOGIN_IDX}"

+ </li>

+ <li>

+ "X${LOGIN_ID}" -> "Xbobquail"

+ </li>

+ </ul>

+</section>

+<section>

+ <h1>Detection</h1>

+

+ This format should be sent in files ending in the .onc extension. When

+ transmitted with a MIME type, the MIME type should be

+ application/x-onc. These two methods make detection of data to be handled in

+ this format, especially when encryption is used and the payload itself is

+ not detectable.

+

+</section>

+<section>

+ <h1>Alternatives considered</h1>

+

+ For the overall format, we considered XML, ASN.1, and protobufs. JSON and

+ ASN.1 seem more widely known than protobufs. Since administrators are

+ likely to want to tweak settings that will not exist in common UIs, we

+ should provide a format that is well known and human modifiable. ASN.1 is

+ not human modifiable. Protobufs formats are known by open source developers

+ but seem less likely to be known by administrators. JSON serialization

+ seems to have good support across languages.

+

+

+ We considered sending the exact connection manager configuration format of

+ an open source connection manager like connman. There are a few issues

+ here, for instance, referencing certificates by identifiers not tied to a

+ particular PKCS#11 token, and tying to one OS's connection manager.

+

+</section>

+<section>

+ <h1>Detection</h1>

+

+ This format should be sent in files ending in the .onc extension. When

+ transmitted with a MIME type, the MIME type should be

+ application/x-onc. These two methods make detection of data to be handled in

+ this format, especially when encryption is used and the payload itself is

+ not detectable.

+

+</section>

+<section>

+ <h1>Mocks</h1>

+<section>

+ <h1>Simple format example: PEAP/MSCHAPv2 network (per device)</h1>

+ <pre>

+{ "Type": "UnencryptedConfiguration", "NetworkConfigurations": [ { "GUID":

+ "{f2c17903-b0e1-8593-b3ca74f977236bd7}", "Name": "MySSID", "Type": "WiFi",

+ "WiFi": { "AutoConnect": true, "HiddenSSID": false, "Security": "WPA-EAP",

+ "SSID": "MySSID", "EAP": { "Outer": "PEAP", "UseSystemCAs": true } } } ],

+ "Certificates": [] }

+ </pre>

+

+ Notice that in this case, we do not provide a username and password - we set

+ SaveCredentials to false so we are prompted every

+ time. We could have passed in username and password - but such a file should

+ be encrypted.

+

+</section>

+<section>

+ <h1>Complex format example: TLS network with client certs (per device)</h1>

+ <pre>

+{ "Type": "UnencryptedConfiguration", "NetworkConfigurations": [ { "GUID":

+ "{00f79111-51e0-e6e0-76b3b55450d80a1b}", "Name": "MyTTLSNetwork", "Type":

+ "WiFi", "WiFi": { "AutoConnect": false, "HiddenSSID": false, "Security":

+ "WPA-EAP", "SSID": "MyTTLSNetwork", "EAP": { "Outer": "EAP-TLS",

+ "UseSystemCAs": true, "ServerCARef": "{6ed8dce9-64c8-d568-d225d7e467e37828}",

+ "ClientCertType": "Pattern", "ClientCertPattern": { "IssuerCARef": [

+ "{6ed8dce9-64c8-d568-d225d7e467e37828}" ], "EnrollmentURI": [

+ "http://fetch-my-certificate.com" ] } } } } ], "Certificates": [ { "Trust":

+ [], "GUID": "{6ed8dce9-64c8-d568-d225d7e467e37828}", "Type": "Authority",

+ "X509":

+ "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw=="

+ } ] }

+ </pre>

+

+ In this example, the client certificate is not sent in the ONC format, but

+ rather we send a certificate authority which we know will have signed the

+ client certificate that is needed, along with an enrollment URI to navigate

+ to if the required certificate is not yet available on the client.

+

+</section>

+<section>

+ <h1>Simple format example: HTTPS Certificate Authority</h1>

+

+ In this example a new certificate authority is added to be trusted for HTTPS

+ server authentication.

+

+ <pre>

+{ "Type": "UnencryptedConfiguration", "NetworkConfigurations": [],

+ "Certificates": [ { "Trust": [ "Web" ], "GUID":

+ "{f31f2110-9f5f-61a7-a8bd7c00b94237af}", "Type": "Authority", "X509":

+ } ] }

+ </pre>

+</section>

+<section>

+ <h1>Encrypted format example</h1>

+

+In this example a simple wireless network is added, but the file is encrypted

+with the passphrase "test0000".

+

+ <pre>

+{ "Cipher": "AES256", "Ciphertext":

+ "eQ9/r6v29/83M745aa0JllEj4lklt3Nfy4kPPvXgjBt1eTByxXB+FnsdvL6Uca5JBU5aROxfiol2+ZZOkxPmUNNIFZj70pkdqOGVe09ncf0aVBDsAa27veGIG8rG/VQTTbAo7d8QaxdNNbZvwQVkdsAXawzPCu7zSh4NF/hDnDbYjbN/JEm1NzvWgEjeOfqnnw3PnGUYCArIaRsKq9uD0a1NccU+16ZSzyDhX724JNrJjsuxohotk5YXsCK0lP7ZXuXj+nSR0aRIETSQ+eqGhrew2octLXq8cXK05s6ZuVAc0mFKPkntSI/fzBACuPi4ZaGd3YEYiKzNOgKJ+qEwgoE39xp0EXMZOZyjMOAtA6e1ZZDQGWG7vKdTLmLKNztHGrXvlZkyEf1RDs10YgkwwLgUhm0yBJ+eqbxO/RiBXz7O2/UVOkkkVcmeI6yh3BdL6HIYsMMygnZa5WRkd/2/EudoqEnjcqUyGsL+YUqV6KRTC0PH+z7zSwvFs2KygrSM7SIAZM2yiQHTQACkA/YCJDwACkkQOBFnRWTWiX0xmN55WMbgrs/wqJ4zGC9LgdAInOBlc3P+76+i7QLaNjMovQ==",

+ "HMAC": "3ylRy5InlhVzFGakJ/9lvGSyVH0=", "HMACMethod": "SHA1", "IV":

+ "hcm6OENfqG6C/TVO6p5a8g==", "Iterations": 20000, "Salt": "/3O73QadCzA=",

+ "Stretch": "PBKDF2", "Type": "EncryptedConfiguration" }

+ </pre>

+</section>

+<section>

+ <h1>Standalone editor</h1>

+

+ The source code for a Chrome packaged app to generate ONC configuration can

+ be found here:

+ <a href="https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree">"https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree"</a>

+

+</section>

+<section>

+ <h1>Internationalization and Localization</h1>

+

+ UIs will need to have internationalization and localizations - the file

+ format will remain in English.

+

+</section>

+<section>

+ <h1>Security Considerations</h1>

+

+ Data stored inside of open network configuration files is highly sensitive

+ to users and enterprises. The file format itself provides adequate

+ encryption options to allow standalone use-cases to be secure. For automatic

+ updates sent by policy, the policy transport should be made secure. The file

+ should not be stored unencrypted on disk as part of policy fetching and

+ should be cleared from memory after use.

+

+</section>

+<section>

+ <h1>Privacy Considerations</h1>

+

+ Similarly to the security considerations, user names will be present in

+ these files for certain kinds of connections, so any places where the file

+ is transmitted or saved to disk should be secure. On client device, when

+ user names for connections that are user-specific are persisted to disk,

+ they should be stored in a location that is encrypted. Users can also opt in

+ these cases to not save their user credentials in the config file and will

+ instead be prompted when they are needed.

+

+</section>

+</body>

+</html>

« no previous file with comments | « chromeos/docs/onc_spec.css ('k') | chromeos/docs/onc_spec.js » ('j') | no next file with comments »