You will no doubt have already received advisories about vulnerabilities in the 1.0.1-series of OpenSSL[1] affecting TLS enabled services via the heartbeat extension.
The advice for Moonshot is very similar to an advisory you may have received from eduroam[2].
While there are no indications that CVE-2014-0160[3] is being actively exploited via TLS-based EAP-mechanisms or RADIUS/TLS (aka RadSec) at this time, the software used by Moonshot *is* vulnerable to a "heartbleed" attack.
Those of you who have been following Moonshot for a while will be aware that from the outset we have been keen to get the technology adopted as a standard. Thanks to the hard work of the Application Bridging for Federated Access Beyond web (ABFAB) Working Group of the IETF, December saw an important milestone with the publication of three Moonshot-related RFC documents:
RFC 7055
Title: A GSS-API Mechanism for the Extensible Authentication Protocol
Author: Author: S. Hartman, Ed., J. Howlett
General enquiries
The Project Manager is John Chapman. Please feel free to get in touch if you have any questions or require further information.
Getting started
As we ramp up towards the Janet Pilot we are aiming to provide incremental DVD releases. The latest release is Moonshot Pilot Release 1 DVD which can be found at:
http://psec.s3.amazonaws.com/moonshot-images/2013.03.07.iso
And the corresponding .source directory.
This image includes a few bug fixes. The most notable is that the installer is fixed and you can now just boot into the image and install to a running system.
On 14 November 2012 Janet hosted an online briefing on Moonshot, providing information on use cases, benefits, deployment requirements and introducing the Janet Moonshot Service Pilot that will launch in April 2013.
The Moonshot code is available in a GIT repository; see gitweb for the main Moonshot code or all projects
To check out the Moonshot repository on your own system, execute:
git clone http://www.project-moonshot.org/git/moonshot.git cd moonshot git submodule init git submodule update
** Note - this article refers to an old release. Trust Router v1.0 can be found via https://community.ja.net/groups/moonshot/article/trust-router-v10-now-available **
Be one of the first people in the world to run your very own trust router!
As announced at moonshot-community@jiscmail.ac.uk Trust Router 1.0 was officially released (and tagged in the git repository) this week.
The following features have been added since the beta release:
We would like to invite you to participate in a Janet service pilot, to trial Moonshot technology at your organisation. The pilot will begin on 2 April 2013, and run for 18 months.
