<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <link rel="stylesheet" href="onc_spec.css" >
  <script src="onc_spec.js"></script>
  <title>Open Network Configuration Format</title>
</head>
<body>

<section id="root" class="not_in_toc">
  <h1>Open Network Configuration Format</h1>

<section class="not_in_toc">
  <h1>Outline</h1>
  <div id="outline"></div>
</section>

<section>
  <h1>Objective</h1>
  <p>
    We would like to create a simple, open, but complete format to describe
    multiple network configurations for Wi-Fi, Ethernet, Cellular,
    Bluetooth/WiFi-Direct, and VPN connections in a single file format, in order
    to simplify and automate network configuration for users.
  </p>
</section>

<section>
  <h1>Background</h1>
  <p>
    Configuring networks is a painful and error-prone experience for users. It
    is a problem shared across desktop, laptop, tablet, and phone users of all
    operating system types. It is exacerbated in businesses and schools, which
    often have complex network configurations (VPNs and 802.1X networking) that
    change often and have many connected devices. Configuration of Wi-Fi is
    still done manually, often by administrators physically standing next to
    users working on devices. Certificate distribution is particularly painful,
    which often results in admins instead using passphrases to protect networks
    or using protocols without client certificates that instead use LDAP
    passwords for authentication. Even after networks are configured, updates to
    the network configuration require another round of manual changes, and
    accidental changes by a user or malicious changes by an attacker can break
    connectivity or make connections less private or secure.
  </p>

<section>
  <h1>Overview</h1>
  <p>
    We propose a single-file format for network configuration that is
    human-readable, can describe all of the common kinds of network
    configurations, and supports integrity checking, certificate and key
    provisioning, and updating. The file can be encrypted with a single
    passphrase so that upon entering the passphrase the entire configuration is
    loaded. The format is published as an open format to enable multiple OS
    vendors to interoperate and share configuration editors.
  </p>

  <p>
    This format neither supports configuring browser settings nor allows setting
    other types of system policies.
  </p>
</section>

<section>
  <h1>Infrastructure</h1>
  <p>
    A standalone configuration editor will be created, downloadable as a Chrome
    app. This editor will allow creating, modifying, and encrypting an open
    network configuration file in a way that is intuitive for a system
    administrator.
  </p>

  <p>
    A file in this format may be delivered to a user and manually imported into
    a device.
  </p>

  <p>
    A file in this format may also be created by an administrator, stored in a
    policy repository, and automatically pushed to a device.
  </p>
</section>

</section>

<section>
  <h1>Detailed Design</h1>
  <p>
    We use JSON format for the files. The fields in a JSON file are always
    case-sensitive, so the exact case of the fields in this section must be
    matched. In addition, the values that are called out as explicit constants
    must also match the case specified (e.g. WiFi must not be written as wifi,
    etc.). This document describes a minimum set of required fields and optional
    fields. Other fields may be created; see the section on
    implementation-specific fields for guidelines on naming and placing them.
  </p>

  <p>
    The JSON consists of a top level dictionary containing
    a <span class="field">Type</span> field which must have either the
    value <span class="value">EncryptedConfiguration</span>
    or <span class="value">UnencryptedConfiguration</span>.
  </p>

  <p>
    For a description of the <span class="type">EncryptedConfiguration</span>
    type, see the section on Encrypted Configuration
    below. The <span class="type">EncryptedConfiguration</span> format encrypts
    an unencrypted JSON object.
  </p>

<section>
  <h1>GUIDs and Updating</h1>
  <p>
    This format allows for importing updated network configurations and
    certificates by providing GUIDs to each network configuration and
    certificate so they can be modified or even removed in future updates.
  </p>

  <p>
    GUIDs are non-empty strings that are meant to be stable and unique. When
    they refer to the same entity, they should be the same between ONC files. No
    two different networks or certificates should have the same GUID; similarly,
    a network and a certificate should not have the same GUID. A single ONC file
    should not contain the same entity twice (with the same GUID). Failing any
    of these tests indicates the ONC file is not valid.
  </p>

  <p>
    Any GUID referred to in an ONC file must be present in the same ONC file. In
    particular, it is an error to create a certificate in one ONC file and refer
    to it in a NetworkConfiguration in another ONC file without defining it
    there, even if the previous ONC file has been imported.
  </p>
</section>

<section>
  <h1>Implementation-specific fields</h1>
  <p>
    There are many different kinds of connections, and some that are not yet
    anticipated may require new fields. This format therefore allows arbitrary
    other fields to be added.
  </p>

  <p>
    Fields and values should follow these general guidelines:
  </p>

  <ul>
    <li>
      Certificates (with and without keys) should always be placed in the
      certificate section; specifically, certificate contents should not be
      placed in fields directly. Referring to certificates should be done using
      a field whose name ends in Ref and whose value is the GUID of the
      certificate, or, if the certificate is not contained in this file, its
      pattern can be described using a field ending in Pattern of
      <span class="type">CertificatePattern</span> type.
    </li>
    <li>
      Fields should exist in the most-specific object in the hierarchy and
      should be named CamelCase style.
    </li>
    <li>
      Booleans and integers should be used directly instead of using a
      stringified version of the type.
    </li>
  </ul>

  <p>
    Any editor of network configuration information should allow the user to
    modify any fields that are implementation-specific. Such fields may not be
    presented directly in the UI, but the editor should be able to import files
    with such settings and preserve these settings on export.
  </p>
</section>
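  <p>
    The GUID rules of the previous section and the Ref naming guideline above
    can be checked mechanically before a file is imported. The following Python
    is an added example written for this page; it is not code from the ONC
    specification or from any ONC implementation. The sample document is
    constructed for the example. Two assumptions are made: every field whose
    name ends in <span class="field">Ref</span> holds one certificate GUID and
    every field ending in <span class="field">Refs</span> holds a list of them,
    following the guideline above; and the
    <span class="field">Certificates</span> entries carry only a
    <span class="field">GUID</span>, because nothing else is inspected here.
  </p>

```python
"""Checks the GUID rules of an ONC file and resolves certificate references.

Added example for this page; not code from the ONC specification or from
any ONC implementation. Assumption: a field whose name ends in "Ref" holds
one certificate GUID and a field ending in "Refs" holds a list of them.
"""
import json

# Constructed sample: one VPN that references certificates, and a second
# entry that illegally reuses the same GUID. Certificate entries are
# reduced to their GUIDs because nothing else is inspected here.
SAMPLE_ONC = json.loads("""{
  "Type": "UnencryptedConfiguration",
  "NetworkConfigurations": [
    {"GUID": "net-1", "Name": "Corp VPN", "Type": "VPN",
     "VPN": {"Type": "IPsec", "Host": "vpn.example.test",
             "IPsec": {"AuthenticationType": "Cert", "IKEVersion": 1,
                       "ClientCertType": "Ref", "ClientCertRef": "cert-1",
                       "ServerCARefs": ["ca-1", "ca-missing"]}}},
    {"GUID": "net-1", "Remove": true}
  ],
  "Certificates": [{"GUID": "cert-1"}, {"GUID": "ca-1"}]
}""")


def collect_refs(obj, path=""):
    """Yield (json_path, guid) for every certificate reference under obj."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key.endswith("Ref") and isinstance(value, str):
                yield child, value
            elif key.endswith("Refs") and isinstance(value, list):
                for i, guid in enumerate(value):
                    if isinstance(guid, str):
                        yield f"{child}[{i}]", guid
            else:
                yield from collect_refs(value, child)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from collect_refs(item, f"{path}[{i}]")


def check_guids(onc):
    """Return a list of rule violations; an empty list means the GUID rules hold."""
    problems = []
    if not ("NetworkConfigurations" in onc or "Certificates" in onc):
        problems.append("at least one of NetworkConfigurations/Certificates is required")
    seen = {}  # GUID -> where it was first defined, across both arrays
    for section in ("NetworkConfigurations", "Certificates"):
        for i, entry in enumerate(onc.get(section, [])):
            where = f"{section}[{i}]"
            guid = entry.get("GUID")
            if not isinstance(guid, str) or not guid:
                problems.append(f"{where}: GUID must be a non-empty string")
            elif guid in seen:
                problems.append(f"{where}: GUID {guid!r} already used by {seen[guid]}")
            else:
                seen[guid] = where
    # Every reference must resolve to a certificate defined in this same file,
    # even if an earlier import already installed it.
    cert_guids = {c.get("GUID") for c in onc.get("Certificates", [])}
    for where, guid in collect_refs(onc.get("NetworkConfigurations", [])):
        if guid not in cert_guids:
            problems.append(f"NetworkConfigurations{where}: certificate {guid!r} "
                            "is not defined in this file")
    return problems


if __name__ == "__main__":
    for line in check_guids(SAMPLE_ONC):
        print(line)
```

  <p>
    On the sample, <span class="snippet">check_guids</span> reports the
    duplicated <span class="snippet">net-1</span> and the dangling
    <span class="snippet">ca-missing</span> reference; a file that defines
    <span class="snippet">ca-missing</span> in its own
    <span class="field">Certificates</span> array and drops the duplicate
    passes. Because the walk is generic, implementation-specific fields that
    follow the Ref/Refs convention are checked too.
  </p>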

<section>
  <h1>Unencrypted Configuration</h1>
  <p>
    When the top level <span class="field">Type</span> field
    is <span class="value">UnencryptedConfiguration</span>, the top level JSON
    has the <span class="type">UnencryptedConfiguration</span>
    type. The <span class="type">UnencryptedConfiguration</span> type contains
    the following:
  </p>

  <dl class="field_list">
    <dt class="field">Type</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      Must be <span class="value">UnencryptedConfiguration</span>.
    </dd>

    <dt class="field">NetworkConfigurations</dt>
    <dd>
      <span class="field_meta">
        (optional)
        <span class="type">array of NetworkConfiguration</span>
      </span>
      Describes Wi-Fi, Ethernet, VPN, and Cellular connections.
    </dd>

    <dt class="field">Certificates</dt>
    <dd>
      <span class="field_meta">
        (optional)
        <span class="type">array of Certificate</span>
      </span>
      Contains certificates stored in X.509 or PKCS#12 format.
    </dd>
  </dl>

  <p class="rule">
    <span class="rule_id"></span>
    At least one of the arrays (<span class="field">NetworkConfigurations</span>
    and/or <span class="field">Certificates</span>) must be present.
  </p>

<section>
  <h1>Network Configuration</h1>
  <p>
    Field <span class="field">NetworkConfigurations</span> is an array
    of <span class="type">NetworkConfiguration</span> typed
    objects. The <span class="type">NetworkConfiguration</span> type contains
    the following:
  </p>

  <dl class="field_list">
    <dt class="field">Ethernet</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Type</span> is
        <span class="value">Ethernet</span>, otherwise ignored)
        <span class="type">Ethernet</span>
      </span>
      Ethernet settings.
    </dd>

    <dt class="field">GUID</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      A unique identifier for this network connection, which exists to make it
      possible to update previously imported configurations. Must be a non-empty
      string.
    </dd>

    <dt class="field">IPConfigs</dt>
    <dd>
      <span class="field_meta">
        (optional if <span class="field">Remove</span> is
        <span class="value">false</span>, otherwise ignored)
        <span class="type">array of IPConfig</span>
      </span>
      Static IPv4 or IPv6 parameters to associate with this connection.
    </dd>

    <dt class="field">Name</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Remove</span> is
        <span class="value">false</span>, otherwise ignored)
        <span class="type">string</span>
      </span>
      A user-friendly description of this connection. This name will not be used
      for referencing and may not be unique. Instead it may be used for
      describing the network to the user.
    </dd>

    <dt class="field">Remove</dt>
    <dd>
      <span class="field_meta">
        (optional, defaults to <span class="value">false</span>)
        <span class="type">boolean</span>
      </span>
      If <span class="value">true</span>, the previously imported network
      configuration with this GUID is removed; in that case only
      <span class="field">GUID</span> and <span class="field">Remove</span>
      should be set.
    </dd>

    <dt class="field">ProxySettings</dt>
    <dd>
      <span class="field_meta">
        (optional if <span class="field">Remove</span> is
        <span class="value">false</span>, otherwise ignored)
        <span class="type">ProxySettings</span>
      </span>
      Proxy settings for this network.
    </dd>

    <dt class="field">NameServers</dt>
    <dd>
      <span class="field_meta">
        (optional if <span class="field">Remove</span> is
        <span class="value">false</span>, otherwise ignored)
        <span class="type">array of string</span>
      </span>
      Array of addresses to use for name servers. If not specified, DHCP values
      will be used.
    </dd>

    <dt class="field">SearchDomains</dt>
    <dd>
      <span class="field_meta">
        (optional if <span class="field">Remove</span> is
        <span class="value">false</span>, otherwise ignored)
        <span class="type">array of string</span>
      </span>
      Array of strings to append to names for resolution. Items in this array
      should not start with a dot. Example:
      <span class="snippet">["corp.acme.org", "acme.org"]</span>. If not
      specified, DHCP values will be used.
    </dd>

    <dt class="field">VPN</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Type</span> is
        <span class="value">VPN</span>, otherwise ignored)
        <span class="type">VPN</span>
      </span>
      VPN settings.
    </dd>

    <dt class="field">WiFi</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Type</span> is
        <span class="value">WiFi</span>, otherwise ignored)
        <span class="type">WiFi</span>
      </span>
      Wi-Fi settings.
    </dd>

    <dt class="field">Type</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Remove</span> is
        <span class="value">false</span>, otherwise ignored)
        <span class="type">string</span>
      </span>
      <span class="rule">
        <span class="rule_id"></span>
        Allowed values are <span class="value">Cellular</span>,
        <span class="value">Ethernet</span>, <span class="value">WiFi</span>,
        and <span class="value">VPN</span>.
      </span>
      Indicates which kind of connection this is.
    </dd>
  </dl>

<section>
  <h1>Ethernet networks</h1>
  <p>
    For Ethernet connections, <span class="field">Type</span> must be set to
    <span class="value">Ethernet</span> and the
    field <span class="field">Ethernet</span> must be set to an object of
    type <span class="type">Ethernet</span> containing the following fields:
  </p>

  <dl class="field_list">
    <dt class="field">Authentication</dt>
    <dd>
      <span class="field_meta">
        (optional)
        <span class="type">string</span>
      </span>
      <span class="rule">
        <span class="rule_id"></span>
        Allowed values are <span class="value">None</span> and
        <span class="value">8021X</span>.
      </span>
    </dd>

    <dt class="field">EAP</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Authentication</span> is
        <span class="value">8021X</span>, otherwise ignored)
        <span class="type">EAP</span>
      </span>
      EAP settings.
    </dd>
  </dl>
</section>

<section>
  <h1>IP Config</h1>
  <p>
    Field <span class="field">IPConfigs</span> is an array
    of <span class="type">IPConfig</span>
    objects. Each <span class="type">IPConfig</span> object describes a
    particular static IP configuration and contains the following fields:
  </p>

  <dl class="field_list">
    <dt class="field">Type</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      <span class="rule">
        <span class="rule_id"></span>
        Allowed values are <span class="value">IPv4</span>
        and <span class="value">IPv6</span>.
      </span>
      Describes the type of configuration this is.
    </dd>

    <dt class="field">IPAddress</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      Describes the IPv4 or IPv6 address of a connection, depending on the value
      of the <span class="field">Type</span> field. It should not contain the
      routing prefix (i.e. should not end in something like /64).
    </dd>

    <dt class="field">RoutingPrefix</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">integer</span>
      </span>
      <span class="rule">
        <span class="rule_id"></span>
        Must be a number in the range [1, 32] for IPv4 and [1, 128] for IPv6
        addresses.
      </span>
      Describes the routing prefix length in bits.
    </dd>

    <dt class="field">Gateway</dt>
    <dd>
      <span class="field_meta">
        (optional)
        <span class="type">string</span>
      </span>
      Describes the gateway address to use for the configuration. Must match
      the address type specified in the <span class="field">Type</span> field.
      If not specified, DHCP values will be used.
    </dd>

    <dt class="field">NameServers</dt>
    <dd>
      <span class="field_meta">
        (optional)
        <span class="type">array of string</span>
      </span>
      Array of addresses to use for name servers. Address format must match that
      specified in the <span class="field">Type</span> field. Overrides values
      in the top level NameServers field for this configuration. If not
      specified, top level values will be used.
    </dd>

    <dt class="field">SearchDomains</dt>
    <dd>
      <span class="field_meta">
        (optional)
        <span class="type">array of string</span>
      </span>
      Array of strings to append to names for resolution. Items in this array
      should not start with a dot. Example: <span class="snippet">[
      "corp.acme.org", "acme.org" ]</span>. Overrides values in the top level
      SearchDomains field for this configuration. If not specified, top level
      values will be used.
    </dd>
  </dl>
</section>
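  <p>
    The rules in this section (address family matching
    <span class="field">Type</span>, no prefix on
    <span class="field">IPAddress</span>, the
    <span class="field">RoutingPrefix</span> ranges, no leading dot in
    <span class="field">SearchDomains</span>) can be enforced with the Python
    standard library alone. The following is an added example for this page,
    not code from the ONC specification or from any ONC implementation; the two
    sample objects are constructed, one valid and one that breaks several rules
    at once.
  </p>

```python
"""Validates IPConfig objects against the rules of the IP Config section.

Added example for this page; not code from the ONC specification or from
any ONC implementation. Sample inputs are constructed.
"""
import ipaddress

PREFIX_MAX = {"IPv4": 32, "IPv6": 128}
FAMILY = {"IPv4": ipaddress.IPv4Address, "IPv6": ipaddress.IPv6Address}

# Constructed samples: one valid static IPv4 config and one IPv6 config
# that breaks four rules at once.
GOOD_V4 = {"Type": "IPv4", "IPAddress": "10.1.2.30", "RoutingPrefix": 24,
           "Gateway": "10.1.2.1", "NameServers": ["10.1.0.53"],
           "SearchDomains": ["corp.acme.org", "acme.org"]}
BAD_V6 = {"Type": "IPv6", "IPAddress": "2001:db8::10/64", "RoutingPrefix": 129,
          "Gateway": "10.1.2.1", "SearchDomains": [".acme.org"]}


def parse_address(text, ip_type):
    """Return the parsed address, or None unless text is a bare address of ip_type."""
    if not isinstance(text, str):
        return None
    try:
        addr = ipaddress.ip_address(text)  # rejects "addr/prefix" and host names
    except ValueError:
        return None
    return addr if isinstance(addr, FAMILY[ip_type]) else None


def check_ipconfig(cfg):
    """Return a list of rule violations for one IPConfig object."""
    ip_type = cfg.get("Type")
    if ip_type not in PREFIX_MAX:  # values are case-sensitive: "ipv4" is rejected
        return [f"Type must be IPv4 or IPv6, got {ip_type!r}"]
    problems = []
    addr = cfg.get("IPAddress")
    if parse_address(addr, ip_type) is None:
        problems.append(f"IPAddress {addr!r} is not a bare {ip_type} address")
    prefix = cfg.get("RoutingPrefix")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if (not isinstance(prefix, int) or isinstance(prefix, bool)
            or not 1 <= prefix <= PREFIX_MAX[ip_type]):
        problems.append(f"RoutingPrefix {prefix!r} must be an integer in "
                        f"[1, {PREFIX_MAX[ip_type]}]")
    gateway = cfg.get("Gateway")
    if gateway is not None and parse_address(gateway, ip_type) is None:
        problems.append(f"Gateway {gateway!r} does not match Type {ip_type}")
    for i, ns in enumerate(cfg.get("NameServers", [])):
        if parse_address(ns, ip_type) is None:
            problems.append(f"NameServers[{i}] {ns!r} does not match Type {ip_type}")
    for i, domain in enumerate(cfg.get("SearchDomains", [])):
        if not isinstance(domain, str) or not domain or domain.startswith("."):
            problems.append(f"SearchDomains[{i}] {domain!r} must be a name "
                            "without a leading dot")
    return problems


if __name__ == "__main__":
    print(check_ipconfig(GOOD_V4))  # []
    for line in check_ipconfig(BAD_V6):
        print(line)
```

  <p>
    <span class="snippet">ipaddress.ip_address</span> is used rather than a
    regular expression because it rejects a trailing
    <span class="snippet">/64</span>, host names, and mixed-family values in one
    step, and the family check against <span class="field">Type</span> catches
    the common mistake of pairing an IPv6 address with an IPv4 gateway or name
    server.
  </p>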

<section>
  <h1>Wi-Fi networks</h1>
  <p>
    For Wi-Fi connections, <span class="field">Type</span> must be set to
    <span class="value">WiFi</span> and the
    field <span class="field">WiFi</span> must be set to an object of
    type <span class="type">WiFi</span> containing the following fields:
  </p>

  <dl class="field_list">
    <dt class="field">AutoConnect</dt>
    <dd>
      <span class="field_meta">
        (optional, defaults to <span class="value">false</span>)
        <span class="type">boolean</span>
      </span>
      Indicates that the network should be connected to automatically when in
      range.
    </dd>

    <dt class="field">EAP</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Security</span> is
        <span class="value">WEP-8021X</span> or
        <span class="value">WPA-EAP</span>, otherwise ignored)
        <span class="type">EAP</span>
      </span>
      EAP settings.
    </dd>

    <dt class="field">HiddenSSID</dt>
    <dd>
      <span class="field_meta">
        (optional, defaults to <span class="value">false</span>)
        <span class="type">boolean</span>
      </span>
      Set to <span class="value">true</span> if the access point does not
      broadcast the SSID.
    </dd>

    <dt class="field">Passphrase</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Security</span> is
        <span class="value">WEP-PSK</span> or
        <span class="value">WPA-PSK</span>, otherwise ignored)
        <span class="type">string</span>
      </span>
      Describes the passphrase for WEP/WPA/WPA2
      connections. If <span class="value">WEP-PSK</span> is used, the passphrase
      must be of the format 0x&lt;hex-number&gt;, where &lt;hex-number&gt; is
      40, 104, 128, or 232 bits (10, 26, 32, or 58 hex digits).
    </dd>

    <dt class="field">Security</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      <span class="rule">
        <span class="rule_id"></span>
        Allowed values are <span class="value">None</span>,
        <span class="value">WEP-PSK</span>,
        <span class="value">WEP-8021X</span>,
        <span class="value">WPA-PSK</span>, and
        <span class="value">WPA-EAP</span>.
      </span>
    </dd>

    <dt class="field">SSID</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      SSID of the network.
    </dd>
  </dl>
</section>

<section>
  <h1>VPN networks</h1>
  <p>
    There are many kinds of VPNs with widely varying configuration options. We
    offer standard configuration options for a few common configurations at this
    time, and may add more later. For all others, implementation-specific fields
    should be used.
  </p>

  <p>
    For VPN connections, <span class="field">Type</span> must be set
    to <span class="value">VPN</span> and the
    field <span class="field">VPN</span> must be set to an object of
    type <span class="type">VPN</span> containing the following fields:
  </p>

  <dl class="field_list">
    <dt class="field">AutoConnect</dt>
    <dd>
      <span class="field_meta">
        (optional, defaults to <span class="value">false</span>)
        <span class="type">boolean</span>
      </span>
      Indicates that the network should be connected to automatically.
    </dd>

    <dt class="field">Host</dt>
    <dd>
      <span class="field_meta">
        (optional)
        <span class="type">string</span>
      </span>
      Host name or IP address of the server to connect to. The only scenario
      that does not require a host is a VPN that encrypts but does not tunnel
      traffic. Standalone IPsec (v1 or v2, certificate or PSK based; this is not
      the same as L2TP over IPsec) is one such setup. For all other types of
      VPN, the <span class="field">Host</span> field is required.
    </dd>

    <dt class="field">IPsec</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Type</span> is
        <span class="value">IPsec</span> or
        <span class="value">L2TP-IPsec</span>, otherwise ignored)
        <span class="type">IPsec</span>
      </span>
      IPsec layer settings.
    </dd>

    <dt class="field">L2TP</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Type</span> is
        <span class="value">L2TP-IPsec</span>, otherwise ignored)
        <span class="type">L2TP</span>
      </span>
      L2TP layer settings.
    </dd>

    <dt class="field">OpenVPN</dt>
    <dd>
      <span class="field_meta">
        (required if <span class="field">Type</span> is
        <span class="value">OpenVPN</span>, otherwise ignored)
        <span class="type">OpenVPN</span>
      </span>
      OpenVPN settings.
    </dd>

    <dt class="field">Type</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      <span class="rule">
        <span class="rule_id"></span>
        Allowed values are <span class="value">IPsec</span>,
        <span class="value">L2TP-IPsec</span>, and
        <span class="value">OpenVPN</span>.
      </span>
      Type of the VPN.
    </dd>
  </dl>

  <section>
    <h1>IPsec-based VPN types</h1>
    <p>
      The <span class="type">IPsec</span> type contains the following:
    </p>

    <dl class="field_list">
      <dt class="field">AuthenticationType</dt>
      <dd>
        <span class="field_meta">
          (required)
          <span class="type">string</span>
        </span>
        <span class="rule">
          <span class="rule_id"></span>
          Allowed values are <span class="value">PSK</span> and
          <span class="value">Cert</span>. If <span class="value">Cert</span>
          is used, <span class="field">ClientCertType</span> and
          <span class="field">ServerCARefs</span> (or the deprecated
          <span class="field">ServerCARef</span>) must be set.
        </span>
      </dd>

      <dt class="field">ClientCertPattern</dt>
      <dd>
        <span class="field_meta">
          (required if <span class="field">ClientCertType</span>
          is <span class="value">Pattern</span>, otherwise ignored)
          <span class="type">CertificatePattern</span>
        </span>
        Pattern describing the client certificate.
      </dd>

      <dt class="field">ClientCertRef</dt>
      <dd>
        <span class="field_meta">
          (required if <span class="field">ClientCertType</span>
          is <span class="value">Ref</span>, otherwise ignored)
          <span class="type">string</span>
        </span>
        Reference to a client certificate stored in the certificate section.
      </dd>

      <dt class="field">ClientCertType</dt>
      <dd>
        <span class="field_meta">
          (required if <span class="field">AuthenticationType</span>
          is <span class="value">Cert</span>, otherwise ignored)
          <span class="type">string</span>
        </span>
        <span class="rule">
          <span class="rule_id"></span>
          Allowed values are <span class="value">Ref</span> and
          <span class="value">Pattern</span>.
        </span>
      </dd>

      <dt class="field">EAP</dt>
      <dd>
        <span class="field_meta">
          (optional if <span class="field">IKEVersion</span> is 2, otherwise
          ignored)
          <span class="type">EAP</span>
        </span>
        If present, EAP authentication is used with the provided parameters.
      </dd>

      <dt class="field">Group</dt>
      <dd>
        <span class="field_meta">
          (optional if <span class="field">IKEVersion</span> is 1, otherwise
          ignored)
          <span class="type">string</span>
        </span>
        Group name used for machine authentication.
      </dd>

      <dt class="field">IKEVersion</dt>
      <dd>
        <span class="field_meta">
          (required)
          <span class="type">integer</span>
        </span>
        Version of the IKE protocol to use.
      </dd>

      <dt class="field">PSK</dt>
      <dd>
        <span class="field_meta">
          (optional if <span class="field">AuthenticationType</span>
          is <span class="value">PSK</span>, otherwise ignored)
          <span class="type">string</span>
        </span>
        Pre-Shared Key. If not specified, the user is prompted at time of
        connection.
      </dd>

      <dt class="field">SaveCredentials</dt>
      <dd>
        <span class="field_meta">
          (optional if <span class="field">AuthenticationType</span>
          is <span class="value">PSK</span>, otherwise ignored, defaults
          to <span class="value">false</span>)
          <span class="type">boolean</span>
        </span>
        If <span class="value">false</span>, require the user to enter
        credentials (PSK) each time they connect.
      </dd>

      <dt class="field">ServerCARefs</dt>
      <dd>
        <span class="field_meta">
          (optional if <span class="field">AuthenticationType</span>
          is <span class="value">Cert</span>, otherwise rejected)
          <span class="type">array of string</span>
        </span>
        Non-empty list of references to CA certificates in
        <span class="field">Certificates</span> to be used for verifying the
        host's certificate chain. At least one of the CA certificates must
        match. If this field is set, <span class="field">ServerCARef</span>
        must be unset.
      </dd>

      <dt class="field">ServerCARef</dt>
      <dd>
        <span class="field_meta">
          (optional if <span class="field">AuthenticationType</span>
          is <span class="value">Cert</span>, otherwise rejected)
          <span class="type">string</span>
        </span>
        DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
        Reference to a CA certificate in
        <span class="field">Certificates</span>; the certificate authority to
        use for verifying the connection. If this field is set,
        <span class="field">ServerCARefs</span> must be unset.
      </dd>

      <dt class="field">XAUTH</dt>
      <dd>
        <span class="field_meta">
          (optional if <span class="field">IKEVersion</span> is 1, otherwise
          ignored)
          <span class="type">XAUTH</span>
        </span>
        XAUTH credentials. XAUTH is not used if this object is not present.
      </dd>
    </dl>

    <p class="rule">
      <span class="rule_id"></span>
      If <span class="field">AuthenticationType</span> is set to
      <span class="value">Cert</span>, <span class="field">ServerCARefs</span>
      or <span class="field">ServerCARef</span> must be set.
    </p>

    <p class="rule">
      <span class="rule_id"></span>
      At most one of <span class="field">ServerCARefs</span> and
      <span class="field">ServerCARef</span> can be set.
    </p>
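    <p>
      Both the Wi-Fi section and the <span class="type">IPsec</span> type above
      define fields whose presence depends on another field: which of
      <span class="field">Passphrase</span> or <span class="field">EAP</span> a
      given <span class="field">Security</span> value requires, the 0x-hex form
      of a <span class="value">WEP-PSK</span> passphrase, and the
      <span class="field">AuthenticationType</span>,
      <span class="field">ClientCertType</span> and
      <span class="field">ServerCARefs</span>/<span class="field">ServerCARef</span>
      dependencies. The following Python checks those rules for both types. It
      is an added example for this page, not code from the ONC specification or
      from any ONC implementation, and its sample objects are constructed.
      Treating <span class="field">IKEVersion</span> as limited to 1 and 2 is an
      assumption drawn from the IKE v1 and v2 sections that follow.
    </p>

```python
"""Checks the conditional field rules of the ONC WiFi and IPsec types.

Added example for this page; not code from the ONC specification or from
any ONC implementation. Sample inputs are constructed. Assumption: IKEVersion
is 1 or 2, as in the IKE v1 / IKE v2 sections of the spec.
"""
import re

WIFI_SECURITY = {"None", "WEP-PSK", "WEP-8021X", "WPA-PSK", "WPA-EAP"}
# 40/104/128/232-bit WEP keys written as 0x<hex>: 10, 26, 32 or 58 hex digits.
WEP_KEY_RE = re.compile(
    r"^0x(?:[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26}|[0-9A-Fa-f]{32}|[0-9A-Fa-f]{58})$")

# Constructed samples.
WIFI_OK = {"SSID": "lab", "Security": "WEP-PSK", "Passphrase": "0x0123456789"}
WIFI_BAD = {"SSID": "lab", "Security": "WEP-PSK", "Passphrase": "s3cret"}
IPSEC_OK = {"AuthenticationType": "Cert", "IKEVersion": 1, "ClientCertType": "Ref",
            "ClientCertRef": "cert-1", "ServerCARefs": ["ca-1"]}
IPSEC_BAD = {"AuthenticationType": "Cert", "IKEVersion": 1, "ClientCertType": "Ref",
             "ServerCARefs": ["ca-1"], "ServerCARef": "ca-1"}


def check_wifi(wifi):
    """Return rule violations for one WiFi object (empty list if valid)."""
    sec = wifi.get("Security")
    if sec not in WIFI_SECURITY:
        return [f"Security {sec!r} is not an allowed value"]
    problems = []
    if not isinstance(wifi.get("SSID"), str):
        problems.append("SSID is required")
    passphrase = wifi.get("Passphrase")
    if sec in ("WEP-PSK", "WPA-PSK") and not isinstance(passphrase, str):
        problems.append(f"Passphrase is required when Security is {sec}")
    if sec in ("WEP-8021X", "WPA-EAP") and not isinstance(wifi.get("EAP"), dict):
        problems.append(f"EAP is required when Security is {sec}")
    if sec == "WEP-PSK" and isinstance(passphrase, str) and not WEP_KEY_RE.match(passphrase):
        problems.append("WEP-PSK Passphrase must be 0x<hex> with 40, 104, 128 or 232 bits")
    return problems


def check_ipsec(ipsec):
    """Return rule violations for one IPsec object (empty list if valid)."""
    auth = ipsec.get("AuthenticationType")
    if auth not in ("PSK", "Cert"):
        return [f"AuthenticationType {auth!r} is not an allowed value"]
    problems = []
    ike = ipsec.get("IKEVersion")
    if isinstance(ike, bool) or ike not in (1, 2):  # True == 1 in Python
        problems.append("IKEVersion must be 1 or 2")
    has_refs, has_ref = "ServerCARefs" in ipsec, "ServerCARef" in ipsec
    if has_refs and has_ref:
        problems.append("at most one of ServerCARefs and ServerCARef may be set")
    if auth == "Cert":
        cct = ipsec.get("ClientCertType")
        if cct not in ("Ref", "Pattern"):
            problems.append("ClientCertType must be Ref or Pattern when AuthenticationType is Cert")
        elif f"ClientCert{cct}" not in ipsec:  # ClientCertRef / ClientCertPattern
            problems.append(f"ClientCert{cct} is required when ClientCertType is {cct}")
        if not has_refs and not has_ref:
            problems.append("ServerCARefs (or deprecated ServerCARef) is required for Cert")
        elif has_refs and (not isinstance(ipsec["ServerCARefs"], list)
                           or not ipsec["ServerCARefs"]):
            problems.append("ServerCARefs must be a non-empty array")
    elif has_refs or has_ref:
        problems.append("ServerCARefs/ServerCARef are rejected unless AuthenticationType is Cert")
    return problems


if __name__ == "__main__":
    for sample in (WIFI_OK, WIFI_BAD):
        print(check_wifi(sample))
    for sample in (IPSEC_OK, IPSEC_BAD):
        print(check_ipsec(sample))
```

    <p>
      The interesting cases are the ones the field table marks "otherwise
      rejected": a <span class="value">PSK</span> configuration carrying a
      <span class="field">ServerCARef</span> is an error rather than a harmless
      extra field, and a <span class="value">Cert</span> configuration that
      names <span class="value">Ref</span> as its
      <span class="field">ClientCertType</span> but omits
      <span class="field">ClientCertRef</span> has no client identity at all.
    </p>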
794
795    <p>
796      <span class="type">L2TP</span> type contains the following:
797    </p>
798
799    <dl class="field_list">
800      <dt class="field">Password</dt>
801      <dd>
802        <span class="field_meta">
803          (optional)
804          <span class="type">string</span>
805        </span>
806        User authentication password. If not specified, user is prompted at time
807        of connection.
808      </dd>
809
810      <dt class="field">SaveCredentials</dt>
811      <dd>
812        <span class="field_meta">
813          (optional, defaults to <span class="value">false</span>)
814          <span class="type">boolean</span>
815        </span>
816        If <span class="value">false</span>, require user to enter credentials
817        each time they connect.
818      </dd>
819
820      <dt class="field">Username</dt>
821      <dd>
822        <span class="field_meta">
823          (optional)
824          <span class="type">string</span>
825        </span>
826        User identity. This value is subject to string expansions. If not
827        specified, user is prompted at time of connection.
828      </dd>
829    </dl>
830
831    <p>
832      <span class="type">XAUTH</span> type contains the following:
833    </p>
834
835    <dl class="field_list">
836      <dt class="field">Password</dt>
837      <dd>
838        <span class="field_meta">
839          (optional)
840          <span class="type">string</span>
841        </span>
842        XAUTH password. If not specified, user is prompted at time of
843        connection.
844      </dd>
845
846      <dt class="field">SaveCredentials</dt>
847      <dd>
848        <span class="field_meta">
849          (optional, defaults to <span class="value">false</span>)
850          <span class="type">boolean</span>
851        </span>
852        If <span class="value">false</span>, require user to enter credentials
853        each time they connect.
854      </dd>
855
856      <dt class="field">Username</dt>
857      <dd>
858        <span class="field_meta">
859          (optional)
860          <span class="type">string</span>
861        </span>
862        XAUTH user name. This value is subject to string expansions. If not
863        specified, user is prompted at time of connection.
864      </dd>
865    </dl>
866
867<section>
868  <h1>IPsec IKE v1 VPN connections</h1>
869  <p>
870    <span class="field">VPN.Type</span> must
871    be <span class="value">IPsec</span>, <span class="field">IKEVersion</span>
872    must be 1. Do not use this for L2TP over IPsec. This may be used for
873    machine-authentication-only IKEv1 or for IKEv1 with XAUTH. See
874    the <span class="type">IPsec</span> type described below.
875  </p>
876</section>
877
878<section>
879  <h1>IPsec IKE v2 VPN connections</h1>
880  <p>
881    <span class="field">VPN.Type</span> must
882    be <span class="value">IPsec</span>, <span class="field">IKEVersion</span>
883    must be 2. This may be used with EAP-based user authentication.
884  </p>
885</section>
886
887<section>
888  <h1>L2TP over IPsec VPN connections</h1>
889  <p>
890    There are two major configurations of L2TP over IPsec, which depend on
891    how IPsec is authenticated. In either case <span class="field">Type</span>
892    must be <span class="value">L2TP-IPsec</span>. They are described below.
893  </p>
894
895  <p>
896    L2TP over IPsec with pre-shared key:
897  </p>
898
899  <ul>
900    <li>The field <span class="field">IPsec</span> must be present and have the
901    following settings:
902      <ul>
903        <li><span class="field">IKEVersion</span> must be 1.</li>
904        <li><span class="field">AuthenticationType</span> must be PSK.</li>
905        <li><span class="field">XAUTH</span> must not be set.</li>
906      </ul>
907    </li>
908    <li>The field <span class="field">L2TP</span> must be present.</li>
909  </ul>
910</section>
911
912</section>
913
914<section>
915  <h1>OpenVPN connections and types</h1>
916  <p>
917    <span class="field">VPN.Type</span> must be
918    <span class="value">OpenVPN</span>.
919  </p>
920
921  <p>
922    <span class="type">OpenVPN</span> type contains the following:
923  </p>
924
925  <dl class="field_list">
926    <dt class="field">Auth</dt>
927    <dd>
928      <span class="field_meta">
929        (optional, defaults to <span class="value">SHA1</span>)
930        <span class="type">string</span>
931      </span>
932    </dd>
933
934    <dt class="field">AuthRetry</dt>
935    <dd>
936      <span class="field_meta">
937        (optional, defaults to <span class="value">none</span>)
938        <span class="type">string</span>
939      </span>
940      <span class="rule">
941        <span class="rule_id"></span>
942        Allowed values are <span class="value">none</span>,
943        <span class="value">nointeract</span>, and
944        <span class="value">interact</span>.
945      </span>
946      Controls how OpenVPN responds to username/password verification
947      errors:<br> Either fail with error on retry
948      (<span class="value">none</span>), retry without asking for authentication
949      (<span class="value">nointeract</span>), or ask again for authentication
950      each time (<span class="value">interact</span>).
951    </dd>
952
953    <dt class="field">AuthNoCache</dt>
954    <dd>
955      <span class="field_meta">
956        (optional, defaults to <span class="value">false</span>)
957        <span class="type">boolean</span>
958      </span>
959      Disable caching of credentials in memory.
960    </dd>
961
962    <dt class="field">Cipher</dt>
963    <dd>
964      <span class="field_meta">
965        (optional, defaults to <span class="value">BF-CBC</span>)
966        <span class="type">string</span>
967      </span>
968      Cipher to use.
969    </dd>
970
971    <dt class="field">ClientCertRef</dt>
972    <dd>
973      <span class="field_meta">
974        (required if <span class="field">ClientCertType</span> is
975        <span class="value">Ref</span>, otherwise ignored)
976        <span class="type">string</span>
977      </span>
978      Reference to client certificate stored in certificate section.
979    </dd>
980
981    <dt class="field">ClientCertPattern</dt>
982    <dd>
983      <span class="field_meta">
984        (required if <span class="field">ClientCertType</span> is
985        <span class="value">Pattern</span>, otherwise ignored)
986        <span class="type">CertificatePattern</span>
987      </span>
988      Pattern to use to find the client certificate.
989    </dd>
990
991    <dt class="field">ClientCertType</dt>
992    <dd>
993      <span class="field_meta">
994        (required)
995        <span class="type">string</span>
996      </span>
997      <span class="rule">
998        <span class="rule_id"></span>
999        Allowed values are <span class="value">Ref</span>,
1000        <span class="value">Pattern</span>, and <span class="value">None</span>.
1001      </span>
1002      <span class="value">None</span> implies that the server is configured to
1003      not require client certificates.
1004    </dd>
1005
1006    <dt class="field">CompLZO</dt>
1007    <dd>
1008      <span class="field_meta">
1009        (optional, defaults to <span class="value">adaptive</span>)
1010        <span class="type">string</span>
1011      </span>
1012      Enables fast LZO compression. Allowed values are
1013      <span class="value">adaptive</span>, <span class="value">true</span>,
      and <span class="value">false</span>.
1014    </dd>
1015
1016    <dt class="field">CompNoAdapt</dt>
1017    <dd>
1018      <span class="field_meta">
1019        (optional, defaults to <span class="value">false</span>)
1020        <span class="type">boolean</span>
1021      </span>
1022      Disables adaptive compression.
1023    </dd>
1024
1025    <dt class="field">KeyDirection</dt>
1026    <dd>
1027      <span class="field_meta">
1028        (optional)
1029        <span class="type">string</span>
1030      </span>
1031      Passed as --key-direction.
1032    </dd>
1033
1034    <dt class="field">NsCertType</dt>
1035    <dd>
1036      <span class="field_meta">
1037        (optional)
1038        <span class="type">string</span>
1039      </span>
1040      If set, checks the peer certificate type. When set, the only value that
1041      should be used is <span class="value">server</span>.
1042    </dd>
1043
1044    <dt class="field">Password</dt>
1045    <dd>
1046      <span class="field_meta">
1047        (optional)
1048        <span class="type">string</span>
1049      </span>
1050      OpenVPN password. If not specified, user is prompted at time of connection.
1051    </dd>
1052
1053    <dt class="field">Port</dt>
1054    <dd>
1055      <span class="field_meta">
1056        (optional, defaults to <span class="value">1194</span>)
1057        <span class="type">integer</span>
1058      </span>
1059      Port for connecting to server.
1060    </dd>
1061
1062    <dt class="field">Proto</dt>
1063    <dd>
1064      <span class="field_meta">
1065        (optional, defaults to <span class="value">udp</span>)
1066        <span class="type">string</span>
1067      </span>
1068      Protocol for communicating with server.
1069    </dd>
1070
1071    <dt class="field">PushPeerInfo</dt>
1072    <dd>
1073      <span class="field_meta">
1074        (optional, defaults to <span class="value">false</span>)
1075        <span class="type">boolean</span>
1076      </span>
1077    </dd>
1078
1079    <dt class="field">RemoteCertEKU</dt>
1080    <dd>
1081      <span class="field_meta">
1082        (optional)
1083        <span class="type">string</span>
1084      </span>
1085      Require that the peer certificate was signed with this explicit extended
1086      key usage, given in OID notation.
1087    </dd>
1088
1089    <dt class="field">RemoteCertKU</dt>
1090    <dd>
1091      <span class="field_meta">
1092        (optional, defaults to [])
1093        <span class="type">array of string</span>
1094      </span>
1095      Require the given array of key usage numbers. These are strings holding
1096      hex-encoded numbers.
1097    </dd>
1098
1099    <dt class="field">RemoteCertTLS</dt>
1100    <dd>
1101      <span class="field_meta">
1102        (optional, defaults to <span class="value">server</span>)
1103        <span class="type">string</span>
1104      </span>
1105      <span class="rule">
1106        <span class="rule_id"></span>
1107        Allowed values are <span class="value">none</span> and
1108        <span class="value">server</span>.
1109      </span>
1110      Require peer certificate signing based on RFC 3280 TLS rules.
1111    </dd>
1112
1113    <dt class="field">RenegSec</dt>
1114    <dd>
1115      <span class="field_meta">
1116        (optional, defaults to <span class="value">3600</span>)
1117        <span class="type">integer</span>
1118      </span>
1119      Renegotiate data channel key after this number of seconds.
1120    </dd>
1121
1122    <dt class="field">SaveCredentials</dt>
1123    <dd>
1124      <span class="field_meta">
1125        (optional, defaults to <span class="value">false</span>)
1126        <span class="type">boolean</span>
1127      </span>
1128      If <span class="value">false</span>, require user to enter credentials
1129      each time they connect.
1130    </dd>
1131
1132    <dt class="field">ServerCARefs</dt>
1133    <dd>
1134      <span class="field_meta">
1135        (optional)
1136        <span class="type">array of string</span>
1137      </span>
1138      Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. See also OpenVPN's command line option "--ca". If this field is set, <span class="field">ServerCARef</span> must be unset.
1139    </dd>
1140
1141    <dt class="field">ServerCARef</dt>
1142    <dd>
1143      <span class="field_meta">
1144        (optional)
1145        <span class="type">string</span>
1146      </span>
1147      DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
1148      Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
1149    </dd>
1150
1151    <dt class="field">ServerCertRef</dt>
1152    <dd>
1153      <span class="field_meta">
1154        (optional)
1155        <span class="type">string</span>
1156      </span>
1157      Reference to a certificate: the peer's signed certificate.
1158    </dd>
1159
1160    <dt class="field">ServerPollTimeout</dt>
1161    <dd>
1162      <span class="field_meta">
1163        (optional)
1164        <span class="type">integer</span>
1165      </span>
1166      Spend no more than this number of seconds before trying the next server.
1167    </dd>
1168
1169    <dt class="field">Shaper</dt>
1170    <dd>
1171      <span class="field_meta">
1172        (optional)
1173        <span class="type">integer</span>
1174      </span>
1175      If not specified, no bandwidth limiting is applied; otherwise, limit the
1176      bandwidth of outgoing tunnel data to this number of bytes per second.
1177    </dd>
1178
1179    <dt class="field">StaticChallenge</dt>
1180    <dd>
1181      <span class="field_meta">
1182        (optional)
1183        <span class="type">string</span>
1184      </span>
1185      This string is used in the static challenge response. Note that echoing
1186      is always enabled.
1187    </dd>
1188
1189    <dt class="field">TLSAuthContents</dt>
1190    <dd>
1191      <span class="field_meta">
1192        (optional)
1193        <span class="type">string</span>
1194      </span>
1195      If not set, TLS auth is not used. If set, this is the TLS auth key
1196      contents (usually starting with "-----BEGIN OpenVPN Static Key...").
1197    </dd>
1198
1199    <dt class="field">TLSRemote</dt>
1200    <dd>
1201      <span class="field_meta">
1202        (optional)
1203        <span class="type">string</span>
1204      </span>
1205      If set, only allow connections to server hosts with an X.509 name or
1206      common name equal to this string.
1207    </dd>
1208
1209    <dt class="field">Username</dt>
1210    <dd>
1211      <span class="field_meta">
1212        (optional)
1213        <span class="type">string</span>
1214      </span>
1215      OpenVPN user name. This value is subject to string expansions. If not
1216      specified, user is prompted at time of connection.
1217    </dd>
1218
1219    <dt class="field">Verb</dt>
1220    <dd>
1221      <span class="field_meta">
1222        (optional)
1223        <span class="type">string</span>
1224      </span>
1225      Verbosity level; defaults to OpenVPN's default if not specified.
1226    </dd>
1227
1228    <dt class="field">VerifyHash</dt>
1229    <dd>
1230      <span class="field_meta">
1231        (optional)
1232        <span class="type">string</span>
1233      </span>
1234      If set, this value is passed as the "--verify-hash" argument to OpenVPN,
1235      which specifies the SHA1 fingerprint for the level-1 certificate.
1236    </dd>
1237
1238    <dt class="field">VerifyX509</dt>
1239    <dd>
1240      <span class="field_meta">
1241        (optional)
1242        <span class="type">VerifyX509</span>
1243      </span>
1244      If set, the "--verify-x509-name" argument is passed to OpenVPN with the values of this object, and connections will only be accepted if the host's X.509 name is equal to the given name.
1245    </dd>
1246  </dl>
1247
1248  <p class="rule">
1249    <span class="rule_id"></span>
1250    At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
1251  </p>
1252
1253  <p>
1254    <span class="type">VerifyX509</span> type contains the following:
1255  </p>
1256  <dl class="field_list">
1257    <dt class="field">Name</dt>
1258    <dd>
1259      <span class="field_meta">
1260        (required)
1261        <span class="type">string</span>
1262      </span>
1263      The name that the host's X.509 name is compared to. Which host name is compared depends on the value of <span class="field">Type</span>.
1264    </dd>
1265
1266    <dt class="field">Type</dt>
1267    <dd>
1268      <span class="field_meta">
1269        (optional)
1270        <span class="type">string</span>
1271      </span>
1272      Determines which of the host's X.509 names will be verified. Allowed values are <span class="value">name</span>, <span class="value">name-prefix</span> and <span class="value">subject</span>. See OpenVPN's documentation for "--verify-x509-name" for the meaning of each value. Defaults to OpenVPN's default if not specified.
1273    </dd>
1274  </dl>
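<p>
  The following is an added example, not code from the ONC specification or
  from any ONC implementation: it checks the structural rules stated above for
  an L2TP over IPsec (pre-shared key) VPN object and for an OpenVPN object,
  including the rule that at most one of ServerCARefs and ServerCARef may be
  set. The check functions and the sample objects (with placeholder GUIDs) are
  constructed here; the field names and allowed values are the spec's.
</p>

```python
# Added example, not part of the ONC specification or any ONC implementation:
# structural checks for the L2TP over IPsec (PSK) and OpenVPN rules above.
# Field names and allowed values are the spec's; the check functions and the
# sample configurations are constructed here.

OPENVPN_ENUMS = {
    "AuthRetry": {"none", "nointeract", "interact"},
    "RemoteCertTLS": {"none", "server"},
    "CompLZO": {"adaptive", "true", "false"},
}
OPENVPN_CLIENT_CERT_TYPES = {"Ref", "Pattern", "None"}


def check_l2tp_ipsec_psk(vpn):
    """Return the rule violations of a VPN object meant to be L2TP over IPsec with PSK."""
    errors = []
    if vpn.get("Type") != "L2TP-IPsec":
        errors.append("Type must be L2TP-IPsec")
    ipsec = vpn.get("IPsec")
    if not isinstance(ipsec, dict):
        errors.append("IPsec must be present")
    else:
        if ipsec.get("IKEVersion") != 1:
            errors.append("IPsec.IKEVersion must be 1")
        if ipsec.get("AuthenticationType") != "PSK":
            errors.append("IPsec.AuthenticationType must be PSK")
        if "XAUTH" in ipsec:
            errors.append("IPsec.XAUTH must not be set")
    if not isinstance(vpn.get("L2TP"), dict):
        errors.append("L2TP must be present")
    return errors


def check_openvpn(vpn):
    """Return the rule violations of a VPN object of Type OpenVPN."""
    errors = []
    if vpn.get("Type") != "OpenVPN":
        errors.append("Type must be OpenVPN")
    ovpn = vpn.get("OpenVPN")
    if not isinstance(ovpn, dict):
        return errors + ["OpenVPN must be present"]

    # String fields restricted to a fixed set of values.
    for field, allowed in OPENVPN_ENUMS.items():
        if field in ovpn and ovpn[field] not in allowed:
            errors.append(f"{field} must be one of {sorted(allowed)}")

    # ClientCertType is required and decides which companion field is required.
    cct = ovpn.get("ClientCertType")
    if cct not in OPENVPN_CLIENT_CERT_TYPES:
        errors.append("ClientCertType is required and must be Ref, Pattern or None")
    elif cct == "Ref" and not ovpn.get("ClientCertRef"):
        errors.append("ClientCertRef is required when ClientCertType is Ref")
    elif cct == "Pattern" and not isinstance(ovpn.get("ClientCertPattern"), dict):
        errors.append("ClientCertPattern is required when ClientCertType is Pattern")

    # Server CA pinning: at most one of the two fields, and the list is non-empty.
    if "ServerCARefs" in ovpn and "ServerCARef" in ovpn:
        errors.append("at most one of ServerCARefs and ServerCARef can be set")
    if "ServerCARefs" in ovpn and not ovpn["ServerCARefs"]:
        errors.append("ServerCARefs must be a non-empty list")

    # NsCertType, when present, should only ever be 'server'.
    if "NsCertType" in ovpn and ovpn["NsCertType"] != "server":
        errors.append("NsCertType should only be set to server")
    return errors


# Constructed sample objects; the GUIDs are placeholders, not real references.
SAMPLE_L2TP = {
    "Type": "L2TP-IPsec",
    "IPsec": {"IKEVersion": 1, "AuthenticationType": "PSK"},
    "L2TP": {"Username": "alice"},
}
SAMPLE_OPENVPN = {
    "Type": "OpenVPN",
    "OpenVPN": {
        "ClientCertType": "Ref",
        "ClientCertRef": "{client-cert-guid}",
        "ServerCARefs": ["{ca-cert-guid}"],
        "RemoteCertTLS": "server",
    },
}

if __name__ == "__main__":
    print(check_l2tp_ipsec_psk(SAMPLE_L2TP))  # []
    print(check_openvpn(SAMPLE_OPENVPN))      # []
```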
1275
1276</section>
1277
1278</section>
1279
1280<section>
1281  <h1>Client certificate patterns</h1>
1282  <p>
1283    In order to allow clients to securely hold their own private keys and
1284    request certificates in PKCS#10 format or through a web flow, we provide
1285    alternative CertificatePattern types. The
1286    <span class="type">CertificatePattern</span> type contains the following:
1287  </p>
1288
1289  <dl class="field_list">
1290    <dt class="field">IssuerCARef</dt>
1291    <dd>
1292      <span class="field_meta">
1293        (optional)
1294        <span class="type">array of string</span>
1295      </span>
1296      Array of references to certificates. At least one must have signed the
1297      client certificate.
1298    </dd>
1299
1300    <dt class="field">Issuer</dt>
1301    <dd>
1302      <span class="field_meta">
1303        (optional)
1304        <span class="type">IssuerSubjectPattern</span>
1305      </span>
1306      Pattern to match the issuer X.509 settings against. If not specified, the
1307      only checks done will be a signature check against
1308      the <span class="field">IssuerCARef</span> field. Issuer of the
1309      certificate must match this field exactly to match the pattern.
1310    </dd>
1311
1312    <dt class="field">Subject</dt>
1313    <dd>
1314      <span class="field_meta">
1315        (optional)
1316        <span class="type">IssuerSubjectPattern</span>
1317      </span>
1318      Pattern to match the subject X.509 settings against. If not specified, the
1319      subject settings are not checked and any certificate matches. Subject of
1320      the certificate must match this field exactly to match the pattern.
1321    </dd>
1322
1323    <dt class="field">EnrollmentURI</dt>
1324    <dd>
1325      <span class="field_meta">
1326        (optional)
1327        <span class="type">array of string</span>
1328      </span>
1329      If no certificate matches this CertificatePattern, the first URI from this
1330      array with a recognized scheme is navigated to, with the intention that
1331      this either informs the user how to get the certificate or obtains the
1332      certificate for the user. For instance, the array may be [
1333      "chrome-extension://asakgksjssjwwkeielsjs/fetch-client-cert.html",
1334      "http://intra/connecting-to-wireless.html" ] so that for Chrome browsers a
1335      Chrome app or extension is shown to the user, but for other browsers, a
1336      web URL is shown.
1337    </dd>
1338  </dl>
1339
1340  <p>
1341    The <span class="type">IssuerSubjectPattern</span> type contains the
1342    following:
1343  </p>
1344
1345  <dl class="field_list">
1346    <dt class="field">CommonName</dt>
1347    <dd>
1348      <span class="field_meta">
1349        (optional)
1350        <span class="type">string</span>
1351      </span>
1352      Certificate subject's commonName must match this string if present.
1353    </dd>
1354
1355    <dt class="field">Locality</dt>
1356    <dd>
1357      <span class="field_meta">
1358        (optional)
1359        <span class="type">string</span>
1360      </span>
1361      Certificate subject's locality must match this string if present.
1362    </dd>
1363
1364    <dt class="field">Organization</dt>
1365    <dd>
1366      <span class="field_meta">
1367        (optional)
1368        <span class="type">string</span>
1369      </span>
1370      At least one of certificate subject's organizations must match this string
1371      if present.
1372    </dd>
1373
1374    <dt class="field">OrganizationalUnit</dt>
1375    <dd>
1376      <span class="field_meta">
1377        (optional)
1378        <span class="type">string</span>
1379      </span>
1380      At least one of certificate subject's organizational units must match this
1381      string if present.
1382    </dd>
1383  </dl>
1384
1385  <p class="rule">
1386    <span class="rule_id"></span>
1387    One field in <span class="field">Subject</span>,
1388    <span class="field">Issuer</span>, or <span class="field">IssuerCARef</span>
1389    must be given for a <span class="type">CertificatePattern</span> typed field
1390    to be valid.
1391  </p>
1392
1393  <p>
1394    For a certificate to be considered matching, it must match all
1395    the fields in the certificate pattern. If multiple certificates match, the
1396    certificate with the latest issue date that is still in the past, and hence
1397    valid, will be used.
1398  </p>
1399
1400  <p>
1401    If <span class="field">EnrollmentURI</span> is not given and no match is
1402    found to this pattern, the importing tool may show an error to the user.
1403  </p>
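<p>
  The following is an added example, not code from the ONC specification or
  from any importing tool: it applies the CertificatePattern matching and
  selection rules above (every pattern field must match; among several
  matches, the latest issue date that is not in the future wins) to
  constructed, already-parsed certificate records. The record layout (a dict
  with guid, subject, issuer, issuer_guids and not_before) and all names and
  GUIDs are assumptions made for this example.
</p>

```python
# Added example, not part of the ONC specification or any implementation:
# applies the CertificatePattern matching and selection rules above to
# constructed, already-parsed certificate records. The record layout (a dict
# with 'guid', 'subject', 'issuer', 'issuer_guids' and 'not_before') is an
# assumption made for this example.
from datetime import datetime, timezone

SINGLE_VALUED = {"CommonName": "CN", "Locality": "L"}
MULTI_VALUED = {"Organization": "O", "OrganizationalUnit": "OU"}


def pattern_is_valid(pattern):
    """Rule: at least one of Subject, Issuer or IssuerCARef must be given."""
    return any(key in pattern for key in ("Subject", "Issuer", "IssuerCARef"))


def names_match(pattern, names):
    """IssuerSubjectPattern check against one distinguished name.

    Every field present in the pattern must match exactly; CommonName and
    Locality are single values, while Organization and OrganizationalUnit
    match if at least one of the name's values equals the pattern string.
    """
    if pattern is None:
        return True
    for field, attr in SINGLE_VALUED.items():
        if field in pattern and names.get(attr) != pattern[field]:
            return False
    for field, attr in MULTI_VALUED.items():
        if field in pattern and pattern[field] not in names.get(attr, []):
            return False
    return True


def matches_pattern(cert, pattern):
    """True only if the certificate matches all fields of the CertificatePattern."""
    if "IssuerCARef" in pattern:
        # At least one of the referenced CA certificates must have signed it.
        if not set(pattern["IssuerCARef"]) & set(cert["issuer_guids"]):
            return False
    return (names_match(pattern.get("Issuer"), cert["issuer"])
            and names_match(pattern.get("Subject"), cert["subject"]))


def select_certificate(certs, pattern, now):
    """Choose the matching certificate with the latest issue date not in the future.

    Returns None when nothing matches; the importing tool would then fall
    back to EnrollmentURI or report an error to the user.
    """
    if not pattern_is_valid(pattern):
        raise ValueError("CertificatePattern needs Subject, Issuer or IssuerCARef")
    candidates = [c for c in certs
                  if matches_pattern(c, pattern) and c["not_before"] <= now]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c["not_before"])


def _cert(guid, cn, ous, issued, issuer_guid="{corp-ca-guid}"):
    # Constructed record; GUIDs and names are placeholders.
    return {
        "guid": guid,
        "subject": {"CN": cn, "O": ["Example Corp"], "OU": ous},
        "issuer": {"CN": "Example Corp Issuing CA", "O": ["Example Corp"]},
        "issuer_guids": [issuer_guid],
        "not_before": datetime(*issued, tzinfo=timezone.utc),
    }


# Constructed sample store: an old, a current, a not-yet-valid, a wrong-OU
# and a wrong-issuer certificate for the same user.
SAMPLE_CERTS = [
    _cert("{old}", "alice@example.test", ["Wireless"], (2022, 1, 1)),
    _cert("{current}", "alice@example.test", ["Wireless"], (2024, 6, 1)),
    _cert("{future}", "alice@example.test", ["Wireless"], (2030, 1, 1)),
    _cert("{other}", "alice@example.test", ["VPN"], (2024, 9, 1)),
    _cert("{foreign}", "alice@example.test", ["Wireless"], (2024, 12, 1),
          issuer_guid="{some-other-ca}"),
]
SAMPLE_PATTERN = {
    "IssuerCARef": ["{corp-ca-guid}"],
    "Issuer": {"CommonName": "Example Corp Issuing CA"},
    "Subject": {"Organization": "Example Corp", "OrganizationalUnit": "Wireless"},
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(select_certificate(SAMPLE_CERTS, SAMPLE_PATTERN, NOW)["guid"])  # {current}
```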
1404</section>
1405
1406<section>
1407  <h1>Proxy settings</h1>
1408  <p>
1409    Every network can be configured to use a
1410    proxy. The <span class="type">ProxySettings</span> type contains the
1411    following:
1412  </p>
1413
1414  <dl class="field_list">
1415    <dt class="field">Type</dt>
1416    <dd>
1417      <span class="field_meta">
1418        (required)
1419        <span class="type">string</span>
1420      </span>
1421      <span class="rule">
1422        <span class="rule_id"></span>
1423        Allowed values are <span class="value">Direct</span>,
1424        <span class="value">Manual</span>, <span class="value">PAC</span>, and
1425        <span class="value">WPAD</span>.
1426      </span>
1427      <span class="value">PAC</span> indicates Proxy Auto-Configuration.
1428      <span class="value">WPAD</span> indicates Web Proxy Autodiscovery.
1429    </dd>
1430
1431    <dt class="field">Manual</dt>
1432    <dd>
1433      <span class="field_meta">
1434        (required if <span class="field">Type</span>
1435        is <span class="value">Manual</span>, otherwise ignored)
1436        <span class="type">ManualProxySettings</span>
1437      </span>
1438      Manual proxy settings.
1439    </dd>
1440
1441    <dt class="field">ExcludeDomains</dt>
1442    <dd>
1443      <span class="field_meta">
1444        (optional if <span class="field">Type</span>
1445        is <span class="value">Manual</span>, otherwise ignored)
1446        <span class="type">array of string</span>
1447      </span>
1448      Domains and hosts for which to exclude proxy settings.
1449    </dd>
1450
1451    <dt class="field">PAC</dt>
1452    <dd>
1453      <span class="field_meta">
1454        (required if <span class="field">Type</span> is
1455        <span class="value">PAC</span>, otherwise ignored)
1456        <span class="type">string</span>
1457      </span>
1458      URL of proxy auto-config file.
1459    </dd>
1460  </dl>
1461
1462  <p>
1463    The <span class="type">ManualProxySettings</span> type contains the
1464    following:
1465  </p>
1466
1467  <dl class="field_list">
1468    <dt class="field">HTTPProxy</dt>
1469    <dd>
1470      <span class="field_meta">
1471        (optional)
1472        <span class="type">ProxyLocation</span>
1473      </span>
1474      Settings for HTTP proxy.
1475    </dd>
1476
1477    <dt class="field">SecureHTTPProxy</dt>
1478    <dd>
1479      <span class="field_meta">
1480        (optional)
1481        <span class="type">ProxyLocation</span>
1482      </span>
1483      Settings for secure HTTP proxy.
1484    </dd>
1485
1486    <dt class="field">FTPProxy</dt>
1487    <dd>
1488      <span class="field_meta">
1489        (optional)
1490        <span class="type">ProxyLocation</span>
1491      </span>
1492      Settings for FTP proxy.
1493    </dd>
1494
1495    <dt class="field">SOCKS</dt>
1496    <dd>
1497      <span class="field_meta">
1498        (optional)
1499        <span class="type">ProxyLocation</span>
1500      </span>
1501      Settings for SOCKS proxy.
1502    </dd>
1503  </dl>
1504
1505  <p>
1506    The <span class="type">ProxyLocation</span> type contains the following:
1507  </p>
1508
1509  <dl class="field_list">
1510    <dt class="field">Host</dt>
1511    <dd>
1512      <span class="field_meta">
1513        (required)
1514        <span class="type">string</span>
1515      </span>
1516      Host (or IP address) to use for the proxy.
1517    </dd>
1518
1519    <dt class="field">Port</dt>
1520    <dd>
1521      <span class="field_meta">
1522        (required)
1523        <span class="type">integer</span>
1524      </span>
1525      Port to use for the proxy.
1526    </dd>
1527  </dl>
1528</section>
1529
1530<section>
1531  <h1>EAP configurations</h1>
1532  <p>
1533    For networks with 802.1X authentication, an <span class="type">EAP</span>
1534    type exists to configure the
1535    authentication. The <span class="type">EAP</span> type contains the
1536    following:
1537  </p>
1538
1539  <dl class="field_list">
1540    <dt class="field">AnonymousIdentity</dt>
1541    <dd>
1542      <span class="field_meta">
1543        (optional if <span class="field">Outer</span> is
1544        <span class="value">PEAP</span> or <span class="value">EAP-TTLS</span>,
1545        otherwise ignored)
1546        <span class="type">string</span>
1547      </span>
1548      For tunneling protocols only, this indicates the identity of the user
1549      presented to the outer protocol. This value is subject to string
1550      expansions. If not specified, use empty string.
1551    </dd>
1552
1553    <dt class="field">ClientCertPattern</dt>
1554    <dd>
1555      <span class="field_meta">
1556        (required if <span class="field">ClientCertType</span> is
1557        <span class="value">Pattern</span>, otherwise ignored)
1558        <span class="type">CertificatePattern</span>
1559      </span>
1560      Pattern to use to find the client certificate.
1561    </dd>
1562
1563    <dt class="field">ClientCertRef</dt>
1564    <dd>
1565      <span class="field_meta">
1566        (required if <span class="field">ClientCertType</span> is
1567        <span class="value">Ref</span>, otherwise ignored)
1568        <span class="type">string</span>
1569      </span>
1570      Reference to client certificate stored in certificate section.
1571    </dd>
1572
1573    <dt class="field">ClientCertType</dt>
1574    <dd>
1575      <span class="field_meta">
1576        (optional) <span class="type">string</span>
1577      </span>
1578      <span class="rule">
1579        <span class="rule_id"></span>
1580        Allowed values are <span class="value">Ref</span> and
1581        <span class="value">Pattern</span>.
1582      </span>
1583    </dd>
1584
1585    <dt class="field">Identity</dt>
1586    <dd>
1587      <span class="field_meta">
1588        (optional)
1589        <span class="type">string</span>
1590      </span>
1591      Identity of user. For tunneling outer protocols
1592      (<span class="value">PEAP</span>, <span class="value">EAP-TTLS</span>, and
1593      <span class="value">EAP-FAST</span>), this is used to authenticate inside
1594      the tunnel, and <span class="field">AnonymousIdentity</span> is used for
1595      the EAP identity outside the tunnel. For non-tunneling outer protocols,
1596      this is used for the EAP identity. This value is subject to string
1597      expansions.
1598    </dd>
1599
1600    <dt class="field">Inner</dt>
1601    <dd>
1602      <span class="field_meta">
1603        (optional if <span class="field">Outer</span> is
1604        <span class="value">EAP-FAST</span>, <span class="value">EAP-TTLS</span>
1605        or <span class="value">PEAP</span>, otherwise ignored, defaults to
1606        <span class="value">Automatic</span>)
1607        <span class="type">string</span>
1608      </span>
1609      <span class="rule">
1610        <span class="rule_id"></span>
1611        Allowed values are <span class="value">Automatic</span>,
1612        <span class="value">MD5</span>, <span class="value">MSCHAPv2</span>,
1613        <span class="value">EAP-MSCHAPv2</span>, and
1614        <span class="value">PAP</span>.
1615      </span>
1616      For tunneling outer protocols.
1617    </dd>
1618
1619    <dt class="field">Outer</dt>
1620    <dd>
1621      <span class="field_meta">
1622        (required)
1623        <span class="type">string</span>
1624      </span>
1625      <span class="rule">
1626        <span class="rule_id"></span>
1627        Allowed values are <span class="value">LEAP</span>,
1628        <span class="value">EAP-AKA</span>, <span class="value">EAP-FAST</span>,
1629        <span class="value">EAP-TLS</span>, <span class="value">EAP-TTLS</span>,
1630        <span class="value">EAP-SIM</span> and <span class="value">PEAP</span>.
1631      </span>
1632    </dd>
1633
1634    <dt class="field">Password</dt>
1635    <dd>
1636      <span class="field_meta">
1637        (optional)
1638        <span class="type">string</span>
1639      </span>
1640      Password of user. If not specified, defaults to prompting the user.
1641    </dd>
1642
1643    <dt class="field">SaveCredentials</dt>
1644    <dd>
1645      <span class="field_meta">
1646        (optional, defaults to <span class="value">false</span>)
1647        <span class="type">boolean</span>
1648      </span>
1649      If <span class="value">false</span>, require user to enter credentials
1650      each time they connect. Specifying <span class="field">Identity</span>
1651      and/or <span class="field">Password</span> when
1652      <span class="field">SaveCredentials</span> is
1653      <span class="value">false</span> is not allowed.
1654    </dd>
1655
1656    <dt class="field">ServerCARefs</dt>
1657    <dd>
1658      <span class="field_meta">
1659        (optional)
1660        <span class="type">array of string</span>
1661      </span>
1662      Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
1663    </dd>
1664
1665    <dt class="field">ServerCARef</dt>
1666    <dd>
1667      <span class="field_meta">
1668        (optional)
1669        <span class="type">string</span>
1670      </span>
1671      DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
1672      Reference to a CA certificate in <span class="field">Certificates</span>. If this field is set, <span class="field">ServerCARefs</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
1673    </dd>
1674
1675    <dt class="field">UseSystemCAs</dt>
1676    <dd>
1677      <span class="field_meta">
1678        (optional, defaults to <span class="value">true</span>)
1679        <span class="type">boolean</span>
1680      </span>
1681      Requires the server certificate to be signed by "system default certificate
1682      authorities". If both <span class="field">ServerCARefs</span> (or <span class="field">ServerCARef</span>)
1683      and <span class="field">UseSystemCAs</span> are supplied, a server
1684      certificate will be allowed if it either has a chain of trust to a system
1685      CA or to one of the given CA certificates. If <span class="field">UseSystemCAs</span>
1686      is <span class="value">false</span>, and no <span class="field">ServerCARef</span> is set, the certificate
1687      must be a self-signed certificate, and no CA signature is required.
1688    </dd>
1689  </dl>
1690
1691  <p class="rule">
1692    <span class="rule_id"></span>
1693    At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
1694  </p>
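<p>
  The following is an added example, not code from the ONC specification or
  from any supplicant: it checks the EAP rules stated above (allowed Outer and
  Inner values, the ClientCertType companions, the ban on embedded Identity or
  Password when SaveCredentials is false, and the ServerCARefs/ServerCARef
  exclusivity) and derives the server certificate trust policy that follows
  from ServerCARefs, ServerCARef and UseSystemCAs. The function names and the
  sample object (with placeholder GUIDs) are constructed here.
</p>

```python
# Added example, not part of the ONC specification or any implementation:
# checks the EAP rules stated above and derives the server certificate
# verification policy that follows from ServerCARefs, ServerCARef and
# UseSystemCAs. The function names and sample objects are constructed here.

ALLOWED_OUTER = {"LEAP", "EAP-AKA", "EAP-FAST", "EAP-TLS", "EAP-TTLS", "EAP-SIM", "PEAP"}
TUNNELING_OUTER = {"PEAP", "EAP-TTLS", "EAP-FAST"}
ALLOWED_INNER = {"Automatic", "MD5", "MSCHAPv2", "EAP-MSCHAPv2", "PAP"}
ALLOWED_CLIENT_CERT_TYPES = {"Ref", "Pattern"}


def check_eap(eap):
    """Return the rule violations of an EAP object (empty list if it is valid)."""
    errors = []
    outer = eap.get("Outer")
    if outer not in ALLOWED_OUTER:
        errors.append("Outer is required and must be one of the allowed EAP methods")
    # Inner is only meaningful for tunneling outer protocols; elsewhere it is ignored.
    if outer in TUNNELING_OUTER and eap.get("Inner", "Automatic") not in ALLOWED_INNER:
        errors.append("Inner must be one of the allowed inner methods")

    cct = eap.get("ClientCertType")
    if cct is not None and cct not in ALLOWED_CLIENT_CERT_TYPES:
        errors.append("ClientCertType must be Ref or Pattern")
    if cct == "Ref" and not eap.get("ClientCertRef"):
        errors.append("ClientCertRef is required when ClientCertType is Ref")
    if cct == "Pattern" and not isinstance(eap.get("ClientCertPattern"), dict):
        errors.append("ClientCertPattern is required when ClientCertType is Pattern")

    # Credentials may only be embedded when the client is allowed to keep them.
    if not eap.get("SaveCredentials", False) and ("Identity" in eap or "Password" in eap):
        errors.append("Identity/Password are not allowed when SaveCredentials is false")

    if "ServerCARefs" in eap and "ServerCARef" in eap:
        errors.append("at most one of ServerCARefs and ServerCARef can be set")
    if "ServerCARefs" in eap and not eap["ServerCARefs"]:
        errors.append("ServerCARefs must be a non-empty list")
    return errors


def server_ca_policy(eap):
    """Describe which trust anchors the server certificate may chain to.

    Mirrors the UseSystemCAs text: configured CAs and system CAs are
    alternatives when both are given; with neither, only a self-signed
    server certificate is acceptable.
    """
    configured = list(eap.get("ServerCARefs", []))
    if "ServerCARef" in eap:
        configured.append(eap["ServerCARef"])
    use_system = eap.get("UseSystemCAs", True)
    return {
        "system_cas": use_system,
        "configured_cas": configured,
        "self_signed_only": not use_system and not configured,
    }


# Constructed sample: PEAP with MSCHAPv2 inside, pinned to one enterprise CA
# only, with the identity stored on the device. The GUID is a placeholder.
SAMPLE_EAP = {
    "Outer": "PEAP",
    "Inner": "MSCHAPv2",
    "AnonymousIdentity": "anonymous@example.test",
    "SaveCredentials": True,
    "Identity": "alice@example.test",
    "ServerCARefs": ["{enterprise-ca-guid}"],
    "UseSystemCAs": False,
}

if __name__ == "__main__":
    print(check_eap(SAMPLE_EAP))        # []
    print(server_ca_policy(SAMPLE_EAP))  # pinned to {enterprise-ca-guid} only
```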
1695</section>
1696
1697<section>
1698  <h1>Cellular Networks</h1>
1699  <p>
1700    This format will eventually also cover configuration of cellular network
1701    technologies; however, they are currently not supported.
1702  </p>
1703</section>
1704
1705<section>
1706  <h1>Bluetooth / WiFi Direct Networks</h1>
1707  <p>
1708    This format will eventually also cover configuration of Bluetooth and Wi-Fi
1709    Direct network technologies; however, they are currently not supported.
1710  </p>
1711</section>
1712
1713</section>
1714
1715<section>
1716  <h1>Certificates</h1>
1717  <p>
1718    Certificate data is stored in a separate section. Each certificate may be
1719    referenced from within the NetworkConfigurations array using a certificate
1720    reference. A certificate reference is its GUID.
1721  </p>
1722
1723  <p>
1724    The top-level field <span class="field">Certificates</span> is an array of
1725    objects of <span class="type">Certificate</span> type.
1726  </p>
1727
1728  <p>
1729    The <span class="type">Certificate</span> type contains the following:
1730  </p>
1731
1732  <dl class="field_list">
1733    <dt class="field">GUID</dt>
1734    <dd>
1735      <span class="field_meta">
1736        (required)
1737        <span class="type">string</span>
1738      </span>
1739      A unique identifier for this certificate. Must be a non-empty string.
1740    </dd>
1741
1742    <dt class="field">PKCS12</dt>
1743    <dd>
1744      <span class="field_meta">
1745        (required if <span class="field">Type</span> is
1746        <span class="value">Client</span>, otherwise ignored)
1747        <span class="type">string</span>
1748      </span> For certificates with
1749      private keys, this is the base64 encoding of a PKCS#12 file.
1750    </dd>
1751
1752    <dt class="field">Remove</dt>
1753    <dd>
1754      <span class="field_meta">
1755        (optional, defaults to <span class="value">false</span>)
1756        <span class="type">boolean</span>
1757      </span>
1758      If <span class="value">true</span>, remove this certificate (only GUID
1759      should be set).
1760    </dd>
1761
1762    <dt class="field">TrustBits</dt>
1763    <dd>
1764      <span class="field_meta">
1765        (optional if <span class="field">Type</span>
1766        is <span class="value">Server</span>
1767        or <span class="value">Authority</span>, otherwise ignored, defaults to
1768        [])
1769        <span class="type">array of string</span>
1770      </span>
1771      An array of trust flags. Clients should ignore unknown flags. For
1772      backwards compatibility, each flag should only increase the trust and
1773      never restrict. The trust flag <span class="value">Web</span> implies that
1774      the certificate is to be trusted for HTTPS SSL identification. A typical
1775      web certificate authority would have <span class="field">Type</span> set
1776      to <span class="value">Authority</span> and
1777      <span class="field">TrustBits</span> set to
1778      <span class="snippet">["Web"]</span>.
1779    </dd>
1780
1781    <dt class="field">Type</dt>
1782    <dd>
1783      <span class="field_meta">
1784        (required if <span class="field">Remove</span> is
1785        <span class="value">false</span>, otherwise ignored)
1786        <span class="type">string</span>
1787      </span>
1788      <span class="rule">
1789        <span class="rule_id"></span>
1790        Allowed values are <span class="value">Client</span>,
1791        <span class="value">Server</span>, and
1792        <span class="value">Authority</span>.
1793      </span>
1794      <span class="value">Client</span> indicates the certificate is for
1795      identifying the user or device over HTTPS or for
1796      VPN/802.1X. <span class="value">Server</span> indicates the certificate
1797      identifies an HTTPS or VPN/802.1X peer.
1798      <span class="value">Authority</span> indicates the certificate is a
1799      certificate authority and any certificates it issues should be
1800      trusted. Note that if <span class="field">Type</span> disagrees with the
1801      x509 v3 basic constraints or key usage attributes, the
1802      <span class="field">Type</span> field should be honored.
1803    </dd>
1804
1805    <dt class="field">X509</dt>
1806    <dd>
1807      <span class="field_meta">
1808        (required if <span class="field">Type</span> is
1809        <span class="value">Server</span> or
1810        <span class="value">Authority</span>, otherwise ignored)
1811        <span class="type">string</span>
1812      </span> For certificate
1813      without private keys, this is the X509 certificate in PEM format.
1814    </dd>
1815  </dl>
1816
1817  <p>
1818    The passphrase of the PKCS#12 encoding must be empty. Encryption of key data
1819    should be handled at the level of the entire file, or the transport of the
1820    file.
1821  </p>
1822
1823  <p>
1824    If a global-scoped network connection refers to a user-scoped certificate,
1825    results are undefined, so this configuration should be prohibited by the
1826    configuration editor.
1827  </p>
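  <p>
    As an added example, not part of the spec or of any ONC implementation, the
    Python below checks a Certificates array against the field rules listed
    here: non-empty, unique GUIDs; a base64 PKCS12 blob for Client entries; a
    PEM X509 certificate for Server and Authority entries; and GUID-only
    removals. It checks only PEM framing and base64, without parsing the
    certificate; the sample document, its GUIDs and its PEM body are
    constructed placeholders.
  </p>

```python
import base64
import json
import re

# PEM framing only: the body is checked to be base64, not parsed as X.509.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

def _nonempty_b64(value) -> bool:
    try:
        return isinstance(value, str) and len(base64.b64decode(value, validate=True)) > 0
    except ValueError:
        return False

def validate_certificates(certs: list) -> list[str]:
    """Apply the Certificate field rules; returns one message per bad entry."""
    errors, seen = [], set()
    for i, cert in enumerate(certs):
        guid = cert.get("GUID")
        if not isinstance(guid, str) or not guid:
            errors.append(f"entry {i}: GUID is required and must be a non-empty string")
            continue
        if guid in seen:  # references are by GUID, so it has to be unique
            errors.append(f"{guid}: duplicate GUID")
        seen.add(guid)
        if cert.get("Remove") is True:
            continue  # a removal carries only the GUID; Type and the rest are ignored
        ctype = cert.get("Type")
        if ctype == "Client":
            if not _nonempty_b64(cert.get("PKCS12")):
                errors.append(f"{guid}: Client requires base64 PKCS12 data")
        elif ctype in ("Server", "Authority"):
            x509 = cert.get("X509")
            match = PEM_CERT.search(x509) if isinstance(x509, str) else None
            if not match or not _nonempty_b64(re.sub(r"\s", "", match.group(1))):
                errors.append(f"{guid}: {ctype} requires an X509 certificate in PEM format")
        else:
            errors.append(f"{guid}: Type must be Client, Server or Authority, got {ctype!r}")
    return errors

def validate_onc(document: str) -> list[str]:
    """Validate the top-level Certificates array of an UnencryptedConfiguration."""
    return validate_certificates(json.loads(document).get("Certificates", []))

# Constructed sample document (GUIDs and the PEM body are placeholders, not real data).
SAMPLE = json.dumps({
    "Type": "UnencryptedConfiguration", "NetworkConfigurations": [],
    "Certificates": [
        {"GUID": "{ca-constructed-1}", "Type": "Authority", "TrustBits": ["Web"],
         "X509": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"},
        {"GUID": "{client-constructed-1}", "Type": "Client"},
        {"GUID": "{old-constructed-1}", "Remove": True},
        {"GUID": "{ca-constructed-1}", "Type": "Server", "X509": "not pem"},
    ]})
```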
</section>

</section>

<section>
  <h1>Encrypted Configuration</h1>
  <p>
    We assume that when this format is imported as part of policy, file-level
    encryption will not be necessary because the policy transport is already
    encrypted; when it is imported as a standalone file, however, it is
    desirable to encrypt it. Since this file has private information (user
    names) and secrets (passphrases and private keys) in it, and we want it to
    be usable as a manual way to distribute network configuration, we must
    support encryption.
  </p>

  <p>
    For this standalone export, the entire file will be encrypted symmetrically:
    the passphrase is stretched using salted PBKDF2 with at least 20000
    iterations, and the file is encrypted using AES-256 in CBC mode with an
    SHA-1 HMAC computed over the ciphertext.
  </p>

  <p>
    An encrypted ONC file's top level object will have the
    <span class="type">EncryptedConfiguration</span>
    type. The <span class="type">EncryptedConfiguration</span> type contains the
    following:
  </p>

  <dl class="field_list">
    <dt class="field">Cipher</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      The type of cipher used. Currently only <span class="value">AES256</span>
      is supported.
    </dd>

    <dt class="field">Ciphertext</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      The raw ciphertext of the encrypted ONC file, base64 encoded.
    </dd>

    <dt class="field">HMAC</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      The HMAC for the ciphertext, base64 encoded.
    </dd>

    <dt class="field">HMACMethod</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      The method used to compute the Hash-based Message Authentication Code
      (HMAC). Currently only <span class="value">SHA1</span> is supported.
    </dd>

    <dt class="field">Salt</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      The salt value used during key stretching.
    </dd>

    <dt class="field">Stretch</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      The key stretching algorithm used. Currently
      only <span class="value">PBKDF2</span> is supported.
    </dd>

    <dt class="field">Iterations</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">integer</span>
      </span>
      The number of iterations to use during key stretching.
    </dd>

    <dt class="field">IV</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      The initialization vector (IV) used for Cipher Block Chaining (CBC) mode,
      base64 encoded.
    </dd>

    <dt class="field">Type</dt>
    <dd>
      <span class="field_meta">
        (required)
        <span class="type">string</span>
      </span>
      The type of the ONC file, which must be set
      to <span class="value">EncryptedConfiguration</span>.
    </dd>
  </dl>

  <p class="rule">
    <span class="rule_id"></span>
    When decrypted, the ciphertext must contain a JSON object of
    type <span class="type">UnencryptedConfiguration</span>.
  </p>
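  <p>
    As an added example, not part of the spec or of any ONC implementation, the
    Python below validates an EncryptedConfiguration object (the encrypted mock
    under Mocks has the same shape): it checks the fixed field values and the
    20000-iteration floor, stretches the passphrase with PBKDF2-HMAC-SHA1, and
    verifies the SHA-1 HMAC over the raw ciphertext in constant time before
    anything is decrypted. Assumed, because the page does not state them: the
    HMAC key is the 32-byte derived key and the plaintext is PKCS#7 padded;
    decrypt() relies on the third-party cryptography package while the checks
    themselves need only the standard library, and the envelope values used in
    the test are constructed.
  </p>

```python
import base64
import hashlib
import hmac
import json

MIN_ITERATIONS = 20000  # floor stated in the Encrypted Configuration section
KEY_LEN = 32            # AES-256 key; assumed to double as the HMAC key
FIXED = {"Type": "EncryptedConfiguration", "Cipher": "AES256",
         "Stretch": "PBKDF2", "HMACMethod": "SHA1"}

def stretch(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 key stretching (the Stretch, Salt and Iterations fields)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, iterations, KEY_LEN)

def verify_envelope(enc: dict, passphrase: str) -> tuple[bytes, bytes, bytes]:
    """Check the envelope and its HMAC; returns (key, iv, ciphertext) or raises ValueError."""
    for field, value in FIXED.items():
        if enc.get(field) != value:
            raise ValueError(f"unsupported or missing {field}: {enc.get(field)!r}")
    iterations = enc.get("Iterations")
    if not isinstance(iterations, int) or iterations < MIN_ITERATIONS:
        raise ValueError(f"Iterations must be an integer >= {MIN_ITERATIONS}")
    try:
        salt, iv, ct, tag = (base64.b64decode(enc[f], validate=True)
                             for f in ("Salt", "IV", "Ciphertext", "HMAC"))
    except (KeyError, TypeError, ValueError) as e:
        raise ValueError(f"bad or missing base64 field: {e}") from e
    if len(iv) != 16 or not ct or len(ct) % 16:
        raise ValueError("IV must be 16 bytes and Ciphertext a non-empty multiple of 16")
    key = stretch(passphrase, salt, iterations)
    # Verify before decrypting, with a constant-time compare; fail closed on mismatch.
    if not hmac.compare_digest(hmac.new(key, ct, "sha1").digest(), tag):
        raise ValueError("HMAC mismatch: wrong passphrase or tampered file")
    return key, iv, ct

def make_envelope(ciphertext: bytes, passphrase: str, salt: bytes, iv: bytes,
                  iterations: int = MIN_ITERATIONS) -> dict:
    """Encryptor side: wrap an already AES-256-CBC-encrypted body in the envelope."""
    tag = hmac.new(stretch(passphrase, salt, iterations), ciphertext, "sha1").digest()
    raw = {"Salt": salt, "IV": iv, "Ciphertext": ciphertext, "HMAC": tag}
    return dict(FIXED, Iterations=iterations,
                **{k: base64.b64encode(v).decode() for k, v in raw.items()})

def decrypt(enc: dict, passphrase: str) -> dict:
    """verify_envelope, then AES-256-CBC decrypt with the 'cryptography' package (lazy import)."""
    key, iv, ct = verify_envelope(enc, passphrase)
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    unpad = padding.PKCS7(128).unpadder()  # assumed: PKCS#7 block padding
    inner = json.loads(unpad.update(dec.update(ct) + dec.finalize()) + unpad.finalize())
    if inner.get("Type") != "UnencryptedConfiguration":  # rule stated above
        raise ValueError("decrypted payload is not an UnencryptedConfiguration")
    return inner
```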
</section>

<section>
  <h1>String Expansions</h1>
  <p>
    The values of some fields, such
    as <span class="field">WiFi.EAP.Identity</span>
    and <span class="field">VPN.*.Username</span>, are subject to string
    expansions. These allow one ONC to have basic user-specific variations.
  </p>

  <p>
    The expansions are:
  </p>

  <ul>
    <li>
      ${LOGIN_ID} - expands to the part of the user's email address before the
      '@'.
    </li>
    <li>
      ${LOGIN_EMAIL} - expands to the email address of the user.
    </li>
  </ul>

  <p>
    The following sed substitutions would properly handle resolution:
  </p>

  <ul>
    <li>
      s/\$\{LOGIN_ID\}/bobquail/g
    </li>
    <li>
      s/\$\{LOGIN_EMAIL\}/bobquail@example.com/g
    </li>
  </ul>

  <p>
    Example expansions, assuming the user was bobquail@example.com:
  </p>

  <ul>
    <li>
      "${LOGIN_ID}" -> "bobquail"
    </li>
    <li>
      "${LOGIN_ID}@corp.example.com" -> "bobquail@corp.example.com"
    </li>
    <li>
      "${LOGIN_EMAIL}" -> "bobquail@example.com"
    </li>
    <li>
      "${LOGIN_ID}X" -> "bobquailX"
    </li>
    <li>
      "${LOGIN_IDX}" -> "${LOGIN_IDX}"
    </li>
    <li>
      "X${LOGIN_ID}" -> "Xbobquail"
    </li>
  </ul>
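  <p>
    The expansion rules above as an added Python example (not part of the spec
    or of any ONC implementation): expand() resolves the two placeholders
    literally, so ${LOGIN_IDX} stays untouched, and expand_network() applies it
    only to the fields the spec names, WiFi.EAP.Identity and VPN.*.Username.
    The sample configurations and their GUIDs are constructed.
  </p>

```python
import copy
import re

# Only the two documented expansions are recognised; "${LOGIN_IDX}" and any
# other unknown placeholder are left exactly as written.
EXPANSION = re.compile(r"\$\{(LOGIN_ID|LOGIN_EMAIL)\}")

def expand(value: str, login_email: str) -> str:
    """Resolve ${LOGIN_ID} (the part before the '@') and ${LOGIN_EMAIL} in one string."""
    table = {"LOGIN_ID": login_email.partition("@")[0], "LOGIN_EMAIL": login_email}
    return EXPANSION.sub(lambda m: table[m.group(1)], value)

def expand_network(net: dict, login_email: str) -> dict:
    """Apply the expansions to WiFi.EAP.Identity and VPN.*.Username in a copy of
    one NetworkConfiguration; every other string is left alone."""
    out = copy.deepcopy(net)
    eap = out.get("WiFi", {}).get("EAP")
    if isinstance(eap, dict) and isinstance(eap.get("Identity"), str):
        eap["Identity"] = expand(eap["Identity"], login_email)
    for sub in out.get("VPN", {}).values():  # VPN.* covers every VPN sub-object
        if isinstance(sub, dict) and isinstance(sub.get("Username"), str):
            sub["Username"] = expand(sub["Username"], login_email)
    return out

# Constructed sample configurations (GUIDs and hosts are placeholders, not real data).
SAMPLE_WIFI = {
    "GUID": "{constructed-wifi-1}", "Name": "CorpWiFi", "Type": "WiFi",
    "WiFi": {"SSID": "CorpWiFi", "Security": "WPA-EAP",
             "EAP": {"Outer": "PEAP", "Identity": "${LOGIN_EMAIL}"}},
}
SAMPLE_VPN = {
    "GUID": "{constructed-vpn-1}", "Name": "Corp VPN", "Type": "VPN",
    "VPN": {"Type": "OpenVPN", "Host": "vpn.example.com",
            "OpenVPN": {"Username": "${LOGIN_ID}@corp.example.com"}},
}
```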
</section>

<section>
  <h1>Detection</h1>
  <p>
    This format should be sent in files ending in the .onc extension. When
    transmitted with a MIME type, the MIME type should be
    application/x-onc. These two methods make it possible to detect data that
    should be handled in this format, especially when encryption is used and
    the payload itself is not detectable.
  </p>
</section>

</section>

<section>
  <h1>Alternatives considered</h1>
  <p>
    For the overall format, we considered XML, ASN.1, and protobufs. JSON and
    ASN.1 seem more widely known than protobufs. Since administrators are
    likely to want to tweak settings that will not exist in common UIs, we
    should provide a format that is well known and human modifiable. ASN.1 is
    not human modifiable. Protobuf formats are known by open source developers
    but seem less likely to be known by administrators. JSON serialization
    seems to have good support across languages.
  </p>

  <p>
    We considered sending the exact connection manager configuration format of
    an open source connection manager like connman. There are a few issues
    here, for instance, referencing certificates by identifiers not tied to a
    particular PKCS#11 token, and tying to one OS's connection manager.
  </p>
</section>

<section>
  <h1>Mocks</h1>

<section>
  <h1>Simple format example: PEAP/MSCHAPv2 network (per device)</h1>

  <pre>
{
  "Type": "UnencryptedConfiguration",
  "NetworkConfigurations": [
    {
      "GUID": "{f2c17903-b0e1-8593-b3ca74f977236bd7}",
      "Name": "MySSID",
      "Type": "WiFi",
      "WiFi": {
        "AutoConnect": true,
        "EAP": {
          "Outer": "PEAP",
          "UseSystemCAs": true
        },
        "HiddenSSID": false,
        "SSID": "MySSID",
        "Security": "WPA-EAP"
      }
    }
  ],
  "Certificates": []
}
  </pre>

  <p>
    Notice that in this case, we do not provide a username and password: we set
    SaveCredentials to <span class="value">false</span> so we are prompted every
    time. We could have passed in a username and password, but such a file
    should be encrypted.
  </p>
</section>

<section>
  <h1>Complex format example: TLS network with client certs (per device)</h1>

  <pre>
{
  "Type": "UnencryptedConfiguration",
  "NetworkConfigurations": [
    {
      "GUID": "{00f79111-51e0-e6e0-76b3b55450d80a1b}",
      "Name": "MyTTLSNetwork",
      "Type": "WiFi",
      "WiFi": {
        "AutoConnect": false,
        "EAP": {
          "ClientCertPattern": {
            "EnrollmentURI": [
              "http://fetch-my-certificate.com"
            ],
            "IssuerCARef": [
              "{6ed8dce9-64c8-d568-d225d7e467e37828}"
            ]
          },
          "ClientCertType": "Pattern",
          "Outer": "EAP-TLS",
          "ServerCARef": "{6ed8dce9-64c8-d568-d225d7e467e37828}",
          "UseSystemCAs": true
        },
        "HiddenSSID": false,
        "SSID": "MyTTLSNetwork",
        "Security": "WPA-EAP"
      }
    }
  ],
  "Certificates": [
    {
      "GUID": "{6ed8dce9-64c8-d568-d225d7e467e37828}",
      "Type": "Authority",
      "X509": "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"
    }
  ]
}
  </pre>

  <p>
    In this example, the client certificate is not sent in the ONC format, but
    rather we send a certificate authority which we know will have signed the
    client certificate that is needed, along with an enrollment URI to navigate
    to if the required certificate is not yet available on the client.
  </p>
</section>

<section>
  <h1>Simple format example: HTTPS Certificate Authority</h1>

  <p>
    In this example a new certificate authority is added to be trusted for HTTPS
    server authentication.
  </p>

  <pre>
{
  "Type": "UnencryptedConfiguration",
  "NetworkConfigurations": [],
  "Certificates": [
    {
      "GUID": "{f31f2110-9f5f-61a7-a8bd7c00b94237af}",
      "TrustBits": [ "Web" ],
      "Type": "Authority",
      "X509": "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"
    }
  ]
}
  </pre>
</section>

<section>
  <h1>Encrypted format example</h1>

  <p>
    In this example a simple wireless network is added, but the file is
    encrypted with the passphrase "test0000".
  </p>

  <pre>
{
  "Cipher": "AES256",
  "Ciphertext": "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",
  "HMAC": "3ylRy5InlhVzFGakJ/9lvGSyVH0=",
  "HMACMethod": "SHA1",
  "Iterations": 20000,
  "IV": "hcm6OENfqG6C/TVO6p5a8g==",
  "Salt": "/3O73QadCzA=",
  "Stretch": "PBKDF2",
  "Type": "EncryptedConfiguration"
}
  </pre>
</section>

</section>

<section>
  <h1>Standalone editor</h1>

  <p>
    The source code for a Chrome packaged app to generate ONC configuration can
    be found here:
    <a href="https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree">https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree</a>
  </p>
</section>

<section>
  <h1>Internationalization and Localization</h1>

  <p>
    UIs will need internationalization and localization; the file format
    itself will remain in English.
  </p>
</section>

<section>
  <h1>Security Considerations</h1>

  <p>
    Data stored inside of open network configuration files is highly sensitive
    to users and enterprises. The file format itself provides adequate
    encryption options to allow standalone use-cases to be secure. For automatic
    updates sent by policy, the policy transport should be made secure. The file
    should not be stored unencrypted on disk as part of policy fetching and
    should be cleared from memory after use.
  </p>
</section>

<section>
  <h1>Privacy Considerations</h1>

  <p>
    Similarly to the security considerations, user names will be present in
    these files for certain kinds of connections, so any place where the file
    is transmitted or saved to disk should be secure. On the client device, when
    user names for user-specific connections are persisted to disk, they should
    be stored in an encrypted location. Users can also, in these cases, opt not
    to save their user credentials in the config file and will instead be
    prompted when they are needed.
  </p>
</section>
</section>
</body>
</html>