
cat-users - [cat-users] Android certificate choices

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: "cat-users AT geant.net" <cat-users AT geant.net>
  • Subject: [cat-users] Android certificate choices
  • Date: Wed, 03 Jun 2015 10:16:31 +0200
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

we've discussed the issue of multiple CAs in profiles and how this can
work with Android with the main developer of the app.

Unfortunately Android is not overly capable when it comes to CA handling
for Wi-Fi and we are left with only a few choices.

First of all, as a CAT admin you are currently spoiled with a feature we
call "CA rollover support"; you can upload more than one /root/ CA,
we'll install both into the supplicant, and you can smoothly exchange
the server certificate from old to new CA without user interaction.

On Android, it does not appear to be possible to support this for two
reasons.

One, the Wi-Fi settings only allow specifying at most one CA to trust.
So if the server cert transitions from the old to the new CA, user
interaction is required to flip the CA in the drop-down list.

Two, it is not possible to install more than one CA into the device
without strange user interaction in the first place (mean tricks might
work, but this needs to be explored). The reason is that one doesn't
install a CA into a device store and then link the Wi-Fi profile to the
entry in the store (that's how sane devices do it ;-) ) but instead one
installs the Wi-Fi profile with the trusted CA certificate; the API then
takes care of storing the CA in the Wi-Fi store on its own. And since
one Wi-Fi profile can only specify one CA - there is no access to the store.

It may be possible to feed a certificate directly into the store, but
that triggers strange user interactions (choosing a name for the CA in
the store), but it still wouldn't allow any automatic rollover.
Explaining this in UI sounds nightmarish to me.

The dirty trick might be to install a second Wi-Fi profile with the
second CA and a random/useless SSID, just so that the CA cert eventually
lands in the store without user interaction - but that's not nice.

So, all in all - it looks like we simply won't support rollover
scenarios on Android. Unless the list generates enough pressure to make
us consider those way suboptimal choices above.

The second thing about certificates is that we have trouble installing
intermediate CA certificates into the store because - we don't have
direct access to the store; same as above.

We can easily fix the app to only install the first root CA it finds,
ignoring intermediates, ignoring further root CAs.

That would work for the majority of cases. As an admin, you would need
to be aware though that if you indeed have two or more *root* CAs in
your profile, it may be a bit nondeterministic which one gets installed
in Androids. A separate profile for Android users where you only upload
the currently active root CA is a way to fix that while you are in
rollover mode.

So... I'm open for suggestions and comments. Just for the record: a bug
report with Google has been open for a long time regarding support for more
than one CA. Feel free to vote for it:
https://code.google.com/p/android/issues/detail?id=73680&q=multiple%20CA%20Wi-Fi&colspec=ID%20Type%20Status%20Owner%20Summary%20Stars

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
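
An admin-side check for the situation described in the message above (an added example, not part of the original post or of the CAT code base): it lists which entries of a profile's PEM bundle are roots and which are intermediates, and flags a bundle with more than one root, the case the message says may install either one on Android. All function names are hypothetical, "root" is assumed to mean issuer equal to subject without verifying the signature, and the sample bundle is built from constructed skeletons, not valid certificates.

```python
import base64, re

def _tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of one X.509 certificate."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]        # enter Certificate, then TBSCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _ in range(2):                         # serialNumber, signature algorithm
        pos = _tlv(der, pos)[2]
    issuer_end = _tlv(der, pos)[2]
    subject_at = _tlv(der, issuer_end)[2]      # skip validity
    return der[pos:issuer_end], der[subject_at:_tlv(der, subject_at)[2]]

def android_ca_report(bundle):
    """Index roots (issuer == subject, signature unverified) and intermediates."""
    pat = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    roots, intermediates = [], []
    for i, b64 in enumerate(re.findall(pat, bundle, re.S)):
        issuer, subject = issuer_and_subject(base64.b64decode(b64))
        (roots if issuer == subject else intermediates).append(i)
    return {"roots": roots, "intermediates": intermediates,
            "ambiguous_on_android": len(roots) > 1}

def _der(tag, *parts):                         # short-form lengths only (< 128)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def skeleton_pem(issuer_cn, subject_cn):
    """Constructed skeleton (not a valid certificate): only the parsed fields."""
    def name(cn):                              # Name holding a single CN attribute
        return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03",
                                          _der(0x0C, cn.encode()))))
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02", b"\x02\x01\x01", _der(0x30),
               name(issuer_cn), _der(0x30), name(subject_cn))
    b64 = base64.b64encode(_der(0x30, tbs, _der(0x30), b"\x03\x01\x00")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (skeleton_pem("Old Root", "Old Root")      # constructed rollover
                 + skeleton_pem("Old Root", "Issuing CA")  # bundle: two roots and
                 + skeleton_pem("New Root", "New Root"))   # one intermediate
print(android_ca_report(SAMPLE_BUNDLE))
```

A bundle reported as ambiguous is the case for which the message suggests a separate Android profile carrying only the currently active root CA.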
