cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Daniele Albrizio <albrizio AT univ.trieste.it>, cat-users AT geant.net
- Subject: Re: [cat-users] Multiple CA chains
- Date: Mon, 5 Oct 2015 15:05:24 +0200
- List-archive: <https://mail.geant.net/mailman/private/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello,

> I asked around for the best way to have a smooth user experience in
> migrating from one CA to the other and someone told me to install both
> CA chains so when I change the certificate of the radius server next
> year many users will already have the new chain in place.
>
> Well, this will not work at least with the Android app: when using the
> profile I see only the last CA in the profile details. This breaks the
> current connection.
>
> At this point I have two questions:
> 1. Is there any other way to migrate smoothly? Is cross-signing
> possible/suggestable?
> 2. How many other installers are not designed to handle multiple CAs?

In the scope of CAT: Android is our only device which does not support
multiple root CAs. And it's not our limitation, it's the Android API not
allowing for more than one trust anchor.

I don't know anything about cross-signing. There are some dark shady
corners of PKI which I didn't dare look into yet :-)

There are also more niche devices which are not served by CAT right now,
and I don't know every device's capabilities in that respect.

So, expect some problems. I believe CAT already takes the bulk of those
problems away with provisioning multiple roots on most of the major
platforms, but there is definitely a residue that needs to be taken care
of somehow else.

Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66