
cat-users - RE: [[cat-users]] The new signature on mobileconfig files

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Patrik Holmqvist <patrik.holmqvist AT su.se>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: RE: [[cat-users]] The new signature on mobileconfig files
  • Date: Tue, 23 Feb 2016 13:42:47 +0000
  • Accept-language: sv-SE, en-US

That is really unfortunate! We have done some tests here now on both OS X and
iOS based devices that indicate that every device configured with the
mobile.config files before today will stop working 10 days (2016-03-07) after
the signing certificate expires (2016-02-26).

Our test method is based on setting the date to a date in the future and seeing
when it breaks, and it seems like 10 days after expiration is the magic
number (maybe this is some kind of grace period?)

This will have a major impact on our eduroam user base and I am guessing that
we are not the only ones here that will suffer from this.

Regards
Patrik

-----Original Message-----
From: Tomasz Wolniewicz [mailto:twoln AT umk.pl]
Sent: 23 February 2016 10:55
To: Patrik Holmqvist <patrik.holmqvist AT su.se>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] The new signature on mobileconfig files

Frankly, I am not sure. I have a feeling that old, already installed profiles
may suddenly become "untrusted" the moment that the old signing cert expires.
Not sure how the devices will behave if and when this happens.

In EAPlab we did think of preparing personal certificates expiring in 24
hours to be able to test how supplicants for EAP-TLS will behave, but we have
not thought of doing a similar thing for mobileconfig files.

For Windows you can use timestamping, which keeps the exe valid even after the
signing cert expires (if you do not use timestamping then the exe will start
raising alerts). For mobileconfig files I did not find the option to use
timestamping in a similar way.

Tomasz


On 2016-02-23 at 10:38, Patrik Holmqvist wrote:
> Hi Tomasz
>
> Just to be clear, this will not impact any already installed profiles on
> devices with the "old" file?
> Just people that have the old file stored on their device and try to
> "install" it after the 26th of February?
>
> --
> Regards Patrik Holmqvist
> Stockholm university
>
> -----Original Message-----
> From: Tomasz Wolniewicz [mailto:twoln AT umk.pl]
> Sent: 22 February 2016 15:14
> To: cat-users AT lists.geant.org
> Subject: [[cat-users]] The new signature on mobileconfig files
>
> Hi,
> we have just turned on the new signing module on CAT mobileconfig files.
> It uses the same hardware-token based certificate as the Windows installers.
> All cached mobileconfig files have been deleted, the new ones are being
> created as users are accessing them.
>
> If people are redistributing files previously downloaded from CAT, then
> please download new copies. The old signing certificate is going to expire
> on the 26th of February and the old profiles will become "untrusted".
>
> On the CAT starting page there is now updated information about the profile
> signer. TERENA has been replaced with GÉANT.
>
> Yours
> Tomasz
>

--
Tomasz Wolniewicz

twoln AT umk.pl
http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne (Information & Communication Technology Centre)
Uniwersytet Mikolaja Kopernika (Nicolaus Copernicus University)
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576



