The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Did you see any warnings or do they just break down silently?
there seems little that can be done about this, evey certificate will expire, 
so some updating approach would have to be put in place  
Tomasz


> On 23 Feb 2016, at 14:42, Patrik Holmqvist 
> <patrik.holmqvist AT su.se>
>  wrote:
> 
> That is really unfortunate! We have done some tests here now on both OS X 
> and iOS based devices that indicates that every device configured with the 
> mobile.config files before today will stop working 10 days (2016-03-07) 
> after the signing certificate expires (2016-02-26).
> 
> Our test method is based on setting the date to a date in the future and 
> see when it brakes, and it seems like 10 days after expiration is the magic 
> number (maybe this is some kind of grace-period?)
> 
> This will have a major impact on our eduroam user base and I am guessing 
> that we are not the only ones here that will suffer from this. 
> 
> Regards
> Patrik
> 
> -----Original Message-----
> From: Tomasz Wolniewicz 
> [mailto:twoln AT umk.pl]
>  
> Sent: den 23 februari 2016 10:55
> To: Patrik Holmqvist 
> <patrik.holmqvist AT su.se>;
>  
> cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] The new signature on mobileconfig files
> 
> Frankly, I am not sure. I have a feeling that old, already installed 
> profiles may suddenly become "untrusted" the moment that the old signing 
> cert expires. Not sure how the devices will behave if and when this happens.
> 
> in EAPlab we did think of preparing personal certificates expiring in 24 
> hours to be able to test how supplicants for EAP-TLS will behave, but we 
> have not thought of doing a similar thing for mobileconfig files.
> 
> For Windows you can use timestamping which keeps the exe valid even after 
> the signing cert expires (if you do not use timestamping then the exe will 
> start rising alerts). For mobilecofig files I did not find the option to 
> use timestamping in a similar way.
> 
> Tomasz
> 
> 
> W dniu 2016-02-23 o 10:38, Patrik Holmqvist pisze:
>> Hi Tomasz
>> 
>> Just to be clear, this will not impact any already installed profiles on 
>> devices with the "old" file? 
>> Just people that have the old file stored on their device and try to 
>> "install" it after the 26th of February?
>> 
>> --
>> Regards Patrik Holmqvist
>> Stockholm university
>> 
>> -----Original Message-----
>> From: Tomasz Wolniewicz 
>> [mailto:twoln AT umk.pl]
>> Sent: den 22 februari 2016 15:14
>> To: 
>> cat-users AT lists.geant.org
>> Subject: [[cat-users]] The new signature on mobileconfig files
>> 
>> Hi,
>>   we have just turned on the new signing module on CAT mobileconfig files. 
>> It uses the same hardware-token based certificate as the Windows 
>> installers.
>> All cached mobileconfig files have been deleted, the new ones are being 
>> crated as users are accessing them.
>> 
>> If people are redistributing files previously downloaded from CAT, then 
>> please download new copies. The old signing certificate is going to expire 
>> on the 26th of February and the old profiles will become "untrusted".
>> 
>> On the CAT starting page there is now updated information about the 
>> profile signer. TERENA has been replaced with GÉANT.
>> 
>> Yours
>> Tomasz
>> 
> 
> -- 
> Tomasz Wolniewicz    
>          
> twoln AT umk.pl
>         http://www.home.umk.pl/~twoln
> 
> Uczelniane Centrum Informatyczne   Information&Communication Technology 
> Centre
> Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
> pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
> tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: 
> +48-693-032-576
> 
> To unsubscribe, send this message: 
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link: 
> https://lists.geant.org/sympa/sigrequest/cat-users