The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Hans Berggren <hansb AT kth.se>]

Hi Patrik,

When you say “stops working” do you mean the device won’t even try to connect 
to eduroam? I just did a quick test on OS X (yosemite) with the old profile 
by setting the date to a couple of days after march 7.
I get the “Unverified” message for the profile, but can still connect and 
login to eduroam.

Hans

---
Hans Berggren
KTH
KTHLAN
100 44 Stockholm
Tel: +46 8 790 60 00
Email: 
hansb AT kth.se

> On 23 feb 2016, at 16:24, Patrik Holmqvist 
> <patrik.holmqvist AT SU.SE>
>  wrote:
> 
> There is no warning other than if you go in to the profile list you can see 
> that it is "unconfimed" (if i translate the text in the screenshot).
> Then after 10 days it just stops working silently according to our tests.
> 
> /Patrik
> 
> 
> -----Original Message-----
> From: Tomasz Wolniewicz 
> [mailto:twoln AT umk.pl]
>  
> Sent: den 23 februari 2016 16:08
> To: Patrik Holmqvist 
> <patrik.holmqvist AT su.se>
> Cc: 
> cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] The new signature on mobileconfig files
> 
> Did you see any warnings or do they just break down silently?
> there seems little that can be done about this, evey certificate will 
> expire, so some updating approach would have to be put in place Tomasz
> 
> 
>> On 23 Feb 2016, at 14:42, Patrik Holmqvist 
>> <patrik.holmqvist AT su.se>
>>  wrote:
>> 
>> That is really unfortunate! We have done some tests here now on both OS X 
>> and iOS based devices that indicates that every device configured with the 
>> mobile.config files before today will stop working 10 days (2016-03-07) 
>> after the signing certificate expires (2016-02-26).
>> 
>> Our test method is based on setting the date to a date in the future 
>> and see when it brakes, and it seems like 10 days after expiration is 
>> the magic number (maybe this is some kind of grace-period?)
>> 
>> This will have a major impact on our eduroam user base and I am guessing 
>> that we are not the only ones here that will suffer from this. 
>> 
>> Regards
>> Patrik
>> 
>> -----Original Message-----
>> From: Tomasz Wolniewicz 
>> [mailto:twoln AT umk.pl]
>> Sent: den 23 februari 2016 10:55
>> To: Patrik Holmqvist 
>> <patrik.holmqvist AT su.se>;
>>  
>> cat-users AT lists.geant.org
>> Subject: Re: [[cat-users]] The new signature on mobileconfig files
>> 
>> Frankly, I am not sure. I have a feeling that old, already installed 
>> profiles may suddenly become "untrusted" the moment that the old signing 
>> cert expires. Not sure how the devices will behave if and when this 
>> happens.
>> 
>> in EAPlab we did think of preparing personal certificates expiring in 24 
>> hours to be able to test how supplicants for EAP-TLS will behave, but we 
>> have not thought of doing a similar thing for mobileconfig files.
>> 
>> For Windows you can use timestamping which keeps the exe valid even after 
>> the signing cert expires (if you do not use timestamping then the exe will 
>> start rising alerts). For mobilecofig files I did not find the option to 
>> use timestamping in a similar way.
>> 
>> Tomasz
>> 
>> 
>> W dniu 2016-02-23 o 10:38, Patrik Holmqvist pisze:
>>> Hi Tomasz
>>> 
>>> Just to be clear, this will not impact any already installed profiles on 
>>> devices with the "old" file? 
>>> Just people that have the old file stored on their device and try to 
>>> "install" it after the 26th of February?
>>> 
>>> --
>>> Regards Patrik Holmqvist
>>> Stockholm university
>>> 
>>> -----Original Message-----
>>> From: Tomasz Wolniewicz 
>>> [mailto:twoln AT umk.pl]
>>> Sent: den 22 februari 2016 15:14
>>> To: 
>>> cat-users AT lists.geant.org
>>> Subject: [[cat-users]] The new signature on mobileconfig files
>>> 
>>> Hi,
>>>  we have just turned on the new signing module on CAT mobileconfig files. 
>>> It uses the same hardware-token based certificate as the Windows 
>>> installers.
>>> All cached mobileconfig files have been deleted, the new ones are being 
>>> crated as users are accessing them.
>>> 
>>> If people are redistributing files previously downloaded from CAT, then 
>>> please download new copies. The old signing certificate is going to 
>>> expire on the 26th of February and the old profiles will become 
>>> "untrusted".
>>> 
>>> On the CAT starting page there is now updated information about the 
>>> profile signer. TERENA has been replaced with GÉANT.
>>> 
>>> Yours
>>> Tomasz
>>> 
>> 
>> -- 
>> Tomasz Wolniewicz    
>>         
>> twoln AT umk.pl
>>         http://www.home.umk.pl/~twoln
>> 
>> Uczelniane Centrum Informatyczne   Information&Communication Technology 
>> Centre
>> Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
>> pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
>> tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: 
>> +48-693-032-576
>> 
>> To unsubscribe, send this message: 
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use the following link: 
>> https://lists.geant.org/sympa/sigrequest/cat-users
> To unsubscribe, send this message: 
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link: 
> https://lists.geant.org/sympa/sigrequest/cat-users
> <eduroam-mac.png>

Attachment: smime.p7s
Description: S/MIME cryptographic signature