Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] The new signature on mobileconfig files

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] The new signature on mobileconfig files


Chronological Thread 
  • From: Hans Berggren <hansb AT kth.se>
  • To: Patrik Holmqvist <patrik.holmqvist AT su.se>
  • Cc: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] The new signature on mobileconfig files
  • Date: Tue, 23 Feb 2016 15:37:53 +0000
  • Accept-language: sv-SE, en-US

Hi Patrik,

When you say “stops working” do you mean the device won’t even try to connect
to eduroam? I just did a quick test on OS X (yosemite) with the old profile
by setting the date to a couple of days after march 7.
I get the “Unverified” message for the profile, but can still connect and
login to eduroam.

Hans

---
Hans Berggren
KTH
KTHLAN
100 44 Stockholm
Tel: +46 8 790 60 00
Email:
hansb AT kth.se

> On 23 feb 2016, at 16:24, Patrik Holmqvist
> <patrik.holmqvist AT SU.SE>
> wrote:
>
> There is no warning other than if you go in to the profile list you can see
> that it is "unconfimed" (if i translate the text in the screenshot).
> Then after 10 days it just stops working silently according to our tests.
>
> /Patrik
>
>
> -----Original Message-----
> From: Tomasz Wolniewicz
> [mailto:twoln AT umk.pl]
>
> Sent: den 23 februari 2016 16:08
> To: Patrik Holmqvist
> <patrik.holmqvist AT su.se>
> Cc:
> cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] The new signature on mobileconfig files
>
> Did you see any warnings or do they just break down silently?
> there seems little that can be done about this, evey certificate will
> expire, so some updating approach would have to be put in place Tomasz
>
>
>> On 23 Feb 2016, at 14:42, Patrik Holmqvist
>> <patrik.holmqvist AT su.se>
>> wrote:
>>
>> That is really unfortunate! We have done some tests here now on both OS X
>> and iOS based devices that indicates that every device configured with the
>> mobile.config files before today will stop working 10 days (2016-03-07)
>> after the signing certificate expires (2016-02-26).
>>
>> Our test method is based on setting the date to a date in the future
>> and see when it brakes, and it seems like 10 days after expiration is
>> the magic number (maybe this is some kind of grace-period?)
>>
>> This will have a major impact on our eduroam user base and I am guessing
>> that we are not the only ones here that will suffer from this.
>>
>> Regards
>> Patrik
>>
>> -----Original Message-----
>> From: Tomasz Wolniewicz
>> [mailto:twoln AT umk.pl]
>> Sent: den 23 februari 2016 10:55
>> To: Patrik Holmqvist
>> <patrik.holmqvist AT su.se>;
>>
>> cat-users AT lists.geant.org
>> Subject: Re: [[cat-users]] The new signature on mobileconfig files
>>
>> Frankly, I am not sure. I have a feeling that old, already installed
>> profiles may suddenly become "untrusted" the moment that the old signing
>> cert expires. Not sure how the devices will behave if and when this
>> happens.
>>
>> in EAPlab we did think of preparing personal certificates expiring in 24
>> hours to be able to test how supplicants for EAP-TLS will behave, but we
>> have not thought of doing a similar thing for mobileconfig files.
>>
>> For Windows you can use timestamping which keeps the exe valid even after
>> the signing cert expires (if you do not use timestamping then the exe will
>> start rising alerts). For mobilecofig files I did not find the option to
>> use timestamping in a similar way.
>>
>> Tomasz
>>
>>
>> W dniu 2016-02-23 o 10:38, Patrik Holmqvist pisze:
>>> Hi Tomasz
>>>
>>> Just to be clear, this will not impact any already installed profiles on
>>> devices with the "old" file?
>>> Just people that have the old file stored on their device and try to
>>> "install" it after the 26th of February?
>>>
>>> --
>>> Regards Patrik Holmqvist
>>> Stockholm university
>>>
>>> -----Original Message-----
>>> From: Tomasz Wolniewicz
>>> [mailto:twoln AT umk.pl]
>>> Sent: den 22 februari 2016 15:14
>>> To:
>>> cat-users AT lists.geant.org
>>> Subject: [[cat-users]] The new signature on mobileconfig files
>>>
>>> Hi,
>>> we have just turned on the new signing module on CAT mobileconfig files.
>>> It uses the same hardware-token based certificate as the Windows
>>> installers.
>>> All cached mobileconfig files have been deleted, the new ones are being
>>> crated as users are accessing them.
>>>
>>> If people are redistributing files previously downloaded from CAT, then
>>> please download new copies. The old signing certificate is going to
>>> expire on the 26th of February and the old profiles will become
>>> "untrusted".
>>>
>>> On the CAT starting page there is now updated information about the
>>> profile signer. TERENA has been replaced with GÉANT.
>>>
>>> Yours
>>> Tomasz
>>>
>>
>> --
>> Tomasz Wolniewicz
>>
>> twoln AT umk.pl
>> http://www.home.umk.pl/~twoln
>>
>> Uczelniane Centrum Informatyczne Information&Communication Technology
>> Centre
>> Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
>> pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
>> tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.:
>> +48-693-032-576
>>
>> To unsubscribe, send this message:
>> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
>> Or use the following link:
>> https://lists.geant.org/sympa/sigrequest/cat-users
> To unsubscribe, send this message:
> mailto:sympa AT lists.geant.org?subject=unsubscribe%20cat-users
> Or use the following link:
> https://lists.geant.org/sympa/sigrequest/cat-users
> <eduroam-mac.png>



Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.19.

Top of Page