cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Patrik Holmqvist <patrik.holmqvist AT su.se>
- To: Hans Berggren <hansb AT kth.se>
- Cc: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: RE: [[cat-users]] The new signature on mobileconfig files
- Date: Tue, 23 Feb 2016 18:26:43 +0000
Hi
We have probably overlooked one thing in our testing and therefore caused
some confusion here ...
We are in the middle of a process of changing our radius certificate and we
are planning on doing the change 2016-03-01 and have therefore been pushing
profiles with both the old and the new CA's pinned.
The most probable reason why our profile stopped working when setting the
date to 2016-03-07 is that our current radius certificate expires that day.
We have no real way of confirming this 100% but it sounds a lot more likely
than some strange grace period of 10 days...
So there is probably no reason to worry and I am sorry for the confusion
caused. But at least now we know more than we did before :)
/Patrik
-----Original Message-----
From: Hans Berggren [mailto:hansb AT kth.se]
Sent: 23 February 2016 16:38
To: Patrik Holmqvist <patrik.holmqvist AT su.se>
Cc: Tomasz Wolniewicz <twoln AT umk.pl>; cat-users AT lists.geant.org
Subject: Re: [[cat-users]] The new signature on mobileconfig files
Hi Patrik,
When you say “stops working” do you mean the device won’t even try to connect
to eduroam? I just did a quick test on OS X (Yosemite) with the old profile
by setting the date to a couple of days after March 7.
I get the “Unverified” message for the profile, but can still connect and
log in to eduroam.
Hans
---
Hans Berggren
KTH
KTHLAN
100 44 Stockholm
Tel: +46 8 790 60 00
Email: hansb AT kth.se
> On 23 Feb 2016, at 16:24, Patrik Holmqvist <patrik.holmqvist AT SU.SE> wrote:
>
> There is no warning other than if you go into the profile list you can see
> that it is "unconfirmed" (if I translate the text in the screenshot).
> Then after 10 days it just stops working silently according to our tests.
>
> /Patrik
>
>
> -----Original Message-----
> From: Tomasz Wolniewicz [mailto:twoln AT umk.pl]
> Sent: 23 February 2016 16:08
> To: Patrik Holmqvist <patrik.holmqvist AT su.se>
> Cc: cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] The new signature on mobileconfig files
>
> Did you see any warnings or do they just break down silently?
> There seems little that can be done about this, every certificate will
> expire, so some updating approach would have to be put in place.
> Tomasz
>
>
>> On 23 Feb 2016, at 14:42, Patrik Holmqvist <patrik.holmqvist AT su.se> wrote:
>>
>> That is really unfortunate! We have done some tests here now on both OS X
>> and iOS based devices that indicate that every device configured with the
>> mobile.config files before today will stop working 10 days (2016-03-07)
>> after the signing certificate expires (2016-02-26).
>>
>> Our test method is based on setting the date to a date in the future
>> and seeing when it breaks, and it seems like 10 days after expiration is
>> the magic number (maybe this is some kind of grace period?)
>>
>> This will have a major impact on our eduroam user base and I am guessing
>> that we are not the only ones here that will suffer from this.
>>
>> Regards
>> Patrik
>>
>> -----Original Message-----
>> From: Tomasz Wolniewicz [mailto:twoln AT umk.pl]
>> Sent: 23 February 2016 10:55
>> To: Patrik Holmqvist <patrik.holmqvist AT su.se>; cat-users AT lists.geant.org
>> Subject: Re: [[cat-users]] The new signature on mobileconfig files
>>
>> Frankly, I am not sure. I have a feeling that old, already installed
>> profiles may suddenly become "untrusted" the moment that the old signing
>> cert expires. Not sure how the devices will behave if and when this
>> happens.
>>
>> In EAPlab we did think of preparing personal certificates expiring in 24
>> hours to be able to test how supplicants for EAP-TLS will behave, but we
>> have not thought of doing a similar thing for mobileconfig files.
>>
>> For Windows you can use timestamping which keeps the exe valid even after
>> the signing cert expires (if you do not use timestamping then the exe will
>> start raising alerts). For mobileconfig files I did not find the option to
>> use timestamping in a similar way.
>>
>> Tomasz
>>
>>
>> On 2016-02-23 at 10:38, Patrik Holmqvist wrote:
>>> Hi Tomasz
>>>
>>> Just to be clear, this will not impact any already installed profiles on
>>> devices with the "old" file?
>>> Just people that have the old file stored on their device and try to
>>> "install" it after the 26th of February?
>>>
>>> --
>>> Regards Patrik Holmqvist
>>> Stockholm university
>>>
>>> -----Original Message-----
>>> From: Tomasz Wolniewicz [mailto:twoln AT umk.pl]
>>> Sent: 22 February 2016 15:14
>>> To: cat-users AT lists.geant.org
>>> Subject: [[cat-users]] The new signature on mobileconfig files
>>>
>>> Hi,
>>> we have just turned on the new signing module on CAT mobileconfig files.
>>> It uses the same hardware-token based certificate as the Windows
>>> installers.
>>> All cached mobileconfig files have been deleted, the new ones are being
>>> created as users are accessing them.
>>>
>>> If people are redistributing files previously downloaded from CAT, then
>>> please download new copies. The old signing certificate is going to
>>> expire on the 26th of February and the old profiles will become
>>> "untrusted".
>>>
>>> On the CAT starting page there is now updated information about the
>>> profile signer. TERENA has been replaced with GÉANT.
>>>
>>> Yours
>>> Tomasz
>>>
>>
>> --
>> Tomasz Wolniewicz
>>
>> twoln AT umk.pl
>> http://www.home.umk.pl/~twoln
>>
>> Information & Communication Technology Centre (Uczelniane Centrum Informatyczne)
>> Nicolaus Copernicus University (Uniwersytet Mikolaja Kopernika)
>> pl. Rapackiego 1, Torun, Poland
>> tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
>>
> <eduroam-mac.png>
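
The date-shifting test described in this thread can also be run against the profile file itself instead of a device clock. The following is an added example, not code from the thread or from CAT: it uses OpenSSL's `-attime` option to check whether a signed .mobileconfig still verifies at a chosen time, and prints the signer and RADIUS certificate expiry dates so the two can be told apart. Function names, file names and the throwaway self-signed signer are assumptions; the result shows what OpenSSL accepts, not how iOS or OS X treat an installed profile.

```shell
#!/bin/sh
# Added example, not from the thread. Function and file names are hypothetical.

# cert_not_after PEMFILE: print the notAfter date of a PEM certificate,
# e.g. a RADIUS server certificate or an extracted profile signer.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# signer_not_after PROFILE: extract the signer certificate from a signed
# .mobileconfig (DER-encoded CMS) and print its notAfter date.
signer_not_after() {
    sna_tmp=$(mktemp) || return 1
    openssl cms -verify -noverify -inform DER -in "$1" \
        -signer "$sna_tmp" -out /dev/null 2>/dev/null &&
        cert_not_after "$sna_tmp"
    sna_rc=$?
    rm -f "$sna_tmp"
    return "$sna_rc"
}

# profile_valid_at PROFILE CAFILE EPOCH: exit 0 if the signature and the
# certificate chain verify at EPOCH (seconds since 1970) instead of now.
# -purpose any: the signer may be a code-signing, not an S/MIME, certificate.
profile_valid_at() {
    openssl cms -verify -inform DER -in "$1" -CAfile "$2" \
        -purpose any -attime "$3" -out /dev/null 2>/dev/null
}

# make_constructed_profile DIR DAYS: test data only. Creates a throwaway
# self-signed signer valid for DAYS days and signs a minimal constructed plist.
make_constructed_profile() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=Constructed Profile Signer" \
        -keyout "$1/key.pem" -out "$1/signer.pem" 2>/dev/null || return 1
    printf '%s\n' '<?xml version="1.0"?><plist version="1.0"><dict/></plist>' \
        > "$1/profile.plist"
    openssl cms -sign -binary -nodetach -outform DER \
        -in "$1/profile.plist" -signer "$1/signer.pem" -inkey "$1/key.pem" \
        -out "$1/profile.mobileconfig" 2>/dev/null
}
```

Running `cert_not_after` on the RADIUS server certificate and `signer_not_after` on the distributed profile gives the two dates side by side before any device test is interpreted.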