cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Aaron Wyatt <aaron.wyatt AT bc.edu>
- Cc: cat-users AT lists.geant.org, Michael Davis <davis AT udel.edu>
- Subject: Re: [[cat-users]] CAT and existing profiles
- Date: Fri, 3 Mar 2017 07:51:24 +0100
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello,
> For us, in one example a person moves from an institution that is also
> an eduroam IdP, to our campus-- either as a student or faculty or staff
> member. Their old credentials are invalid and they use CAT to install
> our profile. Are you saying that the old profile will not be removed
> because it has a different UUID?
Well, the fact that he gets another credential from doesn't
automatically mean his old credential goes away - they could both be
valid; and it would be undue to generously delete it from our side.
The UUID is calculated based on five inputs
- a constant prefix
- the consortium name ("eduroam")
- the country identifier (e.g. "US")
- the institution name (in the user's locale at download time)
- the profile name (in the user's locale at download time)
So, different IdPs get a different UUID. And yes, then macOS / iOS
install both.
I don't think there's a feature to request or a bug to fix in that case.
It's allowed for a human to have more than one eduroam account, and we
don't know if the previous one expired or not, and if it maybe has a
reason for continued existence. So there's no deletion action to take
just because another IdP's credential is added.
> In another case, we change a configuration in our CAT profile because we
> need to modify our trusted root CA / intermediate CA / server CA. Does
> this then generate a new UUID and therefore would not remove the old
> profile if re-installed?
No, as you can see from the above explanation, that condition keeps the
UUID (unless you also change inst name or profile name at the same time).
There is the remote possibility that you have inst or profile names in
different languages, and that a user installed the profile once in one
locale and once in another. Can we assume that this is not the situation
we are looking at?
> I believe I've seen what UDel reports regarding macOS and iOS. I can do
> some testing and provide more info.
Please do test against the CA change. This is meant to maintain the same
PayloadUUID and overwrite old settings. If it does not, then we're
looking at bugland.
It might help to send me two profiles off-list, old vs. new.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
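The install behaviour described in the message above, as an added example that is not part of the original mail and is not CAT's own code. The mail names the five UUID inputs but not how they are combined, so the UUIDv5 derivation, the prefix value, the institution names and the CA names here are all assumptions or constructed samples.

```python
import uuid

# Assumption: the mail lists the five inputs but not how CAT combines them.
# This sketch uses a name-based UUIDv5 over the joined inputs as a stand-in.
PREFIX = "example-constant-prefix"  # constructed placeholder, not CAT's value


def payload_uuid(consortium, country, inst_name, profile_name, prefix=PREFIX):
    """Derive a deterministic UUID from the five inputs named in the mail."""
    # A unit separator keeps ("ab", "c") and ("a", "bc") from colliding.
    name = "\x1f".join([prefix, consortium, country, inst_name, profile_name])
    return str(uuid.uuid5(uuid.NAMESPACE_URL, name))


def install(device, profile):
    """Model the device: a known PayloadUUID is overwritten, a new one is added."""
    replaced = profile["uuid"] in device
    device[profile["uuid"]] = profile
    return replaced


def make_profile(country, inst, name, root_ca):
    # root_ca travels in the profile but is deliberately NOT a UUID input.
    return {"uuid": payload_uuid("eduroam", country, inst, name),
            "inst": inst, "root_ca": root_ca}


def simulate():
    device, results = {}, {}
    # Constructed sample institutions and CA names.
    install(device, make_profile("US", "Old University", "Staff", "Old Root CA"))
    new_idp = make_profile("US", "New College", "Staff", "Root CA 1")
    results["idp_move_replaced"] = install(device, new_idp)
    # CA rollover at the same IdP: institution and profile name unchanged.
    rollover = make_profile("US", "New College", "Staff", "Root CA 2")
    results["ca_change_replaced"] = install(device, rollover)
    # Same IdP downloaded in another locale: the localized names differ.
    localized = make_profile("US", "Nouveau Collège", "Personnel", "Root CA 2")
    results["locale_change_replaced"] = install(device, localized)
    results["installed"] = len(device)
    return results


if __name__ == "__main__":
    print(simulate())
```

Only the CA rollover overwrites an existing entry; the IdP move and the locale change each leave a second profile on the device.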