
cat-users - Re: [[cat-users]] Release of CAT-2.0.0-beta1

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Martin Pauly <pauly AT hrz.uni-marburg.de>, cat-users AT lists.geant.org
  • Cc: eduroam AT dfn.de
  • Subject: Re: [[cat-users]] Release of CAT-2.0.0-beta1
  • Date: Mon, 27 Aug 2018 15:12:57 +0200
  • Autocrypt: addr=stefan.winter AT restena.lu; prefer-encrypt=mutual
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

also to you a big Thank You for trying this out!

>> So the time to test this in a pre-production stage is NOW :-)
> a quick check on Windows 10 shows that the basics do work.
>
> But what about the new features:
>
> 1. Code/Profile Signing
> Windows 10 complained again that this program lacks a recognized
> publisher cert,
> I had to click "Trotzdem ausführen" (Execute despite lacking cert).
> AFAIR, code signing had been announced as one of the upcoming CAT 2.0
> improvements
> on the German mailing list.

The production instance uses an Extended Validation Code Signing
certificate which we are constantly monitoring for expiry time, signing
hardware status etc.

On the test instance right now, you are warned because we used an old
non-EV code signing certificate (those trigger the Windows warnings,
non-EV is not good enough these days) which on top of being non-EV is
also expired :-(

My apologies; this is "only" a deployment issue in the test environment.
The production environment does not face this same issue.

If you want to see the real signing certs and the Windows behaviour with
those, I can only suggest you download an installer from another
institution on the current production site (cat.eduroam.org) and launch
it on your system. This will be the behaviour you get once we deploy the
new version in production.

> 2. Built-In sanity check of username
> Me and others had a bit of trouble getting the username right during
> the Windows install. No big deal, but Tomasz Wolniewicz wrote:
>>   in eduroam CAT 2.0 we will have an option to either just nag the user
>> about missing realm or even to pre-fill the realm with a configured
>> string.
>
> Stefan Winter wrote today:
>> The upcoming version 2.0 allows the administrator to decide if
>> a) such a hint should be provided to the user (input box is prefilled
>> with realm ending) and/or
>> b) the installer should actively verify the presence of a realm name in
>> the input, and refuse to continue installation if not.
>>
>> Both of these are then checkboxes on the Profile level.
>
> So for 2., we will have to edit our profile first, right?

Yes, those are checkboxes you have to set as an admin. They are by
default off (which is then producing the identical behaviour that version
1.1 did).

> (presumably not yet productive for German admins)

Yes and no. Your data has been imported and you can edit your profile
*if* your eduGAIN/DFN-AAI/social account is linked to your institution.

During the merge of the German and World datasets, the table that saves
the "ownership" data of which person administers which institution has
been omitted, for two reasons:

- the user identifiers are personal data, and there was no sufficient
argument to transfer this data
- the data is actually useless because eduGAIN/DFN-AAI are
privacy-preserving by default themselves: even when you log into both
the old and the new website with the same actual identifiers, the
websites only get to see a per-website opaque user identifier. I.e. it
is not possible to recognise "you" across the sites, and the mapping fails.

So, as of today, the German IdPs in the test system have no owners. This
is known also to the personnel at DFN.

That being said, DFN personnel of course has NRO-level access to CAT,
also on this test site, and can send institution administrator
invitations to re-establish the mapping. You will have to contact DFN to
get that done for you, and then you can edit your profile.

Note that it *will* (well, "should" - we haven't ever done it but
nothing seems to prevent it) be possible to preserve the ownership
mapping between test and prod later on; they are both sub-services under
one SAML SP (eduroam Service Provider Proxy) so if DFN enables your
access to the system now in the test phase you shouldn't need to re-do
that again later on during production time.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
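
The message above explains why the ownership table could not be carried over (each website sees its own opaque user identifier) and why test and production, sitting behind one SAML SP, should share the mapping. The following is an added example, not part of the original mail and not CAT or DFN-AAI code. It assumes a salted HMAC over the SP entityID and the local user name as the pairwise derivation; the salt, user names and entityIDs are constructed placeholders.

```python
import hashlib
import hmac

# Constructed values: salt, user names and entityIDs are placeholders.
IDP_SALT = b"constructed-idp-secret-salt"
OLD_SITE_SP = "https://old-cat.example.org/sp"    # hypothetical old German site
SHARED_PROXY_SP = "https://sp-proxy.example.org/sp"  # hypothetical shared SP proxy


def pairwise_id(local_user: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Opaque identifier: stable for one (user, SP) pair, unlinkable across SPs."""
    msg = f"{sp_entity_id}!{local_user}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def migrate_owners(owners: dict, ids_seen_by_target: set) -> dict:
    """Carry an owner table (opaque id -> institution) over to another site.

    Only rows whose identifier the target site can actually observe survive.
    """
    return {uid: inst for uid, inst in owners.items() if uid in ids_seen_by_target}


def demo() -> dict:
    admins = {"alice": "Uni A", "bob": "Uni B"}

    # Owner table as stored by the old site, keyed by what that SP was given.
    old_table = {pairwise_id(u, OLD_SITE_SP): inst for u, inst in admins.items()}
    # The same people log in via a different SP and present different identifiers.
    proxy_ids = {pairwise_id(u, SHARED_PROXY_SP) for u in admins}
    across_sps = migrate_owners(old_table, proxy_ids)

    # Test and production behind one SP: both receive the same identifiers.
    test_table = {pairwise_id(u, SHARED_PROXY_SP): inst for u, inst in admins.items()}
    same_sp = migrate_owners(test_table, proxy_ids)
    return {"across_sps": across_sps, "same_sp": same_sp}


if __name__ == "__main__":
    result = demo()
    print("owners recovered across different SPs:", len(result["across_sps"]))
    print("owners recovered behind one SP:", len(result["same_sp"]))
```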



