cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Paul Dekkers <paul.dekkers AT surf.nl>
- To: Andrea Delise <delise AT sissa.it>
- Cc: <patrick.oberli AT ost.ch>, <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] Multiple CA - Android
- Date: Mon, 7 Dec 2020 13:07:38 +0100
Hi Andrea,
> On 7 Dec 2020, at 12:03, Andrea Delise <delise AT sissa.it> wrote:
>
> Hi Paul and Patrick, thanks for your replies.
>
> On 07/12/20 09:04, Paul Dekkers wrote:
>
>> I had a hypothesis that the error showed up because of installing a
>> private CA; I see your current CA is from DigiCert: what are you planning
>> to replace it with? If that’s a self-signed CA, my hypothesis could still
>> stand. If it’s Sectigo instead of DigiCert, it could still be that my
>> unlock pattern is perceived stronger by Android than a pin-code (with a
>> particular length: related to the requirement for Exchange servers too).
>
> I have managed to get a test wifi with the new certificate. The CA I was
> adding to Digicert was Sectigo. But the testing device was kindly provided
> by a colleague, so I couldn't perform many tests. And I couldn't play much
> with its security configuration, sorry... The device (a Samsung A40) was
> using a pattern lock, I tried to switch it to pin lock (I do not remember
> the pin lenght).
>
> I could get my hands on another Samsung Android device in a couple of days,
> in case I'll let you know.
Ok. It was mostly about reproducing things; I may just have a different
Android build on my S10, but I was unable to see the issues the last two
reports stumbled upon!
>
>> I’m also very curious if on this particular device and profile the
>> “geteduroam” App works for you. (The plan is to suggest geteduroam for
>> Android 8+ instead of the existing eduroam CAT app, and it may or may not
>> solve the problem: but that’s important to know.) We paid attention to,
>> and did test, multiple CAs. And it consumes the eduroam CAT profiles just
>> fine.
>
> Do you refer to the Samsung lock problem, or to the multiple CA
> installation? Is the geteduroam app available for all eduroam institutions?
It is! It reads all institutions and profiles from eduroam CAT (it caches
this, so there is a bit of a delay). So any profile in CAT should be usable
in geteduroam.
We thought there should not be an(other) eduroam App in the stores if it’s
not generic and for everyone to use. (There are already too many that target
just a few users or a single organization.) So you can just try geteduroam
and see how it works for you.
We test geteduroam with a few scenario’s and devices, and one of those
scenario’s is multiple CAs. FWIW; there is also a scenario where geteduroam
creates an eduroam-specific (pseudo) account for you, but that’s not the way
the majority of the users will (currently) use it.
> For the multiple CA, that is my main concern now, my fear is that CAT
> installs the correct CA file with both CA, but some Android devices refuse
> to look further the first CA in the file. My main question remains: what
> are the community statistics about installation and usage of multiple CA on
> android < 10? Am I the unlucky guy?
I can’t answer that myself, but from what I’ve seen many do a “hard
rollover”, or tell their Android users about possible issues. Or say “from
day X the profiles from CAT use the new certificates”.
> I read the documentation more carefully, and it says:
>
> Android 7.1 finally got its support for multiple trust roots; the
> eduroamCAT app will support that in a future update.
Oh. I did not check, I assumed by what people wrote here. In that case, it
may not be in eduroam CAT - but it for sure is in geteduroam.
> What is the current state of the app? Is it supported? To my tests it looks
> working, but only for Android >=10...
Which is funny, because the eduroam CAT app uses APIs that are officially
deprecated from >=10 ;-)
The current plan is to suggest from the eduroam CAT pages to use the
geteduroam App on Android 8+, since geteduroam doesn’t do anything below. The
geteduroam Apps do receive more development and updates, so in case we see
problems we may be able to fix that in the future. (In particular on Android
11 up, we need an entirely new way of configuring networks via the API/SDK
than what is done in the current eduroam CAT App.)
Paul
- [[cat-users]] Multiple CA - Android, Andrea Delise, 12/07/2020
- RE: [[cat-users]] Multiple CA - Android, Patrick Oberli, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/10/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/10/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/11/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/10/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/10/2020
- Re: [[cat-users]] Multiple CA - Android, Paul Dekkers, 12/07/2020
- Re: [[cat-users]] Multiple CA - Android, Andrea Delise, 12/07/2020
Archive powered by MHonArc 2.6.19.