Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. International Grid Trust Federation to introduce new authorities
2. New distribution (1.0) with new layout and authorities
Summary of changes
Notice on directory structure
RPM distribution and meta-packages
Info meta-data for authorities
Obsoleting of the EUGridPMA meta-package by the IGTF policy
RPM GPG signing
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
(this issue is archived at
https://www.eugridpma.org/newsletter/eugridpma-newsletter-20051025.txt)
=========================================================================
1. International Grid Trust Federation to introduce new authorities
=========================================================================
With the foundation of the International Grid Trust Federation (IGTF)
on October 5th, the authentication profile (minimum requirements)
guidelines on X.509 CAs with secured infrastructure has been accepted
as the basis for accrediting "classic" authorities by all three PMAs:
not only the EUGridPMA, but also the APGridPMA (for the Asia Pacific
region) and the TAGPMA (covering the Americas).
In the AP region, four authorities have been accredited according
to this profile, following an in-depth review and an on-site audit.
This includes the two authorities (IHEP in Beijing and ASGCC in Taipei)
that were already previously accredited by the EUGridPMA.
The APGridPMA also brings in two new CAs: KISTI (South Korea) and
AIST (Japan).
The EUGridPMA will from now on distribute the entire corpus of
IGTF accredited CAs, regardless of their accrediting PMA (as announced
in the October 6th newsletter). Today, this includes the "classic"
profile only, but in the near future also the new profile covering
short-lived credential services ("slcs"). If you have previously
accepted the assurance level for classic CAs from the EUGridPMA, we
suggest you place equal trust in the IGTF "classic" profile. You
should make a new trust assessment with respect to the SLCS profile,
once this profile has been accepted by its maintaining body, the TAGPMA.
This advice is reflected in the upgrade path for the EUGridPMA
distribution format, as explained below.
For more information regarding the IGTF, please refer to the
IGTF or EUGridPMA web site at:
http://www.gridpma.org/
=========================================================================
2. New distribution (1.0) with new layout and formats
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. As several major changes
have been introduced in this release, and because of the use of a
common distribution format throughout the IGTF, the version number
has been bumped to 1.0. Future releases will sequentially increment
this number (1.1, 1.2 ... 1.9, 1.10, 1.11, ... 1.1201, etc.)
This is version 1.0, release 1, and it is now available for download
from the EUGridPMA repository at
https://www.eugridpma.org/distribution/igtf/1.0/
or
https://www.eugridpma.org/distribution/igtf/current/
You can download the new packages and install them at your convenience.
Summary of changes
------------------
Changes from 0.32 to 1.0
-------------------------
(25 October 2005)
* IGTF policy meta-packages replace EUGridPMA-only ones. The legacy
"ca_policy_eugridpma" RPMs now depend on their IGTF counterparts. The
EUGridPMA specific files will be withdrawn in a future release.
* New directory structure moves all data regarding accredited authorities
  to the single "accredited/" directory (including the policy meta-RPM)
* Tar-ball installation now supports multiple profiles and targets
* Meta-data (".info") for each CA added, and installed in trusted directory
* The "experimental" profile supersedes the "others/" area in the distribution
  (note: this affects the FNAL_KCA, which may shortly be added as an
  accredited authority under a new Short-Lived Credential Services profile)
* Discontinued authorities are no longer distributed
* APGridPMA accreditations added: KISTI and AIST
* New EUGridPMA accreditations: TR-Grid and BalticGrid
* CRL URL for SiGNET changed to http instead of https
* Added compatibility namespace for NIIF "/C=HU/O=NIIF CA/OU=NIIF/OU=GRID/*"
Notice on directory structure
-----------------------------
*** *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.0-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When an
authentication profile (SLCS) suitable for the KCA has been
accepted by the TAGPMA, the location of this authority will be
reconsidered.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.0" and release "1".
RPM distribution and meta-packages
----------------------------------
For those using an RPM-based Linux distribution, a "meta-RPM" is available
from the repository, ca_policy_igtf-classic-1.0-1.noarch.rpm, that contains
dependencies on the RPMs of all accredited CAs. The repository is
suitable for "yum" based automatic updates, by adding to the yum.conf file:

  [eugridpma]
  name=EUGridPMA
  baseurl=http://www.eugridpma.org/distribution/igtf/current/
  gpgcheck=1

Also "apt" is supported. See
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
for details.
Info meta-data for authorities
------------------------------
The RPM packages (and the files installed via the accredited tar bundle)
now also include a ".info" file for each installed root certificate.
This info file contains important meta-data regarding the CA, in a plain-
text "attribute=value" format. At a minimum, this file will contain:

  alias     preferred short name of the CA
  status    accreditation profile name (or "worthless/experimental")
  email     contact address of the CA for incidents
  sha1fp    SHA1 fingerprint of the certificate
  version   version number of the package that contains this CA

The file may contain comments (i.e. lines starting with "#"). For an
example, unpack the igtf-accredited bundle from the accredited/ directory:
igtf-policy-accredited-bundle-1.0.tar.gz
and look at, e.g., "igtf-policy-accredited-bundle-1.0/16da7552.info"
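The ".info" file gives a relying party two things worth checking automatically before a trust anchor is accepted into the trusted directory: that its "status" names a profile you have decided to trust (and not "worthless" or "experimental"), and that its "sha1fp" matches the certificate that is actually installed beside it. The following is an added example, written for this newsletter and not code from the EUGridPMA or IGTF distribution. It assumes the fingerprint is the SHA-1 over the DER encoding of the certificate and accepts it either as colon-separated or bare hex (the exact formatting of the attribute is an assumption); the certificate bytes and the ".info" text are constructed placeholders, not a real CA.

```python
"""Check a trust anchor's .info meta-data against the installed certificate.

Added example for the EUGridPMA/IGTF ".info" format described above; not
code from the distribution itself. The sample certificate is a placeholder.
"""
import base64
import hashlib
import re

# Profiles this relying party has decided to trust (assumption: the status
# attribute carries the profile name, "classic" as used in the newsletter).
ACCEPTED_PROFILES = {"classic"}

# Attributes the newsletter says are always present.
REQUIRED = ("alias", "status", "email", "sha1fp", "version")

# Constructed sample: NOT a real certificate, just placeholder DER bytes so
# the fingerprint comparison can be exercised offline.
SAMPLE_DER = b"placeholder DER bytes standing in for a CA certificate"


def der_to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (for the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem_text):
    """Decode the base64 body of the first PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint(der):
    """SHA-1 over the DER encoding, rendered as colon-separated uppercase hex."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def normalize_fp(fp):
    """Reduce 'AB:CD:..' or 'abcd..' to 'ABCD..' so formats compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def parse_info(text):
    """Parse attribute=value lines; blank lines and '#' comments are skipped."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed .info line: %r" % raw)
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip()
    return info


def check_trust_anchor(info_text, pem_text, accepted_profiles=ACCEPTED_PROFILES):
    """Return (ok, reasons). ok is True only if every required attribute is
    present, the status is an accepted profile, and the sha1fp matches the
    fingerprint of the certificate actually installed."""
    reasons = []
    try:
        info = parse_info(info_text)
    except ValueError as exc:
        return False, [str(exc)]
    missing = [k for k in REQUIRED if k not in info]
    if missing:
        reasons.append("missing attributes: " + ", ".join(missing))
    status = info.get("status", "")
    if status not in accepted_profiles:
        reasons.append("status %r is not an accepted profile" % status)
    if "sha1fp" in info:
        try:
            actual = sha1_fingerprint(pem_to_der(pem_text))
        except Exception as exc:
            reasons.append("cannot read certificate: %s" % exc)
        else:
            if normalize_fp(info["sha1fp"]) != normalize_fp(actual):
                reasons.append("sha1fp mismatch: info %s, cert %s"
                               % (info["sha1fp"], actual))
    return not reasons, reasons


# Constructed sample .info file (attribute names from the newsletter).
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
SAMPLE_INFO = """# constructed example, not a real CA
alias = ExampleCA
status = classic
email = ca-incidents@example.org
sha1fp = %s
version = 1.0
""" % sha1_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    print(check_trust_anchor(SAMPLE_INFO, SAMPLE_PEM))
    print(check_trust_anchor(SAMPLE_INFO, der_to_pem(SAMPLE_DER + b"x")))
```

Run over a real trusted directory, the same function can be applied to every "<hash>.info" / "<hash>.0" pair; a mismatch on sha1fp, or a status outside the profiles you accept, means the anchor should be removed rather than silently trusted.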
Obsoleting of the EUGridPMA meta-package by the IGTF policy
-----------------------------------------------------------
In previous releases, a similar meta-package for bulk installations,
called "ca_policy_eugridpma-classic-<ver>-<rel>" has been provided.
Following our recommendation to extend your trust to all IGTF accredited
"classic" authorities, you are requested now to install
"ca_policy_igtf-classic-1.0-1" and un-install the obsolete eugridpma-only
meta-package. There will no longer be a meta-package with only EUGridPMA
accredited CAs.
For compatibility purposes, the ca_policy_eugridpma-classic package is
still provided with release 1.0, but has a single dependency on the
entire ca_policy_igtf-classic bundle. If you do automatic updating
using this meta-package, you will *automatically* add all IGTF accredited
"classic" authorities to your list of trusted authorities.
For release 1.0, this means that KISTI and AIST will be added. We are
sure this matches the expectations of our relying parties, and
it implements the EUGridPMA and IGTF recommendations on compatible
assurance levels between the PMAs. For policy-related issues, please
refer to the IGTF Federation Document for details.
Similar considerations hold for the tar-based installation using the
"configure && make && make install" mechanism. This accredited bundle
(which supports all authentication profiles using the "--with-profile="
mechanism) also contains all IGTF accredited CAs.
RPM GPG signing
---------------
This new RPM distribution is again shipped as GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) wherever possible.
=========================================================================
Next Release
=========================================================================
The next release of the CA RPMs is to be expected around November 2005
(of course barring special circumstances).
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. There will be a common distribution format across
the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
Today, at the 15th Global Grid Forum in Boston, the International Grid
Trust Federation was officially established. With this, the process
started almost five years ago has reached a new milestone:
http://www.gridpma.org/docs/igtf-newsrelease-20051005.pdf
The IGTF is a federation of certification authorities or grid policy
management authorities (grid PMAs), and the major grid infrastructure
projects that together define the policies and standards for grid
identity management. Comprising the three regional grid policy management
bodies, the EUGridPMA, the Asia Pacific Grid PMA (APGridPMA), and The
Americas GridPMA (TAGPMA), the federation today has 61 members and
covers 50 countries and regions.
The new federation builds on the foundations laid by the EUGridPMA. The
same minimum requirements on classic CAs that have been the basis of the
EUGridPMA have been adopted by all IGTF members, so that relying parties
can have the same level of trust in the CAs that are accredited by the
APGridPMA and the TAGPMA.
The new distribution of trust anchors will reflect this equivalence, by
distributing new common meta-packages "ca_policy_igtf" that replace the
current EUGridPMA-only bundles. The IGTF meta-packages will contain
all CAs accredited under a given profile, regardless of their regional
affiliation.
The APGridPMA and TAGPMA have at the same time enriched the federation with
new profiles that enable more high-quality identity providers to issue
certificates. They will be issuing credentials to users in their own
organisation, leveraging strong local methods of authentication, like
Kerberos.
These "short-lived credential generation services" usually issue (proxy)
certificates valid for hours or a few days, thus eliminating the need for
long-term key management by the end-user. It is expected that by November
this year the PMAs will be able to distribute a bundle of CAs accredited
under this new "SLCGS" Authentication Profile.
For the activities of the IGTF, pointers to all authentication profiles,
and the IGTF Charter, please go to the web site at:
http://www.gridpma.org/
or look at any of the regional PMA pages for the IGTF information.
A new distribution (0.33) is due by the end of October 2005.
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/