Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New distribution (0.31) with repairs and clarifications
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New distribution version 0.31
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, release
version 0.31, is now available for download from the EUGridPMA Repository
https://www.eugridpma.org/distribution/current/
Note that this updates the previous release that was issued three days
ago. There are two reasons for this update:
* The Russian Data Intensive Grid (RDIG) CA was accidentally
  left out of the accredited list. Thus, if you install the
  old release, you will not get the RDIG CA, contrary to the
  release notes.
* There was confusion about which CAs were actually accredited,
  and are thus "safe" to install in a production system.
  *ONLY* CAs IN THE "accredited/" DIRECTORY and
  THE CAs INSTALLED USING THE ca_policy_eugridpma-0.31-1.noarch.rpm
  ARE ACCREDITED
  Do *not* install certificates from the "worthless/", "other/",
  or "discontinued/" directories, except if you yourself review
  and accept their policy and practice statement. The EUGridPMA
  provides these certificates in this format for your convenience
  only, and to allow graceful changeover for legacy installations.
You can download the new packages and install them at your convenience.
Changes from 0.30 to 0.31
-------------------------
(15 July 2005)
* Corrected packaging problem which left RDIG out of accredited CA group
* Renamed the "unknown/" directory to "discontinued/"
* Added explanatory text to the distribution regarding the "other/",
  "worthless/" and "discontinued/" directories
For those using an RPM-based Linux distribution, a "meta-RPM" is available
from the repository, ca_policy_eugridpma-0.31-1.noarch.rpm, that contains
dependencies on the RPMs of all accredited CAs. The repository is
suitable for "yum" based automatic updates.
This is the first RPM distribution that will (on an experimental basis)
use GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to
the public key servers, along with my signature as the EUGridPMA
Chair (keyID 6F298418). The key is also contained in the repository.
The next release of the CA RPMs is to be expected around August 2005,
(of course barring special circumstances). The format of those new releases
is currently under consideration. If you want to contribute to the
discussion or to suggest improvements to have it better suit your needs,
please contact the PMA at <info(a)eugridpma.org>. There will be a common
distribution format across the entire IGTF (i.e. all three PMAs).
Dear CAs, Relying Parties, Users, and all others interested,
This is the EUGridPMA "announcements" newsletter to
keep relying parties and other interested parties informed of
important news regarding your trusted certification authorities.
In this announcement of the EUGridPMA:
1. New distribution (0.30) to include new CAs and important changes
2. International Grid Trust Federation (IGTF) to extend trust
   fabric to a global level about to be established
3. Overview of changes for member authorities
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New distribution version 0.30
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, release
version 0.30, is now available for download from the EUGridPMA Repository
https://www.eugridpma.org/distribution/current/
You can download the new packages and install them at your convenience.
Changes from 0.29 to 0.30
-------------------------
(12 July 2005)
* Added IHEP CA for China
* Added DFN GridGermany CA (Root, User and Server CAs)
* Added RDIG CA (will replace the Russian DataGrid CA)
* New name space allocation for the IUCC CA: "/C=IL/O=IUCC/*"
* Added updated CESNET Root cert and renamed the old one to "CESNET-old"
  for legacy compatibility. The new CESNET CA started operating June 17th.
* RPMs are now signed (experimentally) with PGP keyID 3CDBBC71. This key,
  the "EUGridPMA Distribution Signing Key 3", can be obtained from the
  popular PGP key servers, where it has been signed by the current Chair,
  David Groep. It can also be downloaded from the web distribution site:
  GPG-KEY-EUGridPMA-RPM-3
For those using an RPM-based Linux distribution, a "meta-RPM" is available
from the repository, ca_policy_eugridpma-0.30-1.noarch.rpm, that contains
dependencies on the RPMs of all accredited CAs. The repository is
suitable for "yum" based automatic updates.
This is the first RPM distribution that will (on an experimental basis)
use GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to
the public key servers, along with my signature as the EUGridPMA
Chair (keyID 6F298418). The key is also contained in the repository.
The next release of the CA RPMs is to be expected around August 2005,
(of course barring special circumstances). The format of those new releases
is currently under consideration. If you want to contribute to the
discussion or to suggest improvements to have it better suit your needs,
please contact the PMA at <info(a)eugridpma.org>. There will be a common
distribution format across the entire IGTF (i.e. all three PMAs).
=========================================================================
2. The International Grid Trust Federation Developments
=========================================================================
Over the last year significant progress has been made in building
consensus on common trust mechanisms both in Europe, the Asia-Pacific
Region and in the Americas. As early as 2002, during GGF7, the "Tokyo
Accord" set the direction to move towards a common, global, trust fabric
that will enable relying parties to easily evaluate certification
authorities by using common guidelines.
There are now three "regional" PMAs. Apart from the EUGridPMA, there
is one in the Asia-Pacific region (www.apgridpma.org) and at GGF14
the Americas Grid PMA (www.tagpma.org) was formally established.
All three PMAs have agreed to use a common set of "authentication
profiles" to which authorities will be accredited. This also means
that all accredited CAs, regardless of their location in the world
and regardless of the accrediting PMA, meet or exceed the same
set of minimum requirements. You, as relying parties, will then
be able to more effectively assess CAs worldwide, and incorporate
these efficiently in your trust infrastructure.
The current EUGridPMA Minimum Requirements will constitute the first
authentication profile, that of "Classic X.509 CAs with secured
infrastructure" (shortname "classic").
The foundation of the IGTF is foreseen for the very near future. The
EUGridPMA will keep you informed about further developments in this area.
For more information, please see the IGTF web site:
http://www.gridpma.org/
=========================================================================
3. Overview of changes for member authorities
=========================================================================
The following CP/CPS changes were approved by the EUGridPMA. The
modifications of the policy documents by the authorities below comply
with the minimum requirements and have been reviewed by the PMA.
They are listed below for informational purposes to our relying parties:
* New authorities accredited under the "classic" profile include
  the DFN (Deutsches Forschungsnetz) Grid-PKI, the IHEP (China) CA, and
  the Russian Data Intensive Grid CA (which will replace the Russian
  DataGrid CA).
* UK e-Science CA
  A new CP/CPS took effect on May 15th.
  It does not affect procedures except to tighten them. The
  current practice is described in more detail.
  See http://www.grid-support.ac.uk/ca/ for the new version.
* Grid-FR
  The emailAddress name component has been removed from all
  certificate subject names.
* GermanGrid CA (GridKA-CA)
  New policy version 1.2 clarifies wording, especially in section
  3.1.9 Authentication of Individual Identity.
* CESNET
  The CESNET CA is switching both the software and the hardware
  (HSM based) which means that the procedures are going to change
  rather fundamentally (that's why the major version number was
  changed).
  More information on the CESNET CA web site http://www.cesnet.cz/pki/
=========================================================================