Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Fetch-CRL utility updated to version 2.6.1
at http://www.eugridpma.org/distribution/util/fetch-crl/
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Fetch-CRL utility updated to version 2.6.1
=========================================================================
As a courtesy service to the community, the EUGridPMA provides the
"fetch-crl" utility - originally developed by Fabio Hernandez, CC-IN2P3 -
to periodically retrieve CRLs from the web sites of the certification
authorities.
An updated release of this utility is now available, that fixes issues
related to localtime vs. UTC comparisons, and provides several new
features and usability enhancements.
Changes in version EGP 2.6.1
----------------------------
(2006.10.25)
* fixed local timezone vs UTC error in LastUpdate CRL validation comparison
* fixed time comparison is the one-hour LastUpdate/download tolerance
(both fixes thanks to Alain Roy)
* added support for directory names containing whitespace
* added support for syslog reporting (via -f option or SYSLOGFACILITY directive)
* SERVERCERTCHECK=no is now the default. It can be reset via the configuration
file, or using the "--check-server-certificate" commandline option
* the main configuration file location (formerly fixed to be
/etc/sysconfig/fetch-crl) can now be set via the variable $FETCH_CRL_SYSCONFIG
* logfile format timestamp and tag have been normalised
The new version is now available from the EUGridPMA web site at:
http://www.eugridpma.org/distribution/util/fetch-crl/
in RedHat Package Management (RPM) and gzipped-tarball format.
NOTE: the new version will by default ignore unknown web server certificates
when downloading CRLs. To revert to the "old" behaviour, use the
"--check-server-certificate" commandline option, or set SERVERCERTCHECK=yes
in the main configuration file/
Installation that use YUM package management can add
http://www.eugridpma.org/distribution/util/
to their yum.conf file and upgrade in that way.
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.10 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.10 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.10,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/current/
or
https://www.eugridpma.org/distribution/igtf/1.10/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.9 to 1.10
------------------------
(17 October 2006)
* New public web page for the BEGrid CA in metadata info file (BE)
* New contact email addresses for:
HellasGrid and SEE-GRID (GR, SEE), INFN CA (IT), Grid-Ireland (IE),
DOEGrids CA (US/DOE), ASGCCA (TW), APAC (AU)
* New CERN CA added (root and on-line CA), managed by CERN IT/IS (CERN)
* New INFN CA issue 2006 to replace current one (expiring 2007) (IT)
* Retired SWITCH-SSSR hierarchy pending replacement of the tree (CH)
* Added new organisations to the SWITCH namespace (CH)
* Removed KISTI CA (KR)
You can download the new packages and install them at your convenience.
If you part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in November 2006 (of
course barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.10-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.10" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authorities, as well as meta-RPMs that depends on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.10.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.10.tar.gz
igtf-preinstalled-bundle-slcs-1.10.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
These is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.10.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is be a common distribution format
across the entire IGTF (i.e. all three PMAs).
