-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear CAs, Relying Parties, Users, and all others interested,
After the release of distribution 1.1, I have received a number of valuable
suggestions to improve the distribution format, in particular for the
tar-based installation bundle. Also, the meta-RPM contained a typo that
prevented the (discontinued) ca_CNRS-DataGrid from being obsoleted correctly.
Therefore, a new release (R2) of this version 1.1 has been made
available, containing these changes:
  Changes from 1.1 R1 to 1.1 R2
  -----------------------------
  (22 Feb 2006)
  NOTE: THERE ARE NO CHANGES TO THE CONTENT IN THIS SUB-RELEASE
  * Corrected typo in the obsoletion of the old ca_CNRS-DataGrid
  * Improved understandability of the igtf-policy-installation-bundle
The igtf-policy-installation-bundle-1.1.tar.gz now contains a README.txt
file with more detailed instructions and a clearer internal structure.
Comments are of course always welcome.
Regards,
David Groep.
=========================================================================
Next Release
=========================================================================
The next release of the CA RPMs is to be expected around mid-March 2006,
(of course barring special circumstances).
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. There will be a common distribution format across
the entire IGTF (i.e. all three PMAs).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFD/DbLcnpzXG8phBgRAoK/AJ9GpTAFoE7f3CJXYaZ+Uy/qy1ofHQCeJrJJ
SUMUn3QIQC/Hgm76IQYTBUc=
=PA5G
-----END PGP SIGNATURE-----
From: David Groep <info(a)eugridpma.org>
Date: Mon, 20 Feb 2005 15:00:00 +0100
Subject: EUGridPMA (IGTF) CA distribution 1.1 and updates
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Release frequency increase
2. New distribution 1.1 available with new authorities
3. Distribution changes and improved deployability
4. Namespace constraints policies
5. Informational services experiments from the EUGridPMA
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Release frequency increase
=========================================================================
On the request of the relying parties expressed in the IGTF and CA-OPS
meetings during GGF16 in Athens, Greece, there will be more frequent
releases of the IGTF distribution. In this way, changes such as
CRL location changes, and newly accredited CAs, will be available to
relying parties faster.
In the new scheme, the maximum delay for a new distribution will be
two (2) weeks after all technical information has been made available.
The time to deployment of any such regular update release is left to
the discretion of the relying parties.
Specific security updates will be released more frequently as necessary,
and should preferably be implemented as soon as possible. Such security
updates will be clearly marked as such.
=========================================================================
2. New distribution (1.1) with new authorities
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.1,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/1.1/
or
https://www.eugridpma.org/distribution/igtf/current/
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
New Authorities:
  APAC         Australian Partnership for Advanced Computing
  KEK          High Energy Accelerator Research Organization (Japan)
  NAREGI       National Research Grid Initiative (Japan)
  pkIRISGrid   IRISGrid PKI (RedIRIS, Spain)
Modified:
  GridCanada   added new root certificate
  SWITCH       new Personal and Server CA certificates
  SWITCH-CA2   new CA hierarchy based off the SwissSign Silver Root
Discontinued:
  Datagrid-FR  no longer contains valid end-entity certs
  CyGrid-old   expired and replaced by "CyGrid"
This release also contains various updates and corrections to the CRL
download locations and the CA contact information.
A detailed summary of changes can be found in the distribution.
Notice on directory structure
-----------------------------
*** *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.0-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.1" and release "1".
=========================================================================
3. Distribution changes and improved deployability
=========================================================================
We warmly welcome your comments and suggestions to improve deployability
of the CA distribution. Based on some suggestions received, some changes
have been implemented in this release.
The distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
In this release, we add several new components.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.1.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.1.tar.gz
igtf-preinstalled-bundle-slcs-1.1.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA and a combined
"igtf-policy-accredited-classic-1.1.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
and also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
=========================================================================
4. Namespace constraints policies
=========================================================================
The assertions by the IGTF on the compliance of the authorities
only extend within the namespaces as accredited by the PMAs. This
ensures that any certificate subject name corresponds to one and
only one entity, and allows you to rely on this subject name
for subsequent decisions. This uniqueness applies only
*within the namespace constraints* set by the PMAs.
For this reason, the distribution has, since its conception, contained
a set of "signing_policy" files that specify exactly what subject
names of each CA are subject to the IGTF assertions.
On request of several middleware development projects, this very same
set of namespace constraints is now also specified in a new format in
a separate ".namespaces" file.
There is no difference in content between these two files, but the
format and interpreting semantics are different.
For information regarding the new ".namespaces" file, please see
http://www.eugridpma.org/documentation/
In the future, this format may yet again be extended or replaced by
another format, as discussions within the Global Grid Forum continue.
Your participation, via the CA-OPS Working Group, is of course welcome.
=========================================================================
5. Informational Services from the EUGridPMA
=========================================================================
To better service the community, contact information of the members
is made available from the EUGridPMA web site. Look under "membership"
and find the web site and a link to the Policy and Practice Statements.
Experimentally, the following services are also available:
* a "subject locator" - given a DN, find out which Authority manages
that namespace:
http://www.eugridpma.org/showca.php
* Status News - short notices by the PMA that do not warrant issuing
a newsletter because of their transient nature.
http://www.eugridpma.org/statusnews/
In the near future, this system will be enhanced with a more detailed
monitoring page that contains notices posted by the member authorities,
such as scheduled web site maintenance. This service will be kindly
provided by SiGNET.
=========================================================================
Next Release
=========================================================================
The next release of the CA RPMs is to be expected around mid-March 2006,
(of course barring special circumstances).
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. There will be a common distribution format across
the entire IGTF (i.e. all three PMAs).
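The namespace-constraint check described in section 4 and the "subject locator" of section 5 above, as an added example that is not part of the announcement or of the EUGridPMA distribution. It assumes the signing_policy files follow the Globus Toolkit syntax (access_id_CA / pos_rights / cond_subjects, with "*" as the only wildcard) and that the ".namespaces" file consists of 'TO Issuer "..." PERMIT Subject "..."' lines whose subject pattern is a regular expression matched against the whole DN; the CA name, the two sample policy files and the test DNs are constructed, not accredited authorities, and DENY rules of the ".namespaces" format are not handled. A relying party would use issuer_may_sign() at certificate-validation time to reject an accredited CA that issued a certificate outside its accredited namespace, which is exactly the uniqueness guarantee the announcement says the IGTF assertions are limited to.

```python
"""Namespace-constraint check and subject locator for IGTF-style policy files."""
import re
import shlex
from typing import Dict, List

# Constructed samples; the issuer is invented and not an accredited authority.
# Assumption: signing_policy uses the Globus Toolkit syntax.
SAMPLE_SIGNING_POLICY = """\
# constructed example signing_policy (not a real CA)
access_id_CA      X509         '/C=XX/O=Example Grid/CN=Example Grid CA'
pos_rights        globus       CA:sign
cond_subjects     globus       '"/C=XX/O=Example Grid/*" "/O=examplegrid/*"'
"""

# Assumption: the .namespaces file uses "TO Issuer ... PERMIT Subject ..." lines.
SAMPLE_NAMESPACES = """\
#NAMESPACES-VERSION: 1.0
# constructed example .namespaces file (not a real CA)
TO Issuer "/C=XX/O=Example Grid/CN=Example Grid CA" PERMIT Subject "/C=XX/O=Example Grid/.*"
TO Issuer "/C=XX/O=Example Grid/CN=Example Grid CA" PERMIT Subject "/O=examplegrid/.*"
"""

Policies = Dict[str, List[re.Pattern]]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a signing_policy glob ('*' = any run of characters) into an anchored regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def parse_signing_policy(text: str) -> Policies:
    """Map each issuer DN in a signing_policy file to its permitted subject patterns."""
    policies: Policies = {}
    issuer = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the single-quoted DN and pattern list
        if tokens[0] == "access_id_CA" and len(tokens) >= 3:
            issuer = tokens[2]
            policies.setdefault(issuer, [])
        elif tokens[0] == "cond_subjects" and issuer is not None and len(tokens) >= 3:
            # the quoted list holds one double-quoted glob per permitted subtree
            for glob in shlex.split(tokens[2]):
                policies[issuer].append(glob_to_regex(glob))
    return policies


NAMESPACES_LINE = re.compile(r'^TO\s+Issuer\s+"([^"]*)"\s+PERMIT\s+Subject\s+"([^"]*)"$')


def parse_namespaces(text: str) -> Policies:
    """Map each issuer DN in a .namespaces file to its permitted subject regexes."""
    policies: Policies = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NAMESPACES_LINE.match(line)
        if m is None:
            raise ValueError(f"unsupported .namespaces line: {line!r}")
        issuer, subject_re = m.groups()
        # assumption: the subject pattern is a regex matched against the whole DN
        policies.setdefault(issuer, []).append(re.compile("^" + subject_re + "$"))
    return policies


def issuer_may_sign(policies: Policies, issuer: str, subject: str) -> bool:
    """Relying-party check: is this subject inside the namespace accredited for this issuer?"""
    return any(p.match(subject) for p in policies.get(issuer, []))


def locate_issuers(policies: Policies, subject: str) -> List[str]:
    """Subject locator: which issuers have an accredited namespace covering this DN?"""
    return sorted(i for i in policies if issuer_may_sign(policies, i, subject))


if __name__ == "__main__":
    signing = parse_signing_policy(SAMPLE_SIGNING_POLICY)
    namespaces = parse_namespaces(SAMPLE_NAMESPACES)
    for dn in ("/C=XX/O=Example Grid/OU=People/CN=Alice", "/C=YY/O=Other Grid/CN=Bob"):
        print(dn, "->", locate_issuers(signing, dn), locate_issuers(namespaces, dn))
```

Both parsers produce the same mapping from issuer to permitted subject patterns, so the two sample files give identical answers, matching the announcement's statement that the files differ in format and interpreting semantics but not in content. An issuer absent from the policy set is never permitted to sign anything, which is the safe default for a CA that is in a trust directory but has no namespace file.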