From: David Groep <info(a)eugridpma.org>
Date: Tue, 20 May 2006 12:00:00 +0200
Subject: New version of "fetch-crl" available and selected CRL issues
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Clock skew problem with HellasGrid and SEE-GRID CAs resolved
2. Fetch-CRL utility updated to deal with CRLs issued in the future
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Clock skew problem with HellasGrid and SEE-GRID CAs resolved
=========================================================================
The following information is provided courtesy of the HellasGrid
and SEE-GRID-Catch-all Authorities:
A problem came to our attention regarding all the CRLs issued by
both HellasGrid and SEE-GRID CA starting from 5/5/2006.
For an unknown reason there was a clock skew of the computer running
the CA off-line services which resulted in setting the clock 23 days
forward in the future. [...] The result was that CRLs were issued and
published with the last update field having the date 28 May.
We have generated a new CRL with the current date that will fix the
problem [..], but a new [...] problem has been introduced. The
[previous version of] edg-fetch-crl, used by many Grid sites, performs
a check on the value of the last update field and refuses to download a
CRL that has a date older than the currently installed CRL (logging an
error via syslog).
This problem has been resolved as of May 19th, 11:26 hrs GMT.
In order for this new CRL to be correctly processed by the fetch-crl
utility, which is provided as a service by (amongst others) the EUGridPMA,
relying parties that use this version of fetch-crl should upgrade to the
latest version. Unless you upgrade to the new version of fetch-crl, the new,
correct, CRLs for the HellasGrid and SEE-GRID CAs will NOT be retrieved.
Please see section 2 of this announcement for details.
[thanks to Christos Kanellopoulos for the analysis of this issue]
=========================================================================
2. Fetch-CRL utility updated to deal with CRLs issued in the future
=========================================================================
As a courtesy service to the community, the EUGridPMA provides the
"fetch-crl" utility - originally developed by Fabio Hernandez, CC-IN2P3 -
to periodically retrieve CRLs from the web sites of the certification
authorities.
This utility is extremely careful in not replacing CRLs that already
exist locally by ones that are downloaded from the web. Versions up to and
including EGP-2.5.1 are slightly too careful, and will also refuse to
install a newly downloaded correct CRL if the currently installed one
has an issuance date in the future. Thus, versions <= EGP-2.5.1 cannot be
used to retrieve the corrected CRLs issued by the HellasGrid and SEE-GRID
CAs on May 19th.
A new version of fetch-crl (EGP-2.6.0) that corrects this issue, as well as
adding a non-suppressable warning about newly-downloaded but not-yet-valid
CRLs, is now available from the EUGridPMA web site at:
http://www.eugridpma.org/distribution/util/fetch-crl/
in RedHat Package Management (RPM) and gzipped-tarball format.
Changes in version EGP 2.6
--------------------------
(2006.05.20)
* if the current local CRL has a lastUpdate time in the future, and the
newly downloaded CRL is older than the current one, allow the
installation of the newly downloaded CRL and issue a warning.
* added non-suppressable warning in case the newly downloaded CRL has a
lastUpdate time in the future, but install that CRL anyway (as the local
clock might have been wrong).
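The CRL replacement policy described in sections 1 and 2, before and after the EGP 2.6 change, as an added illustration that is not part of this announcement and not fetch-crl's own code. It models only the lastUpdate comparison the text describes (no CRL parsing or signature checking), and the names CrlInfo, decide_egp25, decide_egp26 and replay_incident, as well as the timeline values, are constructed for this example from the dates given above:

```python
"""Model of the fetch-crl CRL replacement policy before and after EGP 2.6.0.

Constructed illustration of the behaviour described in the announcement; it is
not fetch-crl's own code. CrlInfo, decide_egp25, decide_egp26 and the scenario
helpers are hypothetical names chosen for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class CrlInfo:
    """The two CRL fields this policy looks at."""
    issuer: str
    last_update: datetime   # the CRL's lastUpdate (a.k.a. thisUpdate) field


@dataclass
class Decision:
    install: bool
    reason: str
    warnings: List[str] = field(default_factory=list)


def utc(year, month, day, hour=0, minute=0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def decide_egp25(local: Optional[CrlInfo], downloaded: CrlInfo, now: datetime) -> Decision:
    """Policy of versions up to and including EGP-2.5.1 as described above:
    never replace the installed CRL with one whose lastUpdate is older,
    even when the installed CRL is itself dated in the future."""
    if local is not None and downloaded.last_update < local.last_update:
        return Decision(False, "downloaded CRL is older than the installed CRL")
    return Decision(True, "downloaded CRL is newer (or no CRL installed yet)")


def decide_egp26(local: Optional[CrlInfo], downloaded: CrlInfo, now: datetime) -> Decision:
    """Policy of EGP-2.6.0 per the changelog: as before, except that a
    future-dated installed CRL may be replaced by an older download (with a
    warning), and a future-dated download is installed with a warning that
    cannot be suppressed, because the local clock may be the one that is wrong."""
    warnings: List[str] = []
    if downloaded.last_update > now:
        warnings.append(
            f"WARNING: CRL for {downloaded.issuer} has lastUpdate "
            f"{downloaded.last_update:%Y-%m-%d %H:%M} UTC, which is in the future; "
            "installing anyway (check the local clock)")
    if local is not None and downloaded.last_update < local.last_update:
        if local.last_update > now:
            warnings.append(
                f"WARNING: installed CRL for {local.issuer} is dated in the future "
                f"({local.last_update:%Y-%m-%d}); replacing it with the older download")
            return Decision(True, "installed CRL is future-dated; accepting the older download", warnings)
        return Decision(False, "downloaded CRL is older than the installed CRL", warnings)
    return Decision(True, "downloaded CRL is newer (or no CRL installed yet)", warnings)


# Constructed timeline of the HellasGrid/SEE-GRID incident described above:
# the CA clock was 23 days fast, so the CRL issued on 5 May carried lastUpdate
# 28 May; the corrected CRL was issued on 19 May at 11:26 GMT.
SKEWED_CRL = CrlInfo("HellasGrid CA", utc(2006, 5, 28))
CORRECTED_CRL = CrlInfo("HellasGrid CA", utc(2006, 5, 19, 11, 26))
OLDER_CRL = CrlInfo("HellasGrid CA", utc(2006, 5, 1))


def replay_incident():
    """Run both policies over the two moments of the incident."""
    fetch_on_5_may = utc(2006, 5, 5, 12, 0)    # skewed CRL first downloaded
    fetch_on_19_may = utc(2006, 5, 19, 12, 0)  # corrected CRL published
    return {
        # 5 May: 2.5.1 installs the future-dated CRL silently, 2.6.0 warns
        "skewed_egp25": decide_egp25(OLDER_CRL, SKEWED_CRL, fetch_on_5_may),
        "skewed_egp26": decide_egp26(OLDER_CRL, SKEWED_CRL, fetch_on_5_may),
        # 19 May: 2.5.1 refuses the corrected CRL, 2.6.0 installs it with a warning
        "fix_egp25": decide_egp25(SKEWED_CRL, CORRECTED_CRL, fetch_on_19_may),
        "fix_egp26": decide_egp26(SKEWED_CRL, CORRECTED_CRL, fetch_on_19_may),
        # ordinary rollback attempt: 2.6.0 still refuses an older CRL
        "rollback_egp26": decide_egp26(CORRECTED_CRL, OLDER_CRL, fetch_on_19_may),
    }


if __name__ == "__main__":
    for name, d in replay_incident().items():
        print(f"{name:15s} install={d.install!s:5s} {d.reason}")
        for w in d.warnings:
            print("   ", w)
```

The "rollback" case shows why the relaxation is narrow: a downloaded CRL that is older than a correctly dated installed one is still refused, so a site cannot be pushed back to a stale revocation list; only an installed CRL that claims to come from the future is allowed to be replaced.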
Installations that use YUM package management can add
http://www.eugridpma.org/distribution/util/
to their yum.conf file and upgrade in that way.
=========================================================================
Additional Information
=========================================================================
Notice:
The next release of the IGTF Accredited Authority distribution is
expected in early June, 2006.
From: David Groep <info(a)eugridpma.org>
Date: Tue, 15 May 2006 10:00:00 +0200
Subject: IGTF (EUGridPMA) CA distribution 1.4 and updates
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New distribution 1.4 available
with updated NorduGrid root certificate
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New distribution (1.4) with new NorduGrid root certificate
=========================================================================
** Important Notice:
This release 1.4 is the first release after version 1.2. There is not
and will not be a version 1.3 of the IGTF Release. Please see the
detailed CHANGES file in the distribution for details.
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.4,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/1.4/
or
https://www.eugridpma.org/distribution/igtf/current/
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Modified accredited CAs:
NorduGrid Updated root trust anchor with extended lifetime.
A detailed summary of changes can be found in the distribution.
Notice on directory structure
-----------------------------
*** *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.4-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.4" and release "1".
=========================================================================
Distribution information
=========================================================================
We warmly welcome your comments and suggestions to improve deployability
of the CA distribution.
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authorities, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.2.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.4.tar.gz
igtf-preinstalled-bundle-slcs-1.4.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.4.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
and also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
=========================================================================
Next Release
=========================================================================
The next release of the CA RPMs is to be expected in May 2006, (of course
barring special circumstances).
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. There will be a common distribution format across
the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **