Hi David, all,
David Bannon wrote:
> Hmm, as in the past, the new bundle appears to contain sites whose CRLs
> are not available as indicated. This release seems to have added one
> more, ba2f39ca.r0
That one was already in the list :-)

Anyway, the following CAs are involved:

617ff41b: alias = KEK
  this one serves it from https, but it is available. If one uses
  for example a recent version of "fetch-crl" (v2.5.1+), with the
  appropriate "-n" option, it will be downloaded correctly.

b38b4d8c: alias = Globus-CA-service
  This CA is NOT part of the accredited fabric, and is not in the
  accredited/ directory either (but in "Worthless", with some
  disclaimers).

ba2f39ca: alias = IHEP
  Also uses https, as discussed.

e1fce4e9: alias = FNAL_KCA
  This is a non-accredited experimental kCA, which, being a SLCS, will
  never issue CRLs (since that does not make sense for a SLCS). The
  .info file does not contain a crl_url and there is no .crl_url
  file in the distribution either -- so no download attempts should
  be made.

There was a problem yesterday that the CRL for the new UKeScience off-line
Root was not available. Since then, the appropriate number of people have gotten
together so that a quorum was present to generate the CRL (2 out of 3 is
needed). I've seen no errors since this morning for UKeScience.
>
>
>>617ff41b.r0
>>b38b4d8c.r0
>>ba2f39ca.r0
>>e1fce4e9.r0
>
>
> From one point of view, all this means is that we are adding more
> entries in our error logs but I suggest it's more important than that. Do
> others agree?
As far as the https:// CRLs are concerned, it would help quite a lot
to change over to plain http, if only to reduce the general confusion
out there in the wild ;-)
Hope this helps a bit,
Cheers,
DavidG.
>
> David
>
>
>
>
> On Mon, 2006-07-24 at 14:13 +0200, David Groep wrote:
>
>>Dear CAs, Relying Parties, Users, and all others interested,
>>
>>In this announcement of the EUGridPMA:
>>
>> 1. New IGTF distribution version 1.7 available
>>
>>We hope that you find this update useful and welcome any comments you
>>may have. Also, feel free to redistribute this information widely as
>>you see appropriate.
>>
>> Regards,
>> David Groep
>>
>>For more information about this newsletter and the mailing list,
>>please refer to the EUGridPMA web site at https://www.eugridpma.org/
>>
>>
>>=========================================================================
>>1. New IGTF distribution version 1.7 available
>>=========================================================================
>>
>>
>>A new distribution of Accredited Authorities by the EUGridPMA, based
>>on the IGTF Common Source, is now available. It includes the newly
>>accredited Authorities by all IGTF Members. This is version 1.7,
>>release 1, and it is now available for download from the Repository at
>>
>> https://www.eugridpma.org/distribution/igtf/current/
>>or
>> https://www.eugridpma.org/distribution/igtf/1.7/
>>
>>You can download the new packages and install them at your convenience.
>>If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
>>DEISA, NAREGI or others) you may want to await your project announcement
>>before installing this release.
>>
>>Changes from 1.6 to 1.7:
>>
>> * removed CESNET-old from accredited list and obsoleted in RPM
>> distribution
>> * Added new accredited SRCE (Croatia) classic CA
>> * Added new accredited BrGrid (Brazil) classic CA
>> * New root and online CA certificates for updated UKeScience CA
>>
>>
>>A summary of changes can also be found in the distribution.
>>
>>
>>Next Release
>>------------
>>The next release of the CA RPMs is to be expected in August 2006 (of course
>>barring special circumstances).
>>
>>
>>
>>=========================================================================
>>STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
>>=========================================================================
>>
>>Notice on directory structure
>>-----------------------------
>>*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
>> USING THE ca_policy_igtf-classic-1.7-1.noarch.rpm ARE ACCREDITED
>>
>> Do *not* install certificates from the "worthless/" or "experimental/",
>> directories, except if you yourself review and accept their policy and
>> practice statement. The EUGridPMA provides these certificates in
>> this format for your convenience only, and to allow graceful changeover
>> for legacy installations.
>>
>>*** The Fermilab Kerberized CA, although not an accredited CA according
>> to the "classic" profile, has been available from the EUGridPMA
>> repository before in the "others/" directory. Due to the reorganization,
>> this authority has moved to the "experimental/" area. When the KCA has
>> been accepted by the TAGPMA, the location of this authority will change.
>>
>>*** All individual CAs packages, as well as the bundles, have the same
>> (common) version number "1.7" and release "1".
>>
>>
>>Distribution formats
>>--------------------
>>* the distribution traditionally contained a set of RPMs and tar-balls
>> per accredited authorities, as well as meta-RPMs that depend on the RPMs
>> of those accredited.
>>
>>* the "tar-bundle" that can be used to install the authorities in a
>> local trust directory using the "./configure && make install"
>> mechanism has been renamed to avoid confusion. It is called:
>> igtf-policy-installation-bundle-1.7.tar.gz
>> It has the same functionality and can still be found in the
>> "accredited/" subdirectory.
>>
>>* the accredited directory now contains two additional tar-balls that
>> contain, respectively, *all* "classic" and "slcs" accredited CAs:
>> igtf-preinstalled-bundle-classic-1.7.tar.gz
>> igtf-preinstalled-bundle-slcs-1.7.tar.gz
>> (note there are no SLCS-accredited authorities at this time)
>>
>>* those CAs whose key-length is less than 4095 bits are also
>> available in a Java KeyStore (JKS), whose password is "eugridpma".
>> There is both a JKS for each individual CA, as well as a
>> "igtf-policy-accredited-classic-1.7.jks" in the "accredited/jks/"
>> sub-directory.
>>
>>
>>APT and Yum
>>-----------
>>As always, the repository is suitable for "yum" based automatic updates,
>>by adding to the yum.conf file:
>>
>> [eugridpma]
>> name=EUGridPMA
>> baseurl=http://www.eugridpma.org/distribution/igtf/current/
>> gpgcheck=1
>>
>>Also "apt" is supported. For details, see
>> http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
>>
>>Large deployment projects are kindly requested to mirror these directories
>>in their own distribution repositories.
>>
>>
>>RPM GPG signing
>>---------------
>>Also this new RPM distribution is distributed with GPG-signed RPMs. The
>>key (ID 3CDBBC71) has been uploaded to the public key servers, along with
>>my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
>>contained in the repository. You will need this key if you enable GPG
>>checking for automatic updates in "yum" or "apt".
>>Please remember to validate this distribution against the TACAR
>>trusted repository (https://www.tacar.org/) where possible.
>>
>>
>>Suggestions
>>-----------
>>If you have suggestions or improvements for the distribution format,
>>to have it better suit your needs, please contact the PMA at
>><info(a)eugridpma.org>. Note that there is be a common distribution format
>>across the entire IGTF (i.e. all three PMAs).
>>
>>
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
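
Added example (not part of the original message, and not EUGridPMA or fetch-crl code): a triage of missing `<hash>.r0` files along the lines of the reply above, separating CAs that publish no CRL from those whose CRL is only reachable over https. It assumes `.info` files hold `key = value` lines as in `alias = KEK` and that a `.crl_url` file holds one URL per line; the URLs and the hashes `0a1b2c3d` and `1f2e3d4c` are constructed placeholders.

```python
import os
import tempfile
from urllib.parse import urlparse

def crl_urls(trust_dir, ca_hash):
    """Collect CRL URLs from <hash>.crl_url (one per line) and <hash>.info."""
    urls = []
    crl_url_file = os.path.join(trust_dir, ca_hash + ".crl_url")
    if os.path.exists(crl_url_file):
        with open(crl_url_file) as fh:
            urls += [ln.strip() for ln in fh if ln.strip()]
    info_file = os.path.join(trust_dir, ca_hash + ".info")
    if os.path.exists(info_file):
        with open(info_file) as fh:
            for ln in fh:
                key, sep, value = ln.partition("=")
                if sep and key.strip().lower() == "crl_url":
                    urls += [u for u in value.replace(";", " ").split() if u not in urls]
    return urls

def triage(trust_dir, ca_hash):
    """Explain the state of <hash>.r0 for one CA in the trust directory."""
    if os.path.exists(os.path.join(trust_dir, ca_hash + ".r0")):
        return "crl-present"
    urls = crl_urls(trust_dir, ca_hash)
    if not urls:
        return "no-crl-published"   # e.g. a SLCS: nothing to fetch, not an error
    if all(urlparse(u).scheme == "https" for u in urls):
        return "https-only"         # the fetcher must be able to retrieve https URLs
    return "fetch-failed"           # an http URL exists but no CRL is on disk

def build_sample(trust_dir):
    """Write constructed sample files; URLs are placeholders, not the CAs' real ones."""
    files = {
        "617ff41b.info": "alias = KEK\ncrl_url = https://ca.example.org/kek.crl\n",
        "e1fce4e9.info": "alias = FNAL_KCA\n",
        "0a1b2c3d.info": "alias = ExampleHttpCA\n",
        "0a1b2c3d.crl_url": "http://ca.example.net/example.crl\n",
        "1f2e3d4c.info": "alias = ExampleOkCA\ncrl_url = http://ca.example.com/ok.crl\n",
        "1f2e3d4c.r0": "constructed placeholder, not a real CRL\n",
    }
    for name, body in files.items():
        with open(os.path.join(trust_dir, name), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for h in ("617ff41b", "e1fce4e9", "0a1b2c3d", "1f2e3d4c"):
            print(h, triage(d, h))
```

Only the `fetch-failed` class points at a CRL that should be on disk and is not; `no-crl-published` entries can be excluded from error reporting.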