Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New important IGTF distribution version 1.18 available
2. Update on the UK e-Science CA
3. JKS keystore format change delayed
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.18 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.16,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.17 to 1.18
-------------------------
* ASGCCCA-2007 added to Accredited Classic set again (TW)
* Withdrawn expired CA "Spain" (hash 13eab55e) (ES)
* Withdrawn expired CA "SiGNET" (hash 747183a5) (SI)
* Withdrawn discontinued CA "CERN" (hash fa3af1d7) (INT)
* Updated SWITCH (classic) signing namespace policies (CH)
* Added UNLPGrid CA (classic, hash b7bcb7b2) (AR)
* Added MaGrid CA (classic, hash 7b54708e) (MA)
* New contact email address for the SlovakGrid CA (SK)
* New UK e-Science CA hierarchy "-2007" added (98ef0ee5 and 367b75c3)
Note: during the transition period, two hierarchies (both old and "2007")
will be distributed. See section 2 in this newsletter for details (UK)
* (selected updates to repositories containing un-accredited CAs)
You are kindly requested to upgrade to this release in a timely fashion,
as the UK eScience hierarchy change goes into effect immediately.
If you part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in January 2008.
=====================================================================
Please remember new location of distribution "dist.eugridpma.info"
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=====================================================================
=========================================================================
2. Update on the UK e-Science CA
=========================================================================
During a routine audit of the UK e-Science PKI it was found that an
encrypted backup of the Root CA's private key was missing from the
secured environment, despite being locked in a safe when not in use.
It is important to emphasise that the security of the UK e-Science CA
- the accredited subordinate - was not affected; it has an entirely
different security infrastructure.
This could have happened for a number of reasons, not necessarily
maliciously. Investigations were not conclusive. However, even if
the key had been leaked from the secured environment, it was encrypted
with an extremely strong passphrase and will not be immediately
exploitable.
Since we take security very seriously, we believe the best way to
recover a fully trustworthy UK public key infrastructure (PKI) is to
be open about the possibility, however remote, of the key being
compromised.
Having done extensive testing, we have decided to rekey the PKI. So
this release will contain new CA certificates, which will sign all new
and rekeyed certificates. The current (old) PKI will have to be kept
in the distribution until all end entity certificates issued within it
have expired or otherwise moved to the new PKI.
Since the private key was encrypted with an extremely strong
passphrase, it is considered safe to keep the root certificate in the
distribution for up to another year, the natural lifetime of remaining
certificates in the PKI. Even a resourceful and malicious attacker
should not be able to break the passphrase within this timespan.
However, to speed up the process, we are considering and investigating
renewing existing certificates under the new PKI (but still as normal
certificates with a 13 months lifetime) - although this is poorly
supported by most client tools. It is of course technically possible
to force users to rekey, but this is highly inconvenient with a
userbase of this size, and is not considered necessary at this time.
In either case, since we are limited to 13 months lifetime, and do not
plan to issue shorter lifetime certificates at this time, renewals or
rekeying would have to be distributed over several months to prevent
concentration of all subsequent renewals within a short space of time.
There will be an associated update to the CP/CPS of the CAs to cover
the new PKI. In accordance with the policy, it is considered a
security update so they will take effect immediately. Other issues
planned for new CP/CPS releases will be postponed to allow time for
the usual consultation.
Jens Jensen, UK e-Science CA Manager
IGTF Notice:
This issue has been communicated to the IGTF previously and assessed
to pose an extremely low risk. The reaction of the UK e-Science CA and
the response has been coordinated. We thank our Relying Parties for
their understanding. Detailed questions, if any, should be sent to
the UK e-Science CA.
=========================================================================
3. JKS keystore format change delayed
=========================================================================
After the announcement of the planned JKS format change, worry
was expressed as to the compatibility with software that is still
being deployed. The change to a new JKS format with larget key
sized has therefore been put on a temporary hold.
This also allows relying parties to apply this important update
release without the need to simultaneously change the software.
The Java KeyStores distributed by the EUGridPMA has so far been
compatible with Java release 1.4 and earlier. Unfortunately, this implied
that keys with a size larger than 2048 bits could not be included.
The format of the keystore will change so as to be able to include the
larget CA keys that are now becoming prevalent in the Distribution. This
means that for the larger key sizes the JKS format will no longer be
compatible with Java releases 1.4 and lower. A more recent Java
installation will be required to use the new keystore format.
The new keystore format will be introduced in a future release, and
then contain all CA keys in the IGTF Distribution.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.18-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.18" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authorities, as well as meta-RPMs that depends on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.18.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic", "mics", and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.18.tar.gz
igtf-preinstalled-bundle-slcs-1.18.tar.gz
igtf-preinstalled-bundle-mics-1.18.tar.gz
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
These is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.18.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is be a common distribution format
across the entire IGTF (i.e. all three PMAs).
