Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Authentication Profile "Member Integrated Credential Services"
(MICS) introduced
2. New IGTF distribution version 1.16 available with many changes
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Authentication Profile "Member Integrated Credential Services"
(MICS) introduced
=========================================================================
The International Grid Trust Federation has approved a new Authentication
Profile against which issuing authorities will be accredited. A MICS is
an automated system to issue X.509 formatted identity assertions based on
pre-existing identity data maintained by a federation or large
organization – the end-entity certificate is thus based on a membership
or authentication system maintained by the organization or federation.
The goal is to leverage any existing, well-established identity
management system to generate X.509 certificates fully compatible with
those issued under the Classic Authentication Profile.
More information regarding this Profile, as well as the fulltext of the
document, can be obtained from the web at
http://www.tagpma.org/files/Final_MICS_Profile_MXCity.pdf
and at the EUGridPMA and TAGPMA web sites, specifically
http://www.tagpma.org/authn_profiles
=========================================================================
2. New IGTF distribution version 1.16 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.16,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.15 to 1.16
-------------------------
(8 August 2007)
* A new profile for Member-Integrated Credential Services (MICS) has
been defined by the IGTF. A policy installation bundle for authorities
accredited under the MICS profile has been added to the distribution.
Please refer to the IGTF web site at http://www.gridpma.org/ for a
description of the MICS profile.
* Corrected namespaces for APAC CA (AU)
* Added REUNA CA as a classic CA (CL)
* Added NCSA-MICS and NCSA-SLCS CAs (US)
* Added Ecole polytechnique federale de Lausanne to SWITCH namespace (CH)
* Added new KISTI (2007) classic CA (KR)
* Added Latin American and Caribbean Catch-all Grid CA (TAGPMA)
* Obsoleted expired UKeScience (01621954) Root CA (GB)
* Obsoleted expired HellasGrid-old (efe78092) Root CA (GR)
* some new roots added to the worthless area (these are not accredited CAs!)
This release re-introduces a new KISTI CA (Korea), based on new procedures
and a new root certificate and keypair. For clarity, the brief name of the
CA has been changed to "KISTI-2007". This CA replaces the old KISTI CA that
was withdrawn in the 1.10 release.
The new NCSA-MICS CA has been accredited under the new MICS Profile. To
install this CA via a policy bundle, you MUST install the new policy
bundle "ca_policy_igtf-mics" manually, or specify --with-profile=mics
explicitly in your build commands. A simple upgrade of the existing
profile set ("classic" and "slcs") will NOT trigger the installation of
the new MICS bundle and the NCSA-MICS CA.
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in September 2007.
=========================================================================
Please remember new location of distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
with deep-redirection provided from the old download location.
The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key "3" (see details at the end of this
newsletter).
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.16-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.16" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.16.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.16.tar.gz
igtf-preinstalled-bundle-slcs-1.16.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.16.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
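The two things this section and the "new location" notice above ask of a site administrator are that the [eugridpma] stanza points at dist.eugridpma.info and that gpgcheck=1 is set. The following POSIX sh function is an added example (not part of the original newsletter or the EUGridPMA distribution) that audits a yum configuration file for exactly those two conditions; it assumes the stanza is named "[eugridpma]" as shown above.

```shell
#!/bin/sh
# Audit a yum configuration for the [eugridpma] stanza: the section must
# exist, baseurl must use the dist.eugridpma.info host, and gpgcheck must
# be 1 so that the RPM signatures (key ID 3CDBBC71) are verified on
# automatic updates. Returns 0 when all hold, 1 otherwise, printing why.
# usage: audit_eugridpma_repo /etc/yum.conf
audit_eugridpma_repo() {
    conf="$1"
    # awk keeps only key=value lines that belong to the [eugridpma] section
    stanza=$(awk '
        /^\[/        { insec = ($0 == "[eugridpma]"); next }
        insec && /=/ { print }
    ' "$conf")
    if [ -z "$stanza" ]; then
        echo "no [eugridpma] section in $conf"
        return 1
    fi
    baseurl=$(printf '%s\n' "$stanza" \
        | sed -n 's/^[[:space:]]*baseurl[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    gpgcheck=$(printf '%s\n' "$stanza" \
        | sed -n 's/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    rc=0
    case "$baseurl" in
        http://dist.eugridpma.info/*|https://dist.eugridpma.info/*) ;;
        *) echo "baseurl is not the dist.eugridpma.info location: '$baseurl'"; rc=1 ;;
    esac
    if [ "$gpgcheck" != "1" ]; then
        echo "gpgcheck is '${gpgcheck:-unset}', must be 1 to verify RPM signatures"
        rc=1
    fi
    return $rc
}
```

Note that a gpgcheck=1 in some other stanza of the same file does not count; only the value inside [eugridpma] is considered.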
RPM GPG signing
---------------
As before, this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).