eugridpma-announce May 2008

eugridpma-announce@nikhef.nl

1 participants
2 discussions

Report on the Debian OpenSSL vulnerability on the IGTF Trust Fabric
by David Groep 24 May '08

24 May '08

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the EUGridPMA: 1. Impact of the Debian OpenSSL vulnerability on the IGTF ========================================================================= 1. Impact of the Debian OpenSSL vulnerability on the IGTF ========================================================================= A serious Debian (and derivatives, including Ubuntu) OpenSSL vulnerability (CVE-2008-0166) was announced on May 13th, related to a predictable random number generator in Debian's OpenSSL package: http://www.debian.org/security/2008/dsa-1571 This can also affect public key certificates used within the IGTF and the Grid in general, if certificate requests have been generated on a vulnerable system. It can impact both the CA itself (if its own key pair was generated on such a system, as well as all subscribers (users, hosts and services). The IGTF Accredited Authorities, with support from security officers from several grid sites and our Relying Party members, have investigated the impact of CVE-2008-0166 on the entire IGTF trust fabric. - one CA certificate was based on weak material. This certificate was immediately replaced and an updated IGTF Distribution (1.21) was released on May 16th. More details are in the May 16th newsletter at https://www.eugridpma.org/newsletter/eugridpma-newsletter-20080516.txt If you have not yet installed the 1.21 release, please do so as soon as reasonably possible. If you have the old UK e-Science root certificate installed in your browser, you should update this one as well. - all Accredited CAs have reviewed the currently valid certificates for all subscribers since May 13th. Certificates based on weak key material have all been revoked by now. To ensure your trust infrastructure is safe, please make sure you have downloaded the latest CRLs, and keep these up-to-date at least once a day. Utilities for Unix based systems are available on the IGTF web site (https://dist.eugridpma.info/distribution/util/) Modern browsers can automatically download new CRLs periodically. If you have CRLs installed in your browser, make sure these are also up-to-date. At this point in time, there is no reason to disable any specific CAs from the IGTF Trust Anchor distribution in relation to this vulnerability. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ Next Release ------------ The next release of the CA RPMs is to be expected in June 2008. -- David Groep ** National Institute for Nuclear and High Energy Physics, PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Important update to the IGTF distribution - version 1.21 available
by David Groep 16 May '08

16 May '08

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the EUGridPMA: 1. Important IGTF distribution version 1.21 available with updated trust anchor ========================================================================= 1. Important IGTF distribution version 1.21 available ========================================================================= The UKeScience Root Certificate ("2007") is involved with CVE-2008-0166 and may have been based on weak key material generated on an (off-line) Debian system with a predictable random number generator. It is important that this root certificate be REPLACED with an updated version based on newly generated key material. A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the updated key material and Authorities by all IGTF Members. This is version 1.21, release 1, and it is now available for download from the Repository at https://dist.eugridpma.info/distribution/igtf/current/ and will soon be available on all mirrors. Changes from 1.20 to 1.21 ------------------------- (16 May 2008) * IMPORTANT update of the UKeScience Root and Issuing CAs (UK) Note that the subject names and file names of the new certificates are *the same* as the original ones, only the key material has changed! The issue affects the root certificate only. As in a standard IGTF trust anchor installation, the subordinate issuing CA is also installed in the repository and this certificate is taken preferentially over any user-supplied version, the impact of this issue is somewhat limited. For software that honours the "signing_policy" or "namespaces" relying-party defined name space constraints setting, no end-entity certificates can easily be impersonated. However, we strongly advise to update as soon as possible! For technical reasons, both the root and issuing CA certificate need to be replaced, although only the root certificate is affected by the vulnerability. Good fingerprints of the updated certificates are: $ openssl x509 -subject -fingerprint -sha1 -noout -in 98ef0ee5.0 subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root SHA1 = A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E $ openssl x509 -subject -fingerprint -sha1 -noout -in 367b75c3.0 subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA SHA1 = CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7 whereas the weak certificates are: subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root SHA1 = B1:77:5E:BB:11:13:B4:B5:0E:40:57:F1:E0:6A:BE:B9:4E:44:B7:45 subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA SHA1 = 31:C1:93:3D:E8:9C:C4:B7:8A:02:B5:2D:56:D5:6B:43:56:0B:9F:CA If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the CA RPMs is to be expected in July 2008. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-1.20-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number "1.20" and release "1". Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-1.20.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-1.20.tar.gz igtf-preinstalled-bundle-slcs-1.20.tar.gz igtf-preinstalled-bundle-mics-1.20.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-1.18.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs).

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

eugridpma-announce May 2008