eugridpma-announce January 2009

eugridpma-announce@nikhef.nl

1 participants
2 discussions

Updated IGTF distribution version 1.27 and fetch-crl 2.7.0 available
by David Groep 30 Jan '09

30 Jan '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.27 available 2. Fetch-crl utlity version 2.7.0 released ========================================================================= 1. Updated IGTF distribution version 1.27 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.27, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.26 to 1.27 ------------------------- * Corrected signing namespace for BEGrid2008 CA (BE) * Added NERSC SLCS CA (US) * ASGCCA-2007 changed signature algorithm from MD5 to SHA1 (TW) * Added new CNRS2 hierarchy: CNRS2 -> CNRS2-Projets -> CNRS2-Grid-FR (FR) * Updated IUCC root certificate (IL) * Obsoleted EstonianGrid CA (EE) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected on Monday, 2 March 2009. ========================================================================= 2. Fetch-crl utility version 2.7.0 released ========================================================================= The 'fetch-crl' utility is a utility to ensure that Certificate Revocation Lists (CRLs) are periodically retrieved from the web sites of the respective Certification Authorities, and installed on the local system in a trust anchor directory. It is intended for use with those (grid) systems that follow the OpenSSL method of trust anchor distribution. The fetch-crl utility has been updated with bug fixes and new functionality, as described in the CHANGES file below. The most important change is that this version will NOT REPORT transient download errors unless they persist for more than 24 hours. Previously, this function was enabled by the "-a" option or the CRL_AGING_THRESHOLD, but was set to 0 (zero) by default. The new version of fetch-crl can be obained from the IGTF mirror sites and at https://dist.eugridpma.info/distribution/util/fetch-crl/ where you can retrieve version 2.7.0 as well as older versions. Changes in version EGP 2.7.0 ---------------------------- * Warnings and errors are now counted. If there are errors in the download or verification process for one or more CRLs, the exit status will be 1; if there are errors in the local setup or in the script invocation, the exit status will be 2. * The installed CRLs no longer have the textual representation of the CRL, but only the PEM data blob, thus reducing IO and memory requirements. * the CRL aging threshold is now set by default to 24 hours. The previous default was 0. The CRL aging threshold is set in the config file using CRL_AGING_THRESHOLD=<xx>, or with the "-a" command-line argument. * Default network timeouts reduced to 10 seconds (was 30) and retries to 2 * Added caching and conditional downloading. When CACHEDIR is set, the original downloads are preserved and wget timestamping mode enabled. When the content did not change, only the timestamp on the installed CRL is updated. If SLOPPYCRLHASHES is set, the has is calculated based on the name of the crl_url file, otherwise it is taken from the CRL itself. - The CACHEDIR must be exclusively writable by the user running fetch-crl - Setting CACHEDIR significantly reduced the bandwidth used by fetch-crl * Added RESETPATHMODE setting in sysconfig. It defines whether or not to re-set $PATH to "/bin:/usr/bin" before start. The search for OpenSSL may be done based on the old path. yes=always replace; searchopenssl=search for openssl first and then reset; no=keep original path, whatever that may be (may be empty if called from cron) Default="yes". This replaces the hard-coded path in the tool. * Hidden "FORCE_OVERWRITE" option now has a regular name. This is backwards- compatible. Set FORCE_OVERWRITE=yes if you want files overwritten that have a CRL-like name and ought to have CRL content, but currently do not. * Addresses gLite Savannah bugs 28418 and 29559. Bug 27023 is partially addressed. Bug 20062 can be remedied with WGET_OPTS arguments. Addresses OSG ticket 4673. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs).

1 0

No threat to IGTF PKI from OpenSSL DSA/ECDSA issue CVE-2008-5077
by David Groep 08 Jan '09

08 Jan '09

Dear IGTF relying parties, The OpenSSL Security Team released an advisory [1] on January 7th, regarding incorrect checks for malformed signatures when DSA or ECDSA keys are used. The IGTF Risk Assessment Team (RAT) [2] would like to inform you that NONE of the IGTF-accredited certification authorities use such keys to sign any certificate. This means this vulnerability does not constitute any risk to relying parties when they authenticate a server presenting a certificates issued by an IGTF-accredited CA. None of the CAs accredited by the IGTF issue, or have issued in the past, certificates using signature algorithms other than RSA. On behalf of the IGTF/IGTF RAT Sincerely, Jim Basney David Groep Vinod Rebello Willy Weisz [1] http://www.openssl.org/news/secadv_20090107.txt [2] http://tagpma.es.net/wiki/bin/view/IGTF-RAT -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

eugridpma-announce January 2009