Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.28 available
=========================================================================
1. Updated IGTF distribution version 1.28 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.28, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.27 to 1.28
-------------------------
(9 March 2009)
* Added accredited classic ULAGrid CA (VE)
* Added accredited TACC Root and TACC Classic CAs (US)
* Updated NERSC CRL URL download location (US)
* Updated DOEGrids CRL URL download location (US)
* Extended life time of NorduGrid CA (1f0e8352) (DK,SE,NO,FI,IS)
* Added SigmaNet CALG CA (LV)
* Updated AEGIS CA root certificate to reflect TLD name change (RS)
* Added CRL for SWITCH-SLCS issuing CA (304cf809) (CH)
Other updates to miscellaneous CAs:
* Worthless CA for EGEE "GILDA" testbed added to 'worthless' section (EU)
If you part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Distribution format changes
---------------------------
Note that the location of the igtf-policy-installation-bundle tar-ball
has changed in release 1.26. It is now in the root of the distribution
area, as it contains also all worthless and experimental CAs.
The per-profile meta-data files (ca_policy_igtf-*.info) as well as the
top-level meta-data file (ca_policy_igtf.info) now also contain a list
of obsoleted CAs. Previously, this information was only embedded in the
RPM distribution. The "obsoletes" attribute contains a comma-separated
list of aliases for all CAs that have been (temporarily) withdrawn
for any reason.
Next Release
------------
The next release of the distribution is expected in April 2009.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES
=========================================================================
Subscribing to the EUGridPMA Newsletter
---------------------------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe,
refer to the EUGridPMA web site at https://www.eugridpma.org/
What is contained in the IGTF Trust Anchor Distribution
-------------------------------------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number and release.
Distribution formats
--------------------
* the distribution containes RPMs and tar-balls of each accredited authority,
as well as meta-RPMs that depends on the RPMs of those accredited.
* the tar "bundle" can be used to install the authorities in a local trust
anchor directory using the "./configure && make install" process:
igtf-policy-installation-bundle-<VERSION>.tar.gz
* the accredited directory contains tar-balls for all "classic", "mics",
and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-<VERSION>.tar.gz
igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz
igtf-preinstalled-bundle-mics-<VERSION>.tar.gz
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
These is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/"
sub-directory (also for -slcs and -mics).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
