Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.63 available
2. [repeated] Notice for system operators using the (issuer-subject)
combination for identifying users
=========================================================================
1. Updated IGTF distribution version 1.63 available
=========================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.63 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.62 to 1.63
-------------------------
(30 March 2015)
* Removed obsoleted and replaced NIIF CA (HU)
* Extended validity period of the KEK CA (JP)
* Removed obsoleted d254cc30/CERN-Root 1d879c6c/CERN-TCA anchors (CERN)
* Updated RPDNC namespaces to permit DigiCert Grid Trust G2 ICAs for
DigiCert Assured ID Root CA (US)
* Updated RPDNC namespaces and signing_policy files for G2 series
DigiCert Grid CAs pending ICA reissuance for reverse RDN issue (US)
* Normalised cond_subject syntax for multiple signing policy files:
cilogon-basic cilogon-silver InCommon-IGTF-Server-CA NCSA-slcs-2013
NCSA-tfca-2013 Comodo-RSA-CA
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of April 2015.
=========================================================================
2. Notice for system operators using the (issuer-subject) combination
for identifying users
=========================================================================
The IGTF coordinates a trust fabric that provides unique, non-reassigned
identifiers to end-entities (users). This means that, within the scope of
the IGTF authorities, you can use the subject name as a key to e.g.
community membership databases, and to assign data ownership and access
rights.
Several updates to this trust anchor distribution incorporate changes to
the name of the issuing authority, but the name of the end-entities and
the users remains exactly the same. This usually permits users to use
those new issuing services without losing (data) ownership or community
memberships.
However, the IGTF is aware that some systems, in particular VOMS and
VOMS-Admin, were traditionally deployed such that the issuer was also used
to identify users. To make the changes in this and future releases
transparent, all operators of VOMS and VOMS-Admin services are requested to
enable the subject-only name resolution mechanisms in VOMS and VOMS-Admin:
- on the VOMS core Attribute Authority service, configure the "-skipcacheck"
flag on start-up. In YAIM this is done by setting "VOMS_SKIP_CA_CHECK"
to true. See https://wiki.italiangrid.it/twiki/bin/view/VOMS/VOMSYAIMGuide
- update VOMS-Admin to version >= 3.3.2, and set "voms.skip_ca_check=True"
in the service properties. For more info, read the release notes at
http://italiangrid.github.io/voms/release-notes/voms-admin-server/3.3.2/
For other products, please refer to the documentation provided by your
supplier. Products such as Apache httpd itself and most web-based products
(MediaWiki, TWiki, etc.) use subject-name matching only and are thus
fully compatible. No changes are needed for these and similar products.
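As an added illustration of why the notice above matters (this is not IGTF or VOMS code): a small audit over a constructed membership export that reports which users would be orphaned under (issuer, subject) matching once their CA has been replaced, and shows that subject-only matching keeps them. The "subject|issuer" export format, all names, and the RETIRED_ISSUERS map are assumptions made up for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple
# Constructed VOMS-Admin style export, one "subject|issuer" record per line.
# All names are made up for illustration.
EXPORT = """\
/C=XX/O=Example Grid/CN=Alice Example|/C=XX/O=Example Grid/CN=Example Grid CA
/C=XX/O=Example Grid/CN=Bob Example|/C=XX/O=Example Grid/CN=Example Grid CA
/C=XX/O=Example Grid/CN=Alice Example|/C=XX/O=Example Grid/CN=Example Grid CA 2015
"""

# Constructed: issuer names retired by a trust-anchor update, mapped to their
# replacement (end-entity names are unchanged, only the issuing CA differs).
RETIRED_ISSUERS = {
    "/C=XX/O=Example Grid/CN=Example Grid CA":
        "/C=XX/O=Example Grid/CN=Example Grid CA 2015",
}

def parse_export(text: str) -> List[Tuple[str, str]]:
    """Parse the export; reject records that are not two slash-form DNs."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 2 or not all(p.startswith("/") for p in parts):
            raise ValueError(f"line {lineno}: malformed record {line!r}")
        records.append((parts[0], parts[1]))
    return records

def identity_keys(records, use_issuer: bool) -> Dict[object, int]:
    """Count records per identity key: (issuer, subject) or subject only."""
    counts: Dict[object, int] = defaultdict(int)
    for subject, issuer in records:
        counts[(issuer, subject) if use_issuer else subject] += 1
    return dict(counts)

def orphaned_under_issuer_matching(records) -> List[str]:
    """Subjects bound only to a retired issuer: with a certificate from the
    replacement CA, (issuer, subject) lookup fails while subject-only matches."""
    issuers_of: Dict[str, Set[str]] = defaultdict(set)
    for subject, issuer in records:
        issuers_of[subject].add(issuer)
    orphaned = []
    for subject, issuers in sorted(issuers_of.items()):
        replacements = {RETIRED_ISSUERS[i] for i in issuers if i in RETIRED_ISSUERS}
        if replacements and not replacements & issuers:
            orphaned.append(subject)
    return orphaned
```

In the constructed data Alice already has a record under the new issuer and so appears as two distinct identities when the issuer is part of the key, while Bob only has the retired issuer and would lose his membership entirely.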
=========================================================================
REPEATED NOTICES
=========================================================================
Use in coordinated-deployment infrastructures
---------------------------------------------
If you are part of a coordinated-deployment infrastructure (e.g. a national
or regional e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI or others) you may
want to await their announcement before installing the release. They could
include localised adaptations. For reference we include the links below:
PRACE-RI http://winnetou.sara.nl/prace/certs/
EGI https://wiki.egi.eu/wiki/EGI_IGTF_Release
wLCG https://lcg-ca.web.cern.ch
Open Science Grid https://software.grid.iu.edu/cadist/
Supplementary download locations
--------------------------------
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/
and by the EUGridPMA at
https://dist.eugridpma.info/distribution/igtf/
Where possible validate trust anchors with the GEANT TACAR Repository
https://www.tacar.org/
About this news letter
----------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/
+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it   |
| contains, please read the information at                              |
| https://dist.igtf.net/distribution/igtf/README.txt                    |
|                                                                       |
| This file contains important information for new users and should be  |
| read before installing this Distribution.                             |
+-----------------------------------------------------------------------+
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the EUGridPMA PMA at
<info(a)eugridpma.org> or your Regional Policy Management Authority. See
the IGTF web site (www.igtf.net) for further information.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **