Dear CAs, Relying Parties, Users, and all others interested,
In this announcement:
1. Updated fetch-crl3 (3.0.16) with improved cache expiry control
mitigating issues with too-long cache control expirations sent by
certain content delivery networks when serving CRLs
=========================================================================
1. Updated fetch-crl3 (3.0.16) with improved cache expiry control
=========================================================================
Some content delivery networks (CDNs), including EdgeCast, may send
HTTP cache control headers that cause fetch-crl to retain a copy
of a certificate revocation list (CRL) beyond its nextUpdate time.
If that happens, this CRL will be considered 'expired' and it will
disable the affected CA.
However, since the HTTP cache headers had previously indicated that
the CRL content was still 'current' as retrieved from the CDN, fetch-crl
will NOT update it. Thus, the affected CA or CAs will be 'disabled'
for the period between nextUpdate and cache expiry.
This currently affects the TERENA "3rd Generation" Trusted Certificate
Service, which is served by DigiCert using the EdgeCast CDN.
Only the EdgeCast CDN (crl3.digicert.com) is affected; the CacheFly CDN
(crl4.digicert.com) does not suffer from this issue.
Fetch-crl 3.0.16 implements additional checks that will force cache
expiration to happen before nextUpdate (by default, nextUpdate must
be at least 7 hours past the cache expiration). It will also limit
the maximum time that fetch-crl will consider a CRL 'current'
(by default maximum 96 hrs), regardless of cache-control headers.
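As an added illustration (this is not fetch-crl's own Perl code), the following Python models the expiry policy described above: the lifetime implied by the CDN's Cache-Control or Expires header is capped so that the cached CRL is dropped at least 7 hours before nextUpdate and never kept longer than 96 hours. The dates and headers in the scenario are constructed, not real DigiCert data.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Defaults quoted in the announcement for fetch-crl 3.0.16.
NEXTUPDATE_MARGIN = timedelta(hours=7)   # cache must expire >= 7 h before nextUpdate
MAX_CACHE_AGE = timedelta(hours=96)      # never treat a cached CRL as current longer

def cdn_expiry(fetched_at: datetime, headers: Dict[str, str]) -> Optional[datetime]:
    """Expiry implied by the HTTP headers alone: max-age takes precedence over Expires."""
    for directive in headers.get("Cache-Control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return fetched_at + timedelta(seconds=int(value))
    if "Expires" in headers:  # HTTP dates are always GMT, so this is tz-aware
        return parsedate_to_datetime(headers["Expires"])
    return None  # no caching information; the other two limits still apply

def effective_expiry(fetched_at: datetime, next_update: datetime,
                     headers: Dict[str, str]) -> datetime:
    """Earliest of: CDN expiry, nextUpdate minus the margin, and the hard 96 h cap."""
    limits = [next_update - NEXTUPDATE_MARGIN, fetched_at + MAX_CACHE_AGE]
    cdn = cdn_expiry(fetched_at, headers)
    if cdn is not None:
        limits.append(cdn)
    return min(limits)

def needs_refresh(now: datetime, fetched_at: datetime, next_update: datetime,
                  headers: Dict[str, str]) -> bool:
    """True once the cached copy may no longer be treated as current."""
    return now >= effective_expiry(fetched_at, next_update, headers)

def hours_disabled_without_fix(fetched_at, next_update, headers) -> float:
    """Hours a client honouring only the CDN headers would sit on an expired CRL."""
    cdn = cdn_expiry(fetched_at, headers)
    if cdn is None or cdn <= next_update:
        return 0.0
    return (cdn - next_update).total_seconds() / 3600

# Constructed scenario: CRL fetched on 1 Jan with nextUpdate three days later,
# while the CDN asks clients to cache the response for 14 days.
FETCHED_AT = datetime(2014, 1, 1, 0, 0, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2014, 1, 4, 0, 0, tzinfo=timezone.utc)
CDN_HEADERS = {"Cache-Control": "public, max-age=1209600"}  # 14 days

if __name__ == "__main__":
    print("refresh no later than:", effective_expiry(FETCHED_AT, NEXT_UPDATE, CDN_HEADERS))
    print("hours CA would be disabled without the check:",
          hours_disabled_without_fix(FETCHED_AT, NEXT_UPDATE, CDN_HEADERS))
```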
For documentation see http://www.nikhef.nl/grid/fetchcrl3/, and you can
download the new version in RPM and source form at
https://dist.eugridpma.info/distribution/util/fetch-crl/
This new version will also be available through Fedora EPEL and Debian in
due time.
=========================================================================
About this news letter
----------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/
+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it   |
| contains, please read the information at                              |
| https://dist.eugridpma.info/distribution/igtf/README.txt              |
|                                                                       |
| This file contains important information for new users and should be  |
| read before installing this Distribution.                             |
+-----------------------------------------------------------------------+
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the EUGridPMA PMA at
<info(a)eugridpma.org> or your Regional Policy Management Authority. See
the IGTF web site (www.igtf.net) for further information.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics, PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **