Dear Relying Parties, Authorities, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.104 available
============================================================================
1. Updated IGTF distribution version 1.104 available
============================================================================
*** THIS INTERMEDIATE RELEASE ADDRESSES TRANSITIONARY ISSUES
identified in relation to the regrafting of the InCommon IGTF Server CA,
by adding back the about-to-expire AddTrust External CA Root. Adding the
obsoleted AddTrust External CA Root back remediates compatibility issues
seen for older OpenSSL below 1.0.1 and JDK versions.
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.104 release 1 and it is now available
for download from the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.103 to 1.104
---------------------------
(29 January 2020)
* Reinstated AddTrust External CA Root in parallel to Comodo RSA CA
to ease transitionary period (US)
Changes from 1.102 to 1.103
---------------------------
(27 January 2020)
* Updated contact addresses for DigiCert (US)
* Regrafted InCommon IGTF Server CA onto self-signed Comodo RSA CA (US)
* Discontinued superfluous AddTrust External CA Root (US)
* Discontinued AustrianGrid CA (AT)
Next Release
------------
Releases are usually done on the last Monday of the month, only when the
trust anchor distribution has materially been updated. The currently-
estimated next release of the distribution will be on February 24, 2020.
=========================================================================
REPEATED NOTICES
=========================================================================
Use in coordinated-deployment infrastructures
---------------------------------------------
If you are part of a coordinated-deployment infrastructure (e.g. a national
or regional e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI or others) you may
want to await their announcement before installing the release. They could
include localised adaptations. For reference we include the links below:
PRACE-RI https://winnetou.surfsara.nl/prace/certs/
EGI https://wiki.egi.eu/wiki/EGI_IGTF_Release
wLCG https://lcg-ca.web.cern.ch
Open Science Grid https://repo.opensciencegrid.org/cadist/
Not all IGTF releases are necessarily accompanied by infrastructure-specific
releases. If changes in the IGTF distribution do not materially impact the
distribution of the relying party, no associated release may be done, nor is
there a reason to update such a distribution.
Supplementary download locations
--------------------------------
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/
and by the EUGridPMA at
https://dist.eugridpma.info/distribution/igtf/
Where possible validate trust anchors with the GEANT TACAR Repository
https://www.tacar.org/
About this newsletter
---------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/
+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it   |
| contains, please read the information at                              |
| https://dist.igtf.net/distribution/igtf/README.txt                    |
|                                                                       |
| This file contains important information for new users and should be  |
| read before installing this Distribution.                             |
+-----------------------------------------------------------------------+
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the EUGridPMA PMA at
<info(a)eugridpma.org> or your Regional Policy Management Authority. See
the IGTF web site (www.igtf.net) for further information.
--
David Groep
** Nikhef, Dutch National Institute for Subatomic Physics, PDP programme **
** Visiting address: Science Park 105 room H1.50, NL 1098 XG Amsterdam NL **
** Phone: +31 20 5922179, keybase.io: dlg, Signal: +31646812179 **
** PGP: 0xD80134C2 308E076A FP: 2facebea12803ba145685a21d80134c2308e076a **
Hi Brian, [adding Jim who did some tests earlier],
On 2020-01-29 19:00, Brian Bockelman wrote:
> First impression is that the new InCommon root CA is a disaster. Reports are pouring in of failures across the grid (storage software, CEs) with failures referencing path validation issues.
>
> It seems that the issue is between clients and servers with different versions of the bundle.
>
> Is reverting an option?
Not quite, since the reason for moving to the new one is that the
old root ("AddTrust External CA Root") actually itself expires in 4 months
time:
[webegp@rijf ~]$ openssl x509 -text -noout -in
/etc/grid-security/certificates/AddTrust-External-CA-Root.pem|head
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network,
CN=AddTrust External CA Root
Validity
Not Before: May 30 10:48:38 2000 GMT
Not After : May 30 10:48:38 2020 GMT
Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network,
CN=AddTrust External CA Root
so unless we migrate, there will be global failures anyway starting May 30th.
That is a hard deadline, and Sectigo will not be re-issuing that root. Anyway,
most devices will never update the root anyway - this one was a real
legacy root which was kept around mainly for WinME/WinXP and really old
Android (like <2.3) versions.
See e.g. https://secure.sectigo.com/products/publiclyDisclosedSubCACerts
where it is in the "In 'CRL/OCSP only' mode:" section at the very bottom.
The "COMODO RSA Certification Authority" self-signed version is also a legacy
root, but at least it is valid until 2038 (actually: until 3 hours before it
hits the Y2K38 32-bit time_t issue ...)
If anyone can come up with a better path for the InCommon IGTF Server CA
I'm more than happy to re-issue, but I have not been able to find a
path to a root that will outlive the InCommon Server CA itself. Apart
from that self-signed variant of COMODO RSA Certification Authority.
Jim? Any hints from the InCommon side?
The other non-IGTF InCommon Server CA does not have the issue, since
that entire CA will expire on May 30th! I wonder if there is an
alternative for that one, but that is outside of the IGTF scope and
more a problem for InCommon.
At least the ECC variant thereof (InCommon ECC Server CA) expires in
Dec 2025, and a newer RSA-named variant (InCommon RSA Server CA)
on Sep 18 2024. The latter one is chained to "USERTrust RSA Certification
Authority" - and that root also was extended to last till 2038. But
again that is a legacy root.
I've not yet seen any of the new Sectigo roots in operation - and wonder
which root the GEANT TCS ICAs will chain from.
But for now, maybe taking the pain in one go is better than reverting and
then having to start a painful thing again in March??
Jim, comments?
Cheers,
DavidG.
>
> Brian
>
> Sent from my iPhone
>
>> On Jan 27, 2020, at 3:21 AM, David Groep <davidg(a)nikhef.nl> wrote:
>>
>> Dear Relying Parties, Authorities, Users, and all others interested,
>>
>> In this announcement of the IGTF:
>>
>> 1. Updated IGTF distribution version 1.103 available
>>
>> ============================================================================
>> 1. Updated IGTF distribution version 1.103 available
>> ============================================================================
>>
>> A new distribution of Accredited Authorities by the Interoperable Global
>> Trust Federation, based on the IGTF Common Source, is now available. It
>> includes the newly accredited Authorities and retires expiring trust
>> anchors.
>>
>> This is version 1.103 release 1 and it is now available
>> for download from the Repository (and mirrors) at
>>
>> https://dist.igtf.net/distribution/igtf/current/
>>
>> Changes from 1.102 to 1.103
>> ---------------------------
>> (27 January 2020)
>>
>> * Updated contact addresses for DigiCert (US)
>> * Regrafted InCommon IGTF Server CA onto self-signed Comodo RSA CA (US)
>> * Discontinued superfluous AddTrust External CA Root (US)
>> * Discontinued AustrianGrid CA (AT)
>>
>>
>> Next Release
>> ------------
>> Releases are usually done on the last Monday of the month, only when the
>> trust anchor distribution has materially been updated. The currently-
>> estimated next release of the distribution will be on February 24, 2020.
>>
>>
>> =========================================================================
>> REPEATED NOTICES
>> =========================================================================
>>
>> Use in coordinated-deployment infrastructures
>> ---------------------------------------------
>> If you are part of a coordinated-deployment infrastructure (e.g. a national
>> or regional e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI or others) you may
>> want to await their announcement before installing the release. They could
>> include localised adaptations. For reference we include the links below:
>> PRACE-RI https://winnetou.surfsara.nl/prace/certs/
>> EGI https://wiki.egi.eu/wiki/EGI_IGTF_Release
>> wLCG https://lcg-ca.web.cern.ch
>> Open Science Grid https://repo.opensciencegrid.org/cadist/
>> Not all IGTF releases are necessarily accompanied by infrastructure-specific
>> releases. If changes in the IGTF distribution do not materially impact the
>> distribution of the relying party, no associated release may be done, nor is
>> there a reason to update such a distribution.
>>
>> Supplementary download locations
>> --------------------------------
>> The download repository is also mirrored by the APGridPMA at
>> https://www.apgridpma.org/distribution/igtf/
>> and by the EUGridPMA at
>> https://dist.eugridpma.info/distribution/igtf/
>>
>> Where possible validate trust anchors with the GEANT TACAR Repository
>> https://www.tacar.org/
>>
>> About this newsletter
>> ---------------------
>> This newsletter carries IGTF information intended for relying parties.
>> For more information about this newsletter and how to subscribe, refer
>> to the EUGridPMA web site at https://www.eugridpma.org/
>>
>> +-----------------------------------------------------------------------+
>> | For information on the IGTF Distribution, how to use it and what it   |
>> | contains, please read the information at                              |
>> | https://dist.igtf.net/distribution/igtf/README.txt                    |
>> |                                                                       |
>> | This file contains important information for new users and should be  |
>> | read before installing this Distribution.                             |
>> +-----------------------------------------------------------------------+
>>
>> If you have suggestions or improvements for the distribution format,
>> to have it better suit your needs, please contact the EUGridPMA PMA at
>> <info(a)eugridpma.org> or your Regional Policy Management Authority. See
>> the IGTF web site (www.igtf.net) for further information.
>>
>> --
>> David Groep
>>
>> ** Nikhef, Dutch National Institute for Subatomic Physics, PDP programme **
>> ** Visiting address: Science Park 105 room H1.50, NL 1098 XG Amsterdam NL **
>> ** Phone: +31 20 5922179, keybase.io: dlg, Signal: +31646812179 **
>> ** PGP: 0xD80134C2 308E076A FP: 2facebea12803ba145685a21d80134c2308e076a **
>>
>
--
David Groep
** Nikhef, Dutch National Institute for Subatomic Physics, PDP programme **
** Visiting address: Science Park 105 room H1.50, NL 1098 XG Amsterdam NL **
** Phone: +31 20 5922179, keybase.io: dlg, Signal: +31646812179 **
** PGP: 0xD80134C2 308E076A FP: 2facebea12803ba145685a21d80134c2308e076a **
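The path and expiry checks argued over in the reply above, as an added example that is not code from the thread or from the IGTF distribution: it parses the `openssl x509 -text` form quoted there and flags an anchor that expires before the CA it anchors, an anchor expiring within a given horizon, and one whose notAfter passes the 32-bit time_t limit. The DNs, the 2024 InCommon expiry and the 2038 COMODO date are assumptions constructed for the example; only the AddTrust dates come from the thread.

```python
import re
from datetime import datetime, timezone
# 32-bit time_t rollover: a notAfter beyond this trips legacy validators.
Y2K38 = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)
NOW = datetime(2020, 1, 29, tzinfo=timezone.utc)  # date of the thread

def parse_x509_text(text):
    """Pull Subject, Issuer and Not After out of `openssl x509 -text` output."""
    def field(name):
        m = re.search(r"^\s*" + name + r"\s*:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    not_after = datetime.strptime(field("Not After"), "%b %d %H:%M:%S %Y %Z")
    return {"subject": field("Subject"), "issuer": field("Issuer"),
            "not_after": not_after.replace(tzinfo=timezone.utc)}

def chain_issues(ca, anchor, now, horizon_days=180):
    """Problems a relying party hits when `ca` is anchored to `anchor`."""
    issues = []
    if anchor["subject"] != anchor["issuer"]:
        issues.append("anchor is not self-signed")
    if ca["issuer"] != anchor["subject"]:
        issues.append("CA issuer does not match anchor subject")
    if anchor["not_after"] < ca["not_after"]:
        issues.append("anchor expires before the CA it anchors")
    if (anchor["not_after"] - now).days < horizon_days:
        issues.append("anchor expires within %d days" % horizon_days)
    if anchor["not_after"] > Y2K38:
        issues.append("anchor notAfter is past the 32-bit time_t limit")
    return issues

def cert_text(subject, issuer, not_after):
    """Constructed stand-in for `openssl x509 -text -noout` output."""
    return ("Certificate:\n    Data:\n        Issuer: %s\n        Validity\n"
            "            Not After : %s\n        Subject: %s\n"
            % (issuer, not_after, subject))

# DNs and the 2024/2038 dates are constructed; the AddTrust expiry is quoted in the thread.
ADDTRUST = "C=SE, O=AddTrust AB, CN=AddTrust External CA Root"
COMODO = "C=GB, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
INCOMMON = "C=US, O=Internet2, CN=InCommon IGTF Server CA"
# Old path: InCommon chained to the AddTrust root that expires 30 May 2020.
OLD_ROOT = parse_x509_text(cert_text(ADDTRUST, ADDTRUST, "May 30 10:48:38 2020 GMT"))
OLD_CA = parse_x509_text(cert_text(INCOMMON, ADDTRUST, "Oct  5 23:59:59 2024 GMT"))
# Regrafted path: the same CA re-issued under the self-signed COMODO RSA root.
NEW_ROOT = parse_x509_text(cert_text(COMODO, COMODO, "Jan 18 23:59:59 2038 GMT"))
NEW_CA = parse_x509_text(cert_text(INCOMMON, COMODO, "Oct  5 23:59:59 2024 GMT"))

if __name__ == "__main__":
    for name, ca, root in (("old", OLD_CA, OLD_ROOT), ("new", NEW_CA, NEW_ROOT)):
        print(name, chain_issues(ca, root, NOW) or ["ok"])
```

Run against a real bundle by feeding each `openssl x509 -text -noout` output to `parse_x509_text` and pairing every CA with the anchor named in its Issuer.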
Dear Relying Parties, Authorities, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.103 available
============================================================================
1. Updated IGTF distribution version 1.103 available
============================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.103 release 1 and it is now available
for download from the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.102 to 1.103
---------------------------
(27 January 2020)
* Updated contact addresses for DigiCert (US)
* Regrafted InCommon IGTF Server CA onto self-signed Comodo RSA CA (US)
* Discontinued superfluous AddTrust External CA Root (US)
* Discontinued AustrianGrid CA (AT)
Next Release
------------
Releases are usually done on the last Monday of the month, only when the
trust anchor distribution has materially been updated. The currently-
estimated next release of the distribution will be on February 24, 2020.
=========================================================================
REPEATED NOTICES
=========================================================================
Use in coordinated-deployment infrastructures
---------------------------------------------
If you are part of a coordinated-deployment infrastructure (e.g. a national
or regional e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI or others) you may
want to await their announcement before installing the release. They could
include localised adaptations. For reference we include the links below:
PRACE-RI https://winnetou.surfsara.nl/prace/certs/
EGI https://wiki.egi.eu/wiki/EGI_IGTF_Release
wLCG https://lcg-ca.web.cern.ch
Open Science Grid https://repo.opensciencegrid.org/cadist/
Not all IGTF releases are necessarily accompanied by infrastructure-specific
releases. If changes in the IGTF distribution do not materially impact the
distribution of the relying party, no associated release may be done, nor is
there a reason to update such a distribution.
Supplementary download locations
--------------------------------
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/
and by the EUGridPMA at
https://dist.eugridpma.info/distribution/igtf/
Where possible validate trust anchors with the GEANT TACAR Repository
https://www.tacar.org/
About this newsletter
---------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/
+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it   |
| contains, please read the information at                              |
| https://dist.igtf.net/distribution/igtf/README.txt                    |
|                                                                       |
| This file contains important information for new users and should be  |
| read before installing this Distribution.                             |
+-----------------------------------------------------------------------+
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the EUGridPMA PMA at
<info(a)eugridpma.org> or your Regional Policy Management Authority. See
the IGTF web site (www.igtf.net) for further information.
--
David Groep
** Nikhef, Dutch National Institute for Subatomic Physics, PDP programme **
** Visiting address: Science Park 105 room H1.50, NL 1098 XG Amsterdam NL **
** Phone: +31 20 5922179, keybase.io: dlg, Signal: +31646812179 **
** PGP: 0xD80134C2 308E076A FP: 2facebea12803ba145685a21d80134c2308e076a **