eugridpma-announce

eugridpma-announce@nikhef.nl

162 discussions

Updated IGTF distribution version 1.34 (fixes to 1.33)
by David Groep 18 Feb '10

18 Feb '10

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.34 available 2. Distribution format changes in the wake of OpenSSL version 1 (repeated annoucement) ========================================================================= 1. Updated IGTF distribution version 1.34 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.34, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (traditional format) https://dist.eugridpma.info/distribution/igtf/1.34-new/ (new format) Changes from 1.32 to 1.33 ------------------------- (18 February 2010) * Corrected malformed EACL syntax in signing_policy for CESNET-Root-CA (CZ) Since this is a quick-fix for the 1.33 distribution, you are reminded of these changes in 1.33 in case one migrates from a previous version 1.33: * Added accredited MICS TCS eScience Personal CA and hierarchy (EU) * Updated AustrianGrid root cert with extended life time (AT) * Updated PolishGrid CA with new contact and extended root CA life time (PL) * Removed expired CNRS-Grid-FR CA (has been superseded by CNRS2-Grid-FR) (FR) * Removed obsolete CNRS, CNRS-Projets CA (superceded by CNRS2 hierarchy) (FR) * Corrected namespaces file for BEGrid2008 (BE) * Added comment line to REUNA CA signing_policy file (CL) * Added new classic CESNET hierarchy "CESNET-CA-Root" and "CESNET-CA-3" (CZ) * Updated (re-rooted) selected UNaccredited CAs in the "worthless" area If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected in April 2010. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This 1.34 distribution comes in two (2) formats. The primary format for this 1.34 release is the 'current' one, which has no changes. A 'new' format, available for your evaluation as of this release at: https://dist.eugridpma.info/distribution/igtf/1.34-new/ supports also OpenSSL v1 and is designed to be backwards compatible with the current distribution format. *** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW *** In a subsequent release (1.35 or 1.36), the 'default' distribution will change to the new format and the current format will be depricated and only available via a special URL. The default download location https://dist.eugridpma.org/distribution/igtf/current/ will then point to the new-format distribution. Releases after 1.36 (Autumn 2010) may withdraw this then-depricated format and from then on only the 'new' format will be distributed. For more information, please refer to the February 15th newsletter: https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information.

1 0

Updated IGTF distribution version 1.33 and new distribution format
by David Groep 15 Feb '10

15 Feb '10

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.33 available 2. Distribution format changes in the wake of OpenSSL version 1 - IMPORTANT NOTICE - BACKGROUND - COLLATERAL CHANGES ========================================================================= 1. Updated IGTF distribution version 1.33 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.33, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (traditional format) https://dist.eugridpma.info/distribution/igtf/1.33-new/ (new format) Changes from 1.32 to 1.33 ------------------------- (15 February 2010) * Added accredited MICS TCS eScience Personal CA and hierarchy (EU) * Updated AustrianGrid root cert with extended life time (AT) * Updated PolishGrid CA with new contact and extended root CA life time (PL) * Removed expired CNRS-Grid-FR CA (has been superseded by CNRS2-Grid-FR) (FR) * Removed obsolete CNRS, CNRS-Projets CA (superceded by CNRS2 hierarchy) (FR) * Corrected namespaces file for BEGrid2008 (BE) * Added comment line to REUNA CA signing_policy file (CL) * Added new classic CESNET hierarchy "CESNET-CA-Root" and "CESNET-CA-3" (CZ) * Updated (re-rooted) selected UNaccredited CAs in the "worthless" area If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected in April 2010. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This 1.33 distribution comes in two (2) formats. The primary format for this 1.33 release is the 'current' one, which has no changes. A 'new' format, available for your evaluation as of this release at: https://dist.eugridpma.info/distribution/igtf/1.33-new/ supports also OpenSSL v1 and is designed to be backwards compatible with the current distribution format. *** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW *** In a subsequent release (1.34 or 1.35), the 'default' distribution will change to the new format and the current format will be depricated and only available via a special URL. The default download location https://dist.eugridpma.org/distribution/igtf/current/ will then point to the new-format distribution. Releases after 1.35 (Autumn 2010) may withdraw this then-depricated format and from then on only the 'new' format will be distributed. BACKGROUND ---------- It has come to the attention of the IGTF that the developers of the OpenSSL software (www.openssl.org) are about to release a new version of their software (version 1.0) which is fundamentally incompatible with both any pre-existing versions of their own software, as well as bring incompatibility with many other software products that use a directory-based trust anchor store (such as Apache's mod_ssl, the gLite Trust Manager, gridSite or VOMS). A directory-based trust anchor store ("/etc/grid-security/certificates/") contains a set of files, each of which holds a single, PEM encoded, certificate that you trust. These files are named "XXXXXXXX.i", where the X'es are hexadecimal digits and "i" a number, usually "0". For example: /etc/grid-security/certificates/16da7552.0 /etc/grid-security/certificates/16da7552.crl_url /etc/grid-security/certificates/16da7552.info /etc/grid-security/certificates/16da7552.namespaces /etc/grid-security/certificates/16da7552.r0 /etc/grid-security/certificates/16da7552.signing_policy In this case, the "16da7552" is a hash ('digest') of the subject name of the CA in question, namely "C=NL, O=NIKHEF, CN=NIKHEF medium-security certification auth". Files with related meta-data, such as the URL where a CRL can be obtained, or the allowed name spaces in to which this CA is accredited in the IGTF, are named after the hash of the CA subject name. Although, on first glance, the trust anchor directory in an OpenSSL v1.0 installation looks the same, the mechanism to compute these hashes has changed. So, what appears to be a 'normal' trust anchor directory no longer works when OpenSSL1 is used. However, all other current software (Apache mod_ssl, the gLite Trust Manager, etc.) will continue to work without problems. Not having the 'new' hashes installed will not lead to security risks, but it will prevent successful authentication and thus lead to unavailability. The IGTF regrets this unwarranted change made by the OpenSSL developers, but cannot shield its relying parties and end-users from this change. Since the IGTF distributes the trust anchors of accredited authorities also in a way that used to work with OpenSSL, we feel that it is in the community's interest to keep supporting OpenSSL also for version 1, whilst ensuring that other softwares continue to work as before. Since we anticipate that relying parties will at some point install OpenSSL version 1, and will do so whilst at the same time running other software on the same system or using the same trust anchor directory (e.g. over a distributed or shared file system), we have designed a new distribution format that will support both the conventional hash method as well as the new OpenSSL1 mode. The new format is based on the following structure: - In the installation bundles, tar-balls and RPMs, all CAs and files are named after their alias from the info file - Symbolic links are used to generate the structure for BOTH the current hash mode (OpenSSL 0.x and all other software) AS WELL AS for OpenSSL 1.0 This means that it will no longer install on FAT32 file systems, or on any file system that does not support symbolic links - Since the "fetch-crl" utility, distributed by the IGTF to facilitate periodic downloads of CRLs for each CA, will use the file name of the crl_url file, and the local version of OpenSSL to generate the hash itself, it can handle symbolic names for the crl-url file. The name of the CRL downloaded will be derived from the version of OpenSSL used. To generate CRLs for both hashes, run this utility twice, but using a different version of OpenSSL; or make symbolic links for the 'other' hash 'XXXXXXXX.r0' file. You can select the version of OpenSSL used by the fetch-crl utility by setting the "FETCH_CRL_OPENSSL" variable in the environment or in the fetch-crl configuration file (/etc/fetch-crl.conf or /etc/sysconfig/fetch-crl) - The installation bundle (used for "./configure && make && make install") will create both symlinks in its installation directory (specified with --prefix=) - The pre-installed bundles for each of the accreditation classes have both hashes installed, using symbolic links. These pre-installation bundles can thus be used only on file systems that support symbolic links, or where the un-packing utility transparently translated symbolic links to hard copies When deployed, a new-format IGTF trust anchor distribution will look like: .../16da7552.0 -> NIKHEF.pem .../16da7552.info -> NIKHEF.info .../16da7552.namespaces -> NIKHEF.namespaces .../16da7552.signing_policy -> NIKHEF.signing_policy .../dfb080e4.0 -> NIKHEF.pem .../dfb080e4.info -> NIKHEF.info .../dfb080e4.namespaces -> NIKHEF.namespaces .../dfb080e4.signing_policy -> NIKHEF.signing_policy .../NIKHEF.crl_url .../NIKHEF.info .../NIKHEF.namespaces .../NIKHEF.pem .../NIKHEF.signing_policy Please note that - some software may now import the same CA /twice/, potentially doubling memory usage. Although this is not expected to cause problems, you are invited to verify that this new format accommodates your requirements. - the crl_url file is not duplicated, since fetch-crl will find this file based on its extension (not name), and the CRL file is written with the hash computed with the OpenSSL version used by fetch-crl at run time. COLLATERAL CHANGES ------------------ At the same time, the IGTF for the 'new' distribution will update its build architecture and incorporate the following changes: - the RPMs built by the IGTF, although based on the same SPEC files, will be constructed using RPM version 4.4.2.3 (this version is shipped, for example, with CentOS 5, RedHat Enterprise Linux 5 and like systems) - the Java Key Stores are built now with Java 6 (jdk-1.6.0), and from now on will also contain certificates with key lengths larger than 2048 bits ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information.

1 0

Updated IGTF distribution version 1.32
by David Groep 26 Oct '09

26 Oct '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.32 available ========================================================================= 1. Updated IGTF distribution version 1.32 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.32, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.30 to 1.32 - ------------------------- (26 October 2009) * Updated country TLD in URLs and email for AEGIS CA (RS) * Updated contact information for CALC CA (LV) * Extended life time and updated profile or TR-Grid CA cert and CRL URL (TR) * Updated and added references to CP and CPS documents for the following authorities: HellasGrid (GR), ROSA (RO), DutchGrid (NL), IRAN-GRID (IR), and BYGCA (BY) * Withdrawn obsolete CAs SWITCH-Personal-2007, SwissSign-Root, SWITCH, SwissSign-Bronze, SwissSign-Silver, SWITCH-Server-2007 (CH) * Withdrawn expired and discontinued CA RMKI (HU) * Added persistently-named links to pre-installed accredited bundles * Added selected UNaccredited CAs to the "worthless" area If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release - ------------ The next release of the distribution is expected in January 2009. ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information. - -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL ** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) iD8DBQFK5gYgcnpzXG8phBgRAlNyAKDa7jeowlLgNi06xa3H3xkN8yoqsACgm3C+ 5GfIhbAS8j4qcp2EirrvmRk= =CR1v -----END PGP SIGNATURE-----

1 0

Updated IGTF distribution version 1.30
by David Groep 02 Jun '09

02 Jun '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.30 available ========================================================================= 1. Updated IGTF distribution version 1.30 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.30, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.29 to 1.30 ------------------------- (2 June 2009) * Updated contact meta-data for BYGCA, hash 709bed08 (BY) * Updated URLs for DFN Grid PKI public web pages (DE) * Added accredited NCSA GridShib SLCS CA (US) * Added accredited DFN SLCS CA (DE) * Added accredited TACC MICS CA (US) * Added accredited SWITCH (QuoVadis anchored) CAs (CH) * Added accredited FNAL-SLCS CA (US) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected on June 2nd, 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F308418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.29
by David Groep 05 May '09

05 May '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.29 available ========================================================================= 1. Updated IGTF distribution version 1.29 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.29, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.28 to 1.29 ------------------------- (4 May 2009) * Restored NGO-Netrust CA (SG) * Updated AIST Grid (CRL) URL metadata (JP) * Added accredited MD-Grid CA with hash 9ff26ea4 (MD) * Added accredited HKU Grid CA with hash 4798da47 (HK) * Updated signing policy file of APAC Grid CA (AU) * Added accredited classic BYGCA (Belarus) with hash 709bed08 (BY) * Updated namespace for the APAC CA (AU, NZ) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected on June 2nd, 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.28
by David Groep 10 Mar '09

10 Mar '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.28 available ========================================================================= 1. Updated IGTF distribution version 1.28 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.28, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.27 to 1.28 ------------------------- (9 March 2009) * Added accredited classic ULAGrid CA (VE) * Added accredited TACC Root and TACC Classic CAs (US) * Updated NERSC CRL URL download location (US) * Updated DOEGrids CRL URL download location (US) * Extended life time of NorduGrid CA (1f0e8352) (DK,SE,NO,FI,IS) * Added SigmaNet CALG CA (LV) * Updated AEGIS CA root certificate to reflect TLD name change (RS) * Added CRL for SWITCH-SLCS issuing CA (304cf809) (CH) Other updates to miscellaneous CAs: * Worthless CA for EGEE "GILDA" testbed added to 'worthless' section (EU) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected in April 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.27 and fetch-crl 2.7.0 available
by David Groep 30 Jan '09

30 Jan '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.27 available 2. Fetch-crl utlity version 2.7.0 released ========================================================================= 1. Updated IGTF distribution version 1.27 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.27, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.26 to 1.27 ------------------------- * Corrected signing namespace for BEGrid2008 CA (BE) * Added NERSC SLCS CA (US) * ASGCCA-2007 changed signature algorithm from MD5 to SHA1 (TW) * Added new CNRS2 hierarchy: CNRS2 -> CNRS2-Projets -> CNRS2-Grid-FR (FR) * Updated IUCC root certificate (IL) * Obsoleted EstonianGrid CA (EE) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected on Monday, 2 March 2009. ========================================================================= 2. Fetch-crl utility version 2.7.0 released ========================================================================= The 'fetch-crl' utility is a utility to ensure that Certificate Revocation Lists (CRLs) are periodically retrieved from the web sites of the respective Certification Authorities, and installed on the local system in a trust anchor directory. It is intended for use with those (grid) systems that follow the OpenSSL method of trust anchor distribution. The fetch-crl utility has been updated with bug fixes and new functionality, as described in the CHANGES file below. The most important change is that this version will NOT REPORT transient download errors unless they persist for more than 24 hours. Previously, this function was enabled by the "-a" option or the CRL_AGING_THRESHOLD, but was set to 0 (zero) by default. The new version of fetch-crl can be obained from the IGTF mirror sites and at https://dist.eugridpma.info/distribution/util/fetch-crl/ where you can retrieve version 2.7.0 as well as older versions. Changes in version EGP 2.7.0 ---------------------------- * Warnings and errors are now counted. If there are errors in the download or verification process for one or more CRLs, the exit status will be 1; if there are errors in the local setup or in the script invocation, the exit status will be 2. * The installed CRLs no longer have the textual representation of the CRL, but only the PEM data blob, thus reducing IO and memory requirements. * the CRL aging threshold is now set by default to 24 hours. The previous default was 0. The CRL aging threshold is set in the config file using CRL_AGING_THRESHOLD=<xx>, or with the "-a" command-line argument. * Default network timeouts reduced to 10 seconds (was 30) and retries to 2 * Added caching and conditional downloading. When CACHEDIR is set, the original downloads are preserved and wget timestamping mode enabled. When the content did not change, only the timestamp on the installed CRL is updated. If SLOPPYCRLHASHES is set, the has is calculated based on the name of the crl_url file, otherwise it is taken from the CRL itself. - The CACHEDIR must be exclusively writable by the user running fetch-crl - Setting CACHEDIR significantly reduced the bandwidth used by fetch-crl * Added RESETPATHMODE setting in sysconfig. It defines whether or not to re-set $PATH to "/bin:/usr/bin" before start. The search for OpenSSL may be done based on the old path. yes=always replace; searchopenssl=search for openssl first and then reset; no=keep original path, whatever that may be (may be empty if called from cron) Default="yes". This replaces the hard-coded path in the tool. * Hidden "FORCE_OVERWRITE" option now has a regular name. This is backwards- compatible. Set FORCE_OVERWRITE=yes if you want files overwritten that have a CRL-like name and ought to have CRL content, but currently do not. * Addresses gLite Savannah bugs 28418 and 29559. Bug 27023 is partially addressed. Bug 20062 can be remedied with WGET_OPTS arguments. Addresses OSG ticket 4673. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs).

1 0

No threat to IGTF PKI from OpenSSL DSA/ECDSA issue CVE-2008-5077
by David Groep 08 Jan '09

08 Jan '09

Dear IGTF relying parties, The OpenSSL Security Team released an advisory [1] on January 7th, regarding incorrect checks for malformed signatures when DSA or ECDSA keys are used. The IGTF Risk Assessment Team (RAT) [2] would like to inform you that NONE of the IGTF-accredited certification authorities use such keys to sign any certificate. This means this vulnerability does not constitute any risk to relying parties when they authenticate a server presenting a certificates issued by an IGTF-accredited CA. None of the CAs accredited by the IGTF issue, or have issued in the past, certificates using signature algorithms other than RSA. On behalf of the IGTF/IGTF RAT Sincerely, Jim Basney David Groep Vinod Rebello Willy Weisz [1] http://www.openssl.org/news/secadv_20090107.txt [2] http://tagpma.es.net/wiki/bin/view/IGTF-RAT -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Sea cable severance in Mediterranean affects CRL downloads of several authorities
by David Groep 20 Dec '08

20 Dec '08

Dear Users and Relying Parties of the IGTF and EUGridPMA Following the severance of three (out of four) undersea cables in the Mediterranean basin on December 19th, 2008, around 7.30 CET, your ability to retrieve Certificate Revocation Lists (CRLs) for some of the IGTF accredited authorities may be limited or absent. France Telecom, the company responsible for the maintenance of the cables (Sea Me We3, Sea Me We4, FLAG) is working to repair these cables and restore connectivity as soon as possible, but it may take up to December 31st to fully recover. Please see their press release at: http://www.francetelecom.com/en_EN/press/press_releases/cp081219en.html This affects CAs located in the Middle East (in particular PK-Grid (PK) with hash f5ead794 and IRAN-Grid (IR) with hash ce33db76), as well as MaGrid. Although not apparent from the press release, academic connectivity to Morocco (by MARWAN) is provided through the EUMedConnect hub in Palermo, Sicily, and also suffers from this outage. Connectivity to PK and IR is intermittent, whereas connectivity to MA is completely lost since Dec 19th, 0730 CET. At this moment, we have no better estimates than those made public by France Telecom as to when service will be restored. We apologize for this inconvenience. Best Regards, David Groep. -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.26 available
by David Groep 14 Dec '08

14 Dec '08

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.26 available ========================================================================= 1. Updated IGTF distribution version 1.26 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.26, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.25 to 1.26 ------------------------- (14 December 2008) * Added accredited classic Indian Grid CA (IGCA) (hash da75f6a8) (IN) * Updated IUCC root certificate with extended life time (IL) * Updated BEGrid (web, CRL) and UCSD-PRAGMA (web) URL metadata (BE, AP) * New BEGrid2008 root certificate (transitional) (BE) * Extended life time of the SEE-GRID CA (SEE) * Included CRL for NCSA SLCS CA (US) * Temporally suspended NGO-Netrust CA (SG) * Withdrawn expired old PK-Grid CA (d2a353a5, superseded by f5ead794) (PK) * Experimentally added Texas Advanced Computer Center TACC Root, Classic, and MICS CAs to the experimental area (US) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Note that the location of the igtf-policy-installation-bundle tar-ball has changed. It is now in the root of the distribution area, as it contains not only the accredited but also worthless and experimental CAs. Next Release ------------ The next release of the CA distribution is to be expected at the beginning of February 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

← Newer
1
...
9
10
11
12
13
14
15
16
17
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

eugridpma-announce