eugridpma-announce

eugridpma-announce@nikhef.nl

160 discussions

Updated IGTF distribution version 1.32
by David Groep 26 Oct '09

26 Oct '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.32 available ========================================================================= 1. Updated IGTF distribution version 1.32 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.32, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.30 to 1.32 - ------------------------- (26 October 2009) * Updated country TLD in URLs and email for AEGIS CA (RS) * Updated contact information for CALC CA (LV) * Extended life time and updated profile or TR-Grid CA cert and CRL URL (TR) * Updated and added references to CP and CPS documents for the following authorities: HellasGrid (GR), ROSA (RO), DutchGrid (NL), IRAN-GRID (IR), and BYGCA (BY) * Withdrawn obsolete CAs SWITCH-Personal-2007, SwissSign-Root, SWITCH, SwissSign-Bronze, SwissSign-Silver, SWITCH-Server-2007 (CH) * Withdrawn expired and discontinued CA RMKI (HU) * Added persistently-named links to pre-installed accredited bundles * Added selected UNaccredited CAs to the "worthless" area If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release - ------------ The next release of the distribution is expected in January 2009. ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information. - -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL ** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) iD8DBQFK5gYgcnpzXG8phBgRAlNyAKDa7jeowlLgNi06xa3H3xkN8yoqsACgm3C+ 5GfIhbAS8j4qcp2EirrvmRk= =CR1v -----END PGP SIGNATURE-----

1 0

Updated IGTF distribution version 1.30
by David Groep 02 Jun '09

02 Jun '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.30 available ========================================================================= 1. Updated IGTF distribution version 1.30 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.30, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.29 to 1.30 ------------------------- (2 June 2009) * Updated contact meta-data for BYGCA, hash 709bed08 (BY) * Updated URLs for DFN Grid PKI public web pages (DE) * Added accredited NCSA GridShib SLCS CA (US) * Added accredited DFN SLCS CA (DE) * Added accredited TACC MICS CA (US) * Added accredited SWITCH (QuoVadis anchored) CAs (CH) * Added accredited FNAL-SLCS CA (US) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected on June 2nd, 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F308418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.29
by David Groep 05 May '09

05 May '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.29 available ========================================================================= 1. Updated IGTF distribution version 1.29 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.29, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.28 to 1.29 ------------------------- (4 May 2009) * Restored NGO-Netrust CA (SG) * Updated AIST Grid (CRL) URL metadata (JP) * Added accredited MD-Grid CA with hash 9ff26ea4 (MD) * Added accredited HKU Grid CA with hash 4798da47 (HK) * Updated signing policy file of APAC Grid CA (AU) * Added accredited classic BYGCA (Belarus) with hash 709bed08 (BY) * Updated namespace for the APAC CA (AU, NZ) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected on June 2nd, 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.28
by David Groep 10 Mar '09

10 Mar '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.28 available ========================================================================= 1. Updated IGTF distribution version 1.28 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.28, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.27 to 1.28 ------------------------- (9 March 2009) * Added accredited classic ULAGrid CA (VE) * Added accredited TACC Root and TACC Classic CAs (US) * Updated NERSC CRL URL download location (US) * Updated DOEGrids CRL URL download location (US) * Extended life time of NorduGrid CA (1f0e8352) (DK,SE,NO,FI,IS) * Added SigmaNet CALG CA (LV) * Updated AEGIS CA root certificate to reflect TLD name change (RS) * Added CRL for SWITCH-SLCS issuing CA (304cf809) (CH) Other updates to miscellaneous CAs: * Worthless CA for EGEE "GILDA" testbed added to 'worthless' section (EU) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected in April 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.27 and fetch-crl 2.7.0 available
by David Groep 30 Jan '09

30 Jan '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.27 available 2. Fetch-crl utlity version 2.7.0 released ========================================================================= 1. Updated IGTF distribution version 1.27 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.27, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.26 to 1.27 ------------------------- * Corrected signing namespace for BEGrid2008 CA (BE) * Added NERSC SLCS CA (US) * ASGCCA-2007 changed signature algorithm from MD5 to SHA1 (TW) * Added new CNRS2 hierarchy: CNRS2 -> CNRS2-Projets -> CNRS2-Grid-FR (FR) * Updated IUCC root certificate (IL) * Obsoleted EstonianGrid CA (EE) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected on Monday, 2 March 2009. ========================================================================= 2. Fetch-crl utility version 2.7.0 released ========================================================================= The 'fetch-crl' utility is a utility to ensure that Certificate Revocation Lists (CRLs) are periodically retrieved from the web sites of the respective Certification Authorities, and installed on the local system in a trust anchor directory. It is intended for use with those (grid) systems that follow the OpenSSL method of trust anchor distribution. The fetch-crl utility has been updated with bug fixes and new functionality, as described in the CHANGES file below. The most important change is that this version will NOT REPORT transient download errors unless they persist for more than 24 hours. Previously, this function was enabled by the "-a" option or the CRL_AGING_THRESHOLD, but was set to 0 (zero) by default. The new version of fetch-crl can be obained from the IGTF mirror sites and at https://dist.eugridpma.info/distribution/util/fetch-crl/ where you can retrieve version 2.7.0 as well as older versions. Changes in version EGP 2.7.0 ---------------------------- * Warnings and errors are now counted. If there are errors in the download or verification process for one or more CRLs, the exit status will be 1; if there are errors in the local setup or in the script invocation, the exit status will be 2. * The installed CRLs no longer have the textual representation of the CRL, but only the PEM data blob, thus reducing IO and memory requirements. * the CRL aging threshold is now set by default to 24 hours. The previous default was 0. The CRL aging threshold is set in the config file using CRL_AGING_THRESHOLD=<xx>, or with the "-a" command-line argument. * Default network timeouts reduced to 10 seconds (was 30) and retries to 2 * Added caching and conditional downloading. When CACHEDIR is set, the original downloads are preserved and wget timestamping mode enabled. When the content did not change, only the timestamp on the installed CRL is updated. If SLOPPYCRLHASHES is set, the has is calculated based on the name of the crl_url file, otherwise it is taken from the CRL itself. - The CACHEDIR must be exclusively writable by the user running fetch-crl - Setting CACHEDIR significantly reduced the bandwidth used by fetch-crl * Added RESETPATHMODE setting in sysconfig. It defines whether or not to re-set $PATH to "/bin:/usr/bin" before start. The search for OpenSSL may be done based on the old path. yes=always replace; searchopenssl=search for openssl first and then reset; no=keep original path, whatever that may be (may be empty if called from cron) Default="yes". This replaces the hard-coded path in the tool. * Hidden "FORCE_OVERWRITE" option now has a regular name. This is backwards- compatible. Set FORCE_OVERWRITE=yes if you want files overwritten that have a CRL-like name and ought to have CRL content, but currently do not. * Addresses gLite Savannah bugs 28418 and 29559. Bug 27023 is partially addressed. Bug 20062 can be remedied with WGET_OPTS arguments. Addresses OSG ticket 4673. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs).

1 0

No threat to IGTF PKI from OpenSSL DSA/ECDSA issue CVE-2008-5077
by David Groep 08 Jan '09

08 Jan '09

Dear IGTF relying parties, The OpenSSL Security Team released an advisory [1] on January 7th, regarding incorrect checks for malformed signatures when DSA or ECDSA keys are used. The IGTF Risk Assessment Team (RAT) [2] would like to inform you that NONE of the IGTF-accredited certification authorities use such keys to sign any certificate. This means this vulnerability does not constitute any risk to relying parties when they authenticate a server presenting a certificates issued by an IGTF-accredited CA. None of the CAs accredited by the IGTF issue, or have issued in the past, certificates using signature algorithms other than RSA. On behalf of the IGTF/IGTF RAT Sincerely, Jim Basney David Groep Vinod Rebello Willy Weisz [1] http://www.openssl.org/news/secadv_20090107.txt [2] http://tagpma.es.net/wiki/bin/view/IGTF-RAT -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Sea cable severance in Mediterranean affects CRL downloads of several authorities
by David Groep 20 Dec '08

20 Dec '08

Dear Users and Relying Parties of the IGTF and EUGridPMA Following the severance of three (out of four) undersea cables in the Mediterranean basin on December 19th, 2008, around 7.30 CET, your ability to retrieve Certificate Revocation Lists (CRLs) for some of the IGTF accredited authorities may be limited or absent. France Telecom, the company responsible for the maintenance of the cables (Sea Me We3, Sea Me We4, FLAG) is working to repair these cables and restore connectivity as soon as possible, but it may take up to December 31st to fully recover. Please see their press release at: http://www.francetelecom.com/en_EN/press/press_releases/cp081219en.html This affects CAs located in the Middle East (in particular PK-Grid (PK) with hash f5ead794 and IRAN-Grid (IR) with hash ce33db76), as well as MaGrid. Although not apparent from the press release, academic connectivity to Morocco (by MARWAN) is provided through the EUMedConnect hub in Palermo, Sicily, and also suffers from this outage. Connectivity to PK and IR is intermittent, whereas connectivity to MA is completely lost since Dec 19th, 0730 CET. At this moment, we have no better estimates than those made public by France Telecom as to when service will be restored. We apologize for this inconvenience. Best Regards, David Groep. -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.26 available
by David Groep 14 Dec '08

14 Dec '08

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.26 available ========================================================================= 1. Updated IGTF distribution version 1.26 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.26, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.25 to 1.26 ------------------------- (14 December 2008) * Added accredited classic Indian Grid CA (IGCA) (hash da75f6a8) (IN) * Updated IUCC root certificate with extended life time (IL) * Updated BEGrid (web, CRL) and UCSD-PRAGMA (web) URL metadata (BE, AP) * New BEGrid2008 root certificate (transitional) (BE) * Extended life time of the SEE-GRID CA (SEE) * Included CRL for NCSA SLCS CA (US) * Temporally suspended NGO-Netrust CA (SG) * Withdrawn expired old PK-Grid CA (d2a353a5, superseded by f5ead794) (PK) * Experimentally added Texas Advanced Computer Center TACC Root, Classic, and MICS CAs to the experimental area (US) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Note that the location of the igtf-policy-installation-bundle tar-ball has changed. It is now in the root of the distribution area, as it contains not only the accredited but also worthless and experimental CAs. Next Release ------------ The next release of the CA distribution is to be expected at the beginning of February 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.25 available
by David Groep 29 Sep '08

29 Sep '08

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the EUGridPMA: 1. Updated IGTF distribution version 1.25 available +----------------------------------------------------------------------+ | The IGTF and PMAs request that you update in a timely fashion, as | | this update includes important changes to CRL URL download locations | | that significantly lower bandwidth cost for selected CAs. | +----------------------------------------------------------------------+ ========================================================================= 1. Updated IGTF distribution version 1.25 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.25, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.24 to 1.25 ------------------------- * Added accredited classic NCHC CA (TW) * Updated meta data for AIST GRID CA (JP) * Updated AIST GRID CA (extended life time) based on same key pair (JP) * Updated meta data for APAC Grid CA (AU) * Updated meta data (CRL URL) for NGO-Netrust CA (SG) * updates to CA contact data in info files (EU, multiple) * updated certificates in the experimental or worthless areas (misc) The IGTF and PMAs request that you update in a timely fashion, as this update includes important changes to CRL URL download locations that significantly lower bandwidth cost for selected CAs. If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the CA RPMs is to be expected at the beginning of November 2008. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Important IGTF distribution version 1.24 available superseding 1.23
by David Groep 29 Jul '08

29 Jul '08

Dear CAs, Relying Parties, Users, and all others interested, ************************************************************************ *** IMPORTANT: PLEASE DO NOT UPGRADE TO 1.23 BUT GO DIRECTLY TO 1.24 *** ************************************************************************ In this announcement of the EUGridPMA: 1. Updated IGTF distribution version 1.24 available ========================================================================= 1. Updated IGTF distribution version 1.24 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.24, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ ** Please upgrade to 1.24 from 1.22 when convenient, but upgrade from ** 1.23 to 1.24 as soon as possible, as 1.23 is impacted by important ** operational issue. Changes from 1.23 to 1.24 ------------------------- (29 July 2008) * Withdrawn NCHC (hash 71a89a47) for urgent operational reasons (TW) Changes from 1.22 to 1.23 ------------------------- (28 July 2008) * Updated metadata for CyGrid (CY), SlovakGrid (SK), Grid-FR (FR) and NCSA-SLCS and MICS (US) * Removed old UKeScienceRoot (8175c1cd) and UKeScience (adcbc9ef) that were replaced in 2006 by updated root and issuing CAs (UK) * Updated LIPCA certificate, based on same key pair (PT) * Added accredited classic MREN CA (ME) * Added NGO-Netrust (SG), PRAGMA-UCSD (PRAGMA), and NCHC (TW) The NCHC CA with SHA1 Fingerprint EA:03:50:B9:B4:E3:F2:B4:AB:46:A7:2A:55:E6:0C:F7:6E:64:5C:D9 should NOT be installed at this time! Relying parties are advised to update to this release before June 16th, when the old ASGCC CA will expire. However, this expiration will only result in CRL download warnings and does not impact the security of your trust fabric. If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the CA RPMs is to be expected end of August 2008. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

← Newer
1
...
9
10
11
12
13
14
15
16
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

eugridpma-announce