eugridpma-announce

eugridpma-announce@nikhef.nl

166 discussions

Updated IGTF distribution 1.38 and format change
by David Groep 07 Feb '11

07 Feb '11

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.38 available 2. Distribution format changes in the wake of OpenSSL version 1 3. New version 3 of the CRL retrieval tool fetch-crl available ========================================================================= 1. Updated IGTF distribution version 1.38 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.38, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (OpenSSL v1 compatible format) *** note that the default format changed in this release *** Changes from 1.37 to 1.38 ------------------------- (7 February 2011) * Updated meta-data info file for SRCE (HR) * Updated KEK CA root (617ff41b) with extended life time (JP) * Updated contact email address for ArmeSFo (AM) * Extended allowed namespace and new URL for SEE-GRID CA as EGI catch-all (EU) * Extended allowed namespace for NAREGI CA (JP) * Added accredited CILogin MICS CA (US) * Extended life time for NCSA CACL (MICS) CA (US) * Extended life time for NCSA MyProxy (SLCS) CA (US) * Extended life time for NorduGrid CA (DK,NO,SE,FI,IS) * Corrected namespaces file for TCS eScience Personal (EU) This 1.38 release has been built with RPM version 4.4.2.3 and Java 1.6. If you part of a coordinated-deployment project (such as a national grid infrastructure, EGI, OSG, PRACE, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/ Next Release ------------ The next release of the distribution is expected in April 2011. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This distribution comes in two (2) formats. The primary format for this release supports OpenSSL v1 and is designed to be backwards compatible with the old distribution format. If you experience issues with the new format, the old non-OpenSSL-v1 version is still available at https://dist.eugridpma.org/distribution/igtf/current-old/ but you should upgrade as soon as practically possible. This 1.38 will be the LAST VERSION that has such a compatibility package. For more information, please refer to the February 15th newsletter: https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt ========================================================================= 3. New version 3 of the CRL retrieval tool available ========================================================================= Downloading CRLs is a critical component in keeping the integrity and security of the trust fabric -- and CRLs should be updated frequently (preferably several times per day). To facilitate automated retrieval of certificate revocation lists (CRLs) by relying parties, the 'fetch-crl' utility is distributed by the IGTF. This tool has been redesigned completely to incorporate new features: - support for OpenSSL version 1 and dual-hash trust anchor naming - parallel downloads to speed up retrieval (from minutes to seconds) - built-in caching support to reduce bandwidth consumption - site- and infrastructure-level fail-over and override mechanisms Relying parties are encouraged to upgrade to this new version 3, avialable from the EUGridPMA web site and from popular Linux distribution (add-on) repositories such as Fedora, Debian and EPEL. Fetch-crl3 is independent of any software suite and can be used in conjunction with all popular OpenSSL, BouncyCastle and NSS based products. https://dist.eugridpma.info/distribution/util/fetch-crl3/ The documention and full list of features can be found at http://www.nikhef.nl/grid/fetchcrl3/ Fetch-crl3 is made available under the Apache License version 2.0. The 2.8 series fetch-crl will remain supported until Q2 2012 but new features will no longer be added. Support for the 2.7 series will end on March 31st, 2011. ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information. -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution 1.37 and format change announcement
by David Groep 28 Sep '10

28 Sep '10

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.37 available 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= 1. Updated IGTF distribution version 1.37 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.37, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (traditional format) https://dist.eugridpma.info/distribution/igtf/current-new/ (new format) *** note that the default format will change in the next release 1.38 *** Changes from 1.36 to 1.37 ------------------------- (27 September 2010) * Added accredited classic TERENA eScience SSL CA and hierarchy (EU) * Discontinued NGO-Netrust CA (SG) * The OpenSSL1 compliant format no longer adds symlinks for info metadata (such references would result in multiple downloads of the same CRL data when used with FetchCRL3) * Corrected typo errors in namespaces file for AAACertificateServices (EU) * Added CILogon CAs in experimental area (US) This 1.38 release has been built with RPM version 4.4.2.3 and Java 1.6. If you part of a coordinated-deployment project (such as a national grid initiative, EGI, OSG, PRACE, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/ Next Release ------------ The next release of the distribution is expected in November 2010. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This 1.37 distribution comes in two (2) formats. The primary format for this 1.37 release is the 'current' one, which has no material changes. The upcoming format is also available at: https://dist.eugridpma.info/distribution/igtf/current-new/ and supports also OpenSSL v1 and is designed to be backwards compatible with the current distribution format. *** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW *** In the next release (1.38), the 'default' distribution will change to the new format and the current format will be depricated and only available via a special URL. The default download location https://dist.eugridpma.org/distribution/igtf/current/ will then point to the new-format distribution. Releases after 1.39 (Early 2011) may withdraw this then-depricated format and from then on only the 'new' format will be distributed. For more information, please refer to the February 15th newsletter: https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information.

1 0

Updated IGTF distribution version 1.36
by David Groep 25 Jun '10

25 Jun '10

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.36 available 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= 1. Updated IGTF distribution version 1.36 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.36, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (traditional format) https://dist.eugridpma.info/distribution/igtf/1.36-new/ (new format) Changes from 1.35 to 1.36 ------------------------- (25 June 2010) * Updated root certificate for PLGrid with corrected SAN extension (PL) If you part of a coordinated-deployment project (such as a national grid initiative, OSG, PRACE, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected in August 2010. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This 1.36 distribution comes in two (2) formats. The primary format for this 1.36 release is the 'current' one, which has no changes. A 'new' format, available for your evaluation as of this release at: https://dist.eugridpma.info/distribution/igtf/1.36-new/ supports also OpenSSL v1 and is designed to be backwards compatible with the current distribution format. *** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW *** In a subsequent release (1.36 or 1.36), the 'default' distribution will change to the new format and the current format will be depricated and only available via a special URL. The default download location https://dist.eugridpma.org/distribution/igtf/current/ will then point to the new-format distribution. Releases after 1.36 (Autumn 2010) may withdraw this then-depricated format and from then on only the 'new' format will be distributed. For more information, please refer to the February 15th newsletter: https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information. -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.35, new version of fetch-crl
by David Groep 11 Jun '10

11 Jun '10

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.35 available 2. Distribution format changes in the wake of OpenSSL version 1 (repeated annoucement) 3. New version of fetch-crl 2.8.5 ========================================================================= 1. Updated IGTF distribution version 1.35 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.35, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (traditional format) https://dist.eugridpma.info/distribution/igtf/1.35-new/ (new format) Changes from 1.34 to 1.35 ------------------------- (11 Jun 2010) * Updated root certificate for SRCE with new extensions and life time (HR) * Updated root certificate for ROSA with new AKI extension and serial (RO) * Removed obsoleted CAs from experimental area (US) If you part of a coordinated-deployment project (such as a national grid initiative, OSG, PRACE, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected in August 2010. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This 1.35 distribution comes in two (2) formats. The primary format for this 1.35 release is the 'current' one, which has no changes. A 'new' format, available for your evaluation as of this release at: https://dist.eugridpma.info/distribution/igtf/1.35-new/ supports also OpenSSL v1 and is designed to be backwards compatible with the current distribution format. *** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW *** In a subsequent release (1.35 or 1.36), the 'default' distribution will change to the new format and the current format will be depricated and only available via a special URL. The default download location https://dist.eugridpma.org/distribution/igtf/current/ will then point to the new-format distribution. Releases after 1.36 (Autumn 2010) may withdraw this then-depricated format and from then on only the 'new' format will be distributed. For more information, please refer to the February 15th newsletter: https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt ========================================================================= 3. New version of fetch-crl 2.8.5 ========================================================================= The fetch-crl utility has seen some major improvement over the last year, and the new 2.8 series is now fully compliant with common GNU/Linux packaging conventions as used by for example Feroda, Debian and RedHat Enterprise Linux. We would like to thank Steve Traylen (CERN) and Mattias Ellert (Uppsala University) for their efforts in incorporating fetch-crl in these distributions. Some key changes in 2.8: * Configuration file has moved from /etc/sysconfig to /etc/fetch-crl.conf * New init scripts and a cron job entry have been added to allow management of fetch-crl via the chkconfig mechanism, and a chkconfig compliant init script is included (it is not enabled by default, though) as well as these improvements: * installed CRL file are re-checked for validity to catch file system errors and local disk corruption. When possible, it will try to restore a backup copy. Such failures are not subject to aging tolerance. * Improved support for multiple CRL URLs by downloading until a success is achieved, instead of downloading all of them * a "random wait" period can be added to prevent network load spikes. This is recommended in case the job is run from cron. * better compliance with SELinux, where the file context of CRL files is now preserved Remember that the aging tolerance flag, introduced in 2.6, includes a 24 hour grace period to allow for network interruptions. This reflects the suggested grace period of the IGTF. You can explicitly set the aging tolerance for network interruptions using the "-a" command-line argument, or the configuration file setting You can download the latest version of fetch-crl from: https://dist.eugridpma.info/distribution/util/fetch-crl/ from your local IGTF mirrors, and of course from Fedora, EPEL and Debian. FetchCRL3 --------- A complete re-write of fetch-crl (Fetch-crl3) is currently in beta- testing and will add more features as well as scalability and redundancy options. It will also be the first version to support OpenSSL1 and the Mozilla NSS systems. Users interested in participating the beta programme are invited to contact the EUGridPMA at <info(a)eugridpma.org> ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information. -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.34 (fixes to 1.33)
by David Groep 18 Feb '10

18 Feb '10

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.34 available 2. Distribution format changes in the wake of OpenSSL version 1 (repeated annoucement) ========================================================================= 1. Updated IGTF distribution version 1.34 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.34, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (traditional format) https://dist.eugridpma.info/distribution/igtf/1.34-new/ (new format) Changes from 1.32 to 1.33 ------------------------- (18 February 2010) * Corrected malformed EACL syntax in signing_policy for CESNET-Root-CA (CZ) Since this is a quick-fix for the 1.33 distribution, you are reminded of these changes in 1.33 in case one migrates from a previous version 1.33: * Added accredited MICS TCS eScience Personal CA and hierarchy (EU) * Updated AustrianGrid root cert with extended life time (AT) * Updated PolishGrid CA with new contact and extended root CA life time (PL) * Removed expired CNRS-Grid-FR CA (has been superseded by CNRS2-Grid-FR) (FR) * Removed obsolete CNRS, CNRS-Projets CA (superceded by CNRS2 hierarchy) (FR) * Corrected namespaces file for BEGrid2008 (BE) * Added comment line to REUNA CA signing_policy file (CL) * Added new classic CESNET hierarchy "CESNET-CA-Root" and "CESNET-CA-3" (CZ) * Updated (re-rooted) selected UNaccredited CAs in the "worthless" area If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected in April 2010. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This 1.34 distribution comes in two (2) formats. The primary format for this 1.34 release is the 'current' one, which has no changes. A 'new' format, available for your evaluation as of this release at: https://dist.eugridpma.info/distribution/igtf/1.34-new/ supports also OpenSSL v1 and is designed to be backwards compatible with the current distribution format. *** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW *** In a subsequent release (1.35 or 1.36), the 'default' distribution will change to the new format and the current format will be depricated and only available via a special URL. The default download location https://dist.eugridpma.org/distribution/igtf/current/ will then point to the new-format distribution. Releases after 1.36 (Autumn 2010) may withdraw this then-depricated format and from then on only the 'new' format will be distributed. For more information, please refer to the February 15th newsletter: https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information.

1 0

Updated IGTF distribution version 1.33 and new distribution format
by David Groep 15 Feb '10

15 Feb '10

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.33 available 2. Distribution format changes in the wake of OpenSSL version 1 - IMPORTANT NOTICE - BACKGROUND - COLLATERAL CHANGES ========================================================================= 1. Updated IGTF distribution version 1.33 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.33, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (traditional format) https://dist.eugridpma.info/distribution/igtf/1.33-new/ (new format) Changes from 1.32 to 1.33 ------------------------- (15 February 2010) * Added accredited MICS TCS eScience Personal CA and hierarchy (EU) * Updated AustrianGrid root cert with extended life time (AT) * Updated PolishGrid CA with new contact and extended root CA life time (PL) * Removed expired CNRS-Grid-FR CA (has been superseded by CNRS2-Grid-FR) (FR) * Removed obsolete CNRS, CNRS-Projets CA (superceded by CNRS2 hierarchy) (FR) * Corrected namespaces file for BEGrid2008 (BE) * Added comment line to REUNA CA signing_policy file (CL) * Added new classic CESNET hierarchy "CESNET-CA-Root" and "CESNET-CA-3" (CZ) * Updated (re-rooted) selected UNaccredited CAs in the "worthless" area If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected in April 2010. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This 1.33 distribution comes in two (2) formats. The primary format for this 1.33 release is the 'current' one, which has no changes. A 'new' format, available for your evaluation as of this release at: https://dist.eugridpma.info/distribution/igtf/1.33-new/ supports also OpenSSL v1 and is designed to be backwards compatible with the current distribution format. *** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW *** In a subsequent release (1.34 or 1.35), the 'default' distribution will change to the new format and the current format will be depricated and only available via a special URL. The default download location https://dist.eugridpma.org/distribution/igtf/current/ will then point to the new-format distribution. Releases after 1.35 (Autumn 2010) may withdraw this then-depricated format and from then on only the 'new' format will be distributed. BACKGROUND ---------- It has come to the attention of the IGTF that the developers of the OpenSSL software (www.openssl.org) are about to release a new version of their software (version 1.0) which is fundamentally incompatible with both any pre-existing versions of their own software, as well as bring incompatibility with many other software products that use a directory-based trust anchor store (such as Apache's mod_ssl, the gLite Trust Manager, gridSite or VOMS). A directory-based trust anchor store ("/etc/grid-security/certificates/") contains a set of files, each of which holds a single, PEM encoded, certificate that you trust. These files are named "XXXXXXXX.i", where the X'es are hexadecimal digits and "i" a number, usually "0". For example: /etc/grid-security/certificates/16da7552.0 /etc/grid-security/certificates/16da7552.crl_url /etc/grid-security/certificates/16da7552.info /etc/grid-security/certificates/16da7552.namespaces /etc/grid-security/certificates/16da7552.r0 /etc/grid-security/certificates/16da7552.signing_policy In this case, the "16da7552" is a hash ('digest') of the subject name of the CA in question, namely "C=NL, O=NIKHEF, CN=NIKHEF medium-security certification auth". Files with related meta-data, such as the URL where a CRL can be obtained, or the allowed name spaces in to which this CA is accredited in the IGTF, are named after the hash of the CA subject name. Although, on first glance, the trust anchor directory in an OpenSSL v1.0 installation looks the same, the mechanism to compute these hashes has changed. So, what appears to be a 'normal' trust anchor directory no longer works when OpenSSL1 is used. However, all other current software (Apache mod_ssl, the gLite Trust Manager, etc.) will continue to work without problems. Not having the 'new' hashes installed will not lead to security risks, but it will prevent successful authentication and thus lead to unavailability. The IGTF regrets this unwarranted change made by the OpenSSL developers, but cannot shield its relying parties and end-users from this change. Since the IGTF distributes the trust anchors of accredited authorities also in a way that used to work with OpenSSL, we feel that it is in the community's interest to keep supporting OpenSSL also for version 1, whilst ensuring that other softwares continue to work as before. Since we anticipate that relying parties will at some point install OpenSSL version 1, and will do so whilst at the same time running other software on the same system or using the same trust anchor directory (e.g. over a distributed or shared file system), we have designed a new distribution format that will support both the conventional hash method as well as the new OpenSSL1 mode. The new format is based on the following structure: - In the installation bundles, tar-balls and RPMs, all CAs and files are named after their alias from the info file - Symbolic links are used to generate the structure for BOTH the current hash mode (OpenSSL 0.x and all other software) AS WELL AS for OpenSSL 1.0 This means that it will no longer install on FAT32 file systems, or on any file system that does not support symbolic links - Since the "fetch-crl" utility, distributed by the IGTF to facilitate periodic downloads of CRLs for each CA, will use the file name of the crl_url file, and the local version of OpenSSL to generate the hash itself, it can handle symbolic names for the crl-url file. The name of the CRL downloaded will be derived from the version of OpenSSL used. To generate CRLs for both hashes, run this utility twice, but using a different version of OpenSSL; or make symbolic links for the 'other' hash 'XXXXXXXX.r0' file. You can select the version of OpenSSL used by the fetch-crl utility by setting the "FETCH_CRL_OPENSSL" variable in the environment or in the fetch-crl configuration file (/etc/fetch-crl.conf or /etc/sysconfig/fetch-crl) - The installation bundle (used for "./configure && make && make install") will create both symlinks in its installation directory (specified with --prefix=) - The pre-installed bundles for each of the accreditation classes have both hashes installed, using symbolic links. These pre-installation bundles can thus be used only on file systems that support symbolic links, or where the un-packing utility transparently translated symbolic links to hard copies When deployed, a new-format IGTF trust anchor distribution will look like: .../16da7552.0 -> NIKHEF.pem .../16da7552.info -> NIKHEF.info .../16da7552.namespaces -> NIKHEF.namespaces .../16da7552.signing_policy -> NIKHEF.signing_policy .../dfb080e4.0 -> NIKHEF.pem .../dfb080e4.info -> NIKHEF.info .../dfb080e4.namespaces -> NIKHEF.namespaces .../dfb080e4.signing_policy -> NIKHEF.signing_policy .../NIKHEF.crl_url .../NIKHEF.info .../NIKHEF.namespaces .../NIKHEF.pem .../NIKHEF.signing_policy Please note that - some software may now import the same CA /twice/, potentially doubling memory usage. Although this is not expected to cause problems, you are invited to verify that this new format accommodates your requirements. - the crl_url file is not duplicated, since fetch-crl will find this file based on its extension (not name), and the CRL file is written with the hash computed with the OpenSSL version used by fetch-crl at run time. COLLATERAL CHANGES ------------------ At the same time, the IGTF for the 'new' distribution will update its build architecture and incorporate the following changes: - the RPMs built by the IGTF, although based on the same SPEC files, will be constructed using RPM version 4.4.2.3 (this version is shipped, for example, with CentOS 5, RedHat Enterprise Linux 5 and like systems) - the Java Key Stores are built now with Java 6 (jdk-1.6.0), and from now on will also contain certificates with key lengths larger than 2048 bits ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information.

1 0

Updated IGTF distribution version 1.32
by David Groep 26 Oct '09

26 Oct '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.32 available ========================================================================= 1. Updated IGTF distribution version 1.32 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.32, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.30 to 1.32 - ------------------------- (26 October 2009) * Updated country TLD in URLs and email for AEGIS CA (RS) * Updated contact information for CALC CA (LV) * Extended life time and updated profile or TR-Grid CA cert and CRL URL (TR) * Updated and added references to CP and CPS documents for the following authorities: HellasGrid (GR), ROSA (RO), DutchGrid (NL), IRAN-GRID (IR), and BYGCA (BY) * Withdrawn obsolete CAs SWITCH-Personal-2007, SwissSign-Root, SWITCH, SwissSign-Bronze, SwissSign-Silver, SWITCH-Server-2007 (CH) * Withdrawn expired and discontinued CA RMKI (HU) * Added persistently-named links to pre-installed accredited bundles * Added selected UNaccredited CAs to the "worthless" area If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release - ------------ The next release of the distribution is expected in January 2009. ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file containes important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at <info(a)eugridpma.org> or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information. - -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL ** -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) iD8DBQFK5gYgcnpzXG8phBgRAlNyAKDa7jeowlLgNi06xa3H3xkN8yoqsACgm3C+ 5GfIhbAS8j4qcp2EirrvmRk= =CR1v -----END PGP SIGNATURE-----

1 0

Updated IGTF distribution version 1.30
by David Groep 02 Jun '09

02 Jun '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.30 available ========================================================================= 1. Updated IGTF distribution version 1.30 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.30, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.29 to 1.30 ------------------------- (2 June 2009) * Updated contact meta-data for BYGCA, hash 709bed08 (BY) * Updated URLs for DFN Grid PKI public web pages (DE) * Added accredited NCSA GridShib SLCS CA (US) * Added accredited DFN SLCS CA (DE) * Added accredited TACC MICS CA (US) * Added accredited SWITCH (QuoVadis anchored) CAs (CH) * Added accredited FNAL-SLCS CA (US) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Next Release ------------ The next release of the distribution is expected on June 2nd, 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F308418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.29
by David Groep 05 May '09

05 May '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.29 available ========================================================================= 1. Updated IGTF distribution version 1.29 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.29, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.28 to 1.29 ------------------------- (4 May 2009) * Restored NGO-Netrust CA (SG) * Updated AIST Grid (CRL) URL metadata (JP) * Added accredited MD-Grid CA with hash 9ff26ea4 (MD) * Added accredited HKU Grid CA with hash 4798da47 (HK) * Updated signing policy file of APAC Grid CA (AU) * Added accredited classic BYGCA (Belarus) with hash 709bed08 (BY) * Updated namespace for the APAC CA (AU, NZ) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected on June 2nd, 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Updated IGTF distribution version 1.28
by David Groep 10 Mar '09

10 Mar '09

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.28 available ========================================================================= 1. Updated IGTF distribution version 1.28 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.28, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ Changes from 1.27 to 1.28 ------------------------- (9 March 2009) * Added accredited classic ULAGrid CA (VE) * Added accredited TACC Root and TACC Classic CAs (US) * Updated NERSC CRL URL download location (US) * Updated DOEGrids CRL URL download location (US) * Extended life time of NorduGrid CA (1f0e8352) (DK,SE,NO,FI,IS) * Added SigmaNet CALG CA (LV) * Updated AEGIS CA root certificate to reflect TLD name change (RS) * Added CRL for SWITCH-SLCS issuing CA (304cf809) (CH) Other updates to miscellaneous CAs: * Worthless CA for EGEE "GILDA" testbed added to 'worthless' section (EU) If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/current Distribution format changes --------------------------- Note that the location of the igtf-policy-installation-bundle tar-ball has changed in release 1.26. It is now in the root of the distribution area, as it contains also all worthless and experimental CAs. The per-profile meta-data files (ca_policy_igtf-*.info) as well as the top-level meta-data file (ca_policy_igtf.info) now also contain a list of obsoleted CAs. Previously, this information was only embedded in the RPM distribution. The "obsoletes" attribute contains a comma-separated list of aliases for all CAs that have been (temporarily) withdrawn for any reason. Next Release ------------ The next release of the distribution is expected in April 2009. ========================================================================= STANDARD CLAUSES AND REPEATED NOTICES ========================================================================= Subscribing to the EUGridPMA Newsletter --------------------------------------- This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ What is contained in the IGTF Trust Anchor Distribution ------------------------------------------------------- *** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** All individual CAs packages, as well as the bundles, have the same (common) version number and release. Distribution formats -------------------- * the distribution containes RPMs and tar-balls of each accredited authority, as well as meta-RPMs that depends on the RPMs of those accredited. * the tar "bundle" can be used to install the authorities in a local trust anchor directory using the "./configure && make install" process: igtf-policy-installation-bundle-<VERSION>.tar.gz * the accredited directory contains tar-balls for all "classic", "mics", and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-<VERSION>.tar.gz igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz igtf-preinstalled-bundle-mics-<VERSION>.tar.gz * those CAs whose key-length is less than or equal to 2048 bits are also available in a Java KeyStore (JKS), whose password is "" (empty string). These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/" sub-directory (also for -slcs and -mics). APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://dist.eugridpma.info/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. For details, see https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. Suggestions ----------- If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. Note that there is be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

← Newer
1
...
9
10
11
12
13
14
15
16
17
Older →

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

eugridpma-announce