Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.34 available
2. Distribution format changes in the wake of OpenSSL version 1
(repeated announcement)
=========================================================================
1. Updated IGTF distribution version 1.34 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.34, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
(traditional format)
https://dist.eugridpma.info/distribution/igtf/1.34-new/
(new format)
Changes from 1.32 to 1.33
-------------------------
(18 February 2010)
* Corrected malformed EACL syntax in signing_policy for CESNET-Root-CA (CZ)
Since this is a quick-fix for the 1.33 distribution, you are reminded
of these changes in 1.33 in case one migrates from a version previous to 1.33:
* Added accredited MICS TCS eScience Personal CA and hierarchy (EU)
* Updated AustrianGrid root cert with extended life time (AT)
* Updated PolishGrid CA with new contact and extended root CA life time (PL)
* Removed expired CNRS-Grid-FR CA (has been superseded by CNRS2-Grid-FR) (FR)
* Removed obsolete CNRS, CNRS-Projets CA (superseded by CNRS2 hierarchy) (FR)
* Corrected namespaces file for BEGrid2008 (BE)
* Added comment line to REUNA CA signing_policy file (CL)
* Added new classic CESNET hierarchy "CESNET-CA-Root" and "CESNET-CA-3" (CZ)
* Updated (re-rooted) selected UNaccredited CAs in the "worthless" area
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the distribution is expected in April 2010.
=========================================================================
2. Distribution format changes in the wake of OpenSSL version 1
=========================================================================
IMPORTANT NOTICE
----------------
This 1.34 distribution comes in two (2) formats. The primary format
for this 1.34 release is the 'current' one, which has no changes. A
'new' format, available for your evaluation as of this release at:
https://dist.eugridpma.info/distribution/igtf/1.34-new/
supports also OpenSSL v1 and is designed to be backwards compatible
with the current distribution format.
*** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW ***
In a subsequent release (1.35 or 1.36), the 'default' distribution
will change to the new format and the current format will be deprecated
and only available via a special URL. The default download location
https://dist.eugridpma.org/distribution/igtf/current/
will then point to the new-format distribution.
Releases after 1.36 (Autumn 2010) may withdraw this then-deprecated
format and from then on only the 'new' format will be distributed.
For more information, please refer to the February 15th newsletter:
https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt
=========================================================================
REPEATED NOTICES
=========================================================================
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe,
refer to the EUGridPMA web site at https://www.eugridpma.org/
+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it   |
| contains, please read the information at                              |
| https://dist.eugridpma.info/distribution/igtf/README.txt              |
|                                                                       |
| This file contains important information for new users and should be  |
| read before installing this Distribution.                             |
+-----------------------------------------------------------------------+
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the EUGridPMA PMA at
<info(a)eugridpma.org> or your Regional Policy Management Authority. See
the IGTF web site (www.igtf.net) for further information.
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.33 available
2. Distribution format changes in the wake of OpenSSL version 1
- IMPORTANT NOTICE
- BACKGROUND
- COLLATERAL CHANGES
=========================================================================
1. Updated IGTF distribution version 1.33 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.33, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
(traditional format)
https://dist.eugridpma.info/distribution/igtf/1.33-new/
(new format)
Changes from 1.32 to 1.33
-------------------------
(15 February 2010)
* Added accredited MICS TCS eScience Personal CA and hierarchy (EU)
* Updated AustrianGrid root cert with extended life time (AT)
* Updated PolishGrid CA with new contact and extended root CA life time (PL)
* Removed expired CNRS-Grid-FR CA (has been superseded by CNRS2-Grid-FR) (FR)
* Removed obsolete CNRS, CNRS-Projets CA (superseded by CNRS2 hierarchy) (FR)
* Corrected namespaces file for BEGrid2008 (BE)
* Added comment line to REUNA CA signing_policy file (CL)
* Added new classic CESNET hierarchy "CESNET-CA-Root" and "CESNET-CA-3" (CZ)
* Updated (re-rooted) selected UNaccredited CAs in the "worthless" area
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the distribution is expected in April 2010.
=========================================================================
2. Distribution format changes in the wake of OpenSSL version 1
=========================================================================
IMPORTANT NOTICE
----------------
This 1.33 distribution comes in two (2) formats. The primary format
for this 1.33 release is the 'current' one, which has no changes. A
'new' format, available for your evaluation as of this release at:
https://dist.eugridpma.info/distribution/igtf/1.33-new/
supports also OpenSSL v1 and is designed to be backwards compatible
with the current distribution format.
*** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW ***
In a subsequent release (1.34 or 1.35), the 'default' distribution
will change to the new format and the current format will be deprecated
and only available via a special URL. The default download location
https://dist.eugridpma.org/distribution/igtf/current/
will then point to the new-format distribution.
Releases after 1.35 (Autumn 2010) may withdraw this then-deprecated
format and from then on only the 'new' format will be distributed.
BACKGROUND
----------
It has come to the attention of the IGTF that the developers of the
OpenSSL software (www.openssl.org) are about to release a new version
of their software (version 1.0) which is fundamentally incompatible
with both any pre-existing versions of their own software, as well as
bring incompatibility with many other software products that use a
directory-based trust anchor store (such as Apache's mod_ssl, the
gLite Trust Manager, gridSite or VOMS).
A directory-based trust anchor store ("/etc/grid-security/certificates/")
contains a set of files, each of which holds a single, PEM encoded,
certificate that you trust. These files are named "XXXXXXXX.i", where
the X'es are hexadecimal digits and "i" a number, usually "0". For
example:
/etc/grid-security/certificates/16da7552.0
/etc/grid-security/certificates/16da7552.crl_url
/etc/grid-security/certificates/16da7552.info
/etc/grid-security/certificates/16da7552.namespaces
/etc/grid-security/certificates/16da7552.r0
/etc/grid-security/certificates/16da7552.signing_policy
In this case, the "16da7552" is a hash ('digest') of the subject name
of the CA in question, namely "C=NL, O=NIKHEF, CN=NIKHEF medium-security
certification auth". Files with related meta-data, such as the URL where
a CRL can be obtained, or the allowed name spaces into which this CA is
accredited in the IGTF, are named after the hash of the CA subject name.
Although, at first glance, the trust anchor directory in an OpenSSL v1.0
installation looks the same, the mechanism to compute these hashes
has changed. So, what appears to be a 'normal' trust anchor directory
no longer works when OpenSSL1 is used. However, all other current software
(Apache mod_ssl, the gLite Trust Manager, etc.) will continue to work
without problems.
Not having the 'new' hashes installed will not lead to security risks, but
it will prevent successful authentication and thus lead to unavailability.
The IGTF regrets this unwarranted change made by the OpenSSL developers,
but cannot shield its relying parties and end-users from this change.
Since the IGTF distributes the trust anchors of accredited authorities
also in a way that used to work with OpenSSL, we feel that it is in the
community's interest to keep supporting OpenSSL also for version 1,
whilst ensuring that other software continues to work as before.
Since we anticipate that relying parties will at some point install OpenSSL
version 1, and will do so whilst at the same time running other software
on the same system or using the same trust anchor directory (e.g. over
a distributed or shared file system), we have designed a new distribution
format that will support both the conventional hash method as well as
the new OpenSSL1 mode.
The new format is based on the following structure:
- In the installation bundles, tar-balls and RPMs, all CAs and files are named
after their alias from the info file
- Symbolic links are used to generate the structure for BOTH the current
hash mode (OpenSSL 0.x and all other software) AS WELL AS for OpenSSL 1.0
This means that it will no longer install on FAT32 file systems, or on
any file system that does not support symbolic links
- Since the "fetch-crl" utility, distributed by the IGTF to facilitate periodic
downloads of CRLs for each CA, will use the file name of the crl_url file,
and the local version of OpenSSL to generate the hash itself, it can handle
symbolic names for the crl-url file.
The name of the CRL downloaded will be derived from the version of OpenSSL
used. To generate CRLs for both hashes, run this utility twice, but using
a different version of OpenSSL; or make symbolic links for the
'other' hash 'XXXXXXXX.r0' file.
You can select the version of OpenSSL used by the fetch-crl utility
by setting the "FETCH_CRL_OPENSSL" variable in the environment or in the
fetch-crl configuration file (/etc/fetch-crl.conf or /etc/sysconfig/fetch-crl)
- The installation bundle (used for "./configure && make && make install") will
create both symlinks in its installation directory (specified with --prefix=)
- The pre-installed bundles for each of the accreditation classes have
both hashes installed, using symbolic links.
These pre-installation bundles can thus be used only on file systems that
support symbolic links, or where the un-packing utility transparently
translates symbolic links to hard copies
When deployed, a new-format IGTF trust anchor distribution will look like:
.../16da7552.0 -> NIKHEF.pem
.../16da7552.info -> NIKHEF.info
.../16da7552.namespaces -> NIKHEF.namespaces
.../16da7552.signing_policy -> NIKHEF.signing_policy
.../dfb080e4.0 -> NIKHEF.pem
.../dfb080e4.info -> NIKHEF.info
.../dfb080e4.namespaces -> NIKHEF.namespaces
.../dfb080e4.signing_policy -> NIKHEF.signing_policy
.../NIKHEF.crl_url
.../NIKHEF.info
.../NIKHEF.namespaces
.../NIKHEF.pem
.../NIKHEF.signing_policy
Please note that
- some software may now import the same CA /twice/, potentially doubling memory
usage. Although this is not expected to cause problems, you are invited to
verify that this new format accommodates your requirements.
- the crl_url file is not duplicated, since fetch-crl will find this file based
on its extension (not name), and the CRL file is written with the hash
computed with the OpenSSL version used by fetch-crl at run time.
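As an added worked example (not part of this newsletter, the IGTF installation bundle or the fetch-crl utility), the following POSIX shell script builds the layout shown above from alias-named files, mirrors a CRL under the "other" hash as the note suggests, and checks that the local OpenSSL can use the directory. It assumes OpenSSL 1.0 or later (for the -subject_hash_old option), a symlink-capable file system, and files named <ALIAS>.pem, <ALIAS>.info, <ALIAS>.namespaces, <ALIAS>.signing_policy and <ALIAS>.crl_url.

```shell
#!/bin/sh
# Example script added to this newsletter archive; NOT the IGTF installation
# bundle or fetch-crl.  It creates the "new format" trust anchor layout:
# alias-named files plus hash-named symlinks for BOTH the OpenSSL 0.9.x
# (MD5-based) and the OpenSSL 1.0 (canonical SHA-1) subject hashes.
# Assumptions: POSIX sh, OpenSSL >= 1.0 (provides -subject_hash_old),
# a file system with symbolic links, files named <ALIAS>.pem/.info/...
set -e

# subject_hashes PEM: print "<new-hash> <old-hash>" for the CA cert in PEM,
# both computed by the locally installed OpenSSL.
subject_hashes() {
    printf '%s %s\n' \
        "$(openssl x509 -in "$1" -noout -subject_hash)" \
        "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# link_ca DIR ALIAS: create <hash>.N -> ALIAS.pem (N is 0 unless another CA in
# DIR already owns <hash>.0) plus <hash>.{info,namespaces,signing_policy} links,
# for both hashes.  The crl_url file is deliberately NOT linked: fetch-crl finds
# it by extension and names the CRL after the hash of the OpenSSL it runs with.
# Prints the two hashes ("new old") so callers can inspect them.
link_ca() {
    dir=$1; ca=$2
    [ -f "$dir/$ca.pem" ] || { echo "link_ca: $dir/$ca.pem missing" >&2; return 1; }
    hashes=$(subject_hashes "$dir/$ca.pem")
    for h in $hashes; do
        n=0
        # Skip suffixes already taken by a different CA with the same hash.
        while [ -e "$dir/$h.$n" ] && [ "$(readlink "$dir/$h.$n")" != "$ca.pem" ]; do
            n=$((n + 1))
        done
        ln -sf "$ca.pem" "$dir/$h.$n"
        for ext in info namespaces signing_policy; do
            if [ -f "$dir/$ca.$ext" ]; then
                ln -sf "$ca.$ext" "$dir/$h.$ext"
            fi
        done
    done
    echo "$hashes"
}

# link_crl DIR ALIAS: fetch-crl writes <hash>.r0 using the hash of its own
# OpenSSL; mirror it under the other hash so both OpenSSL generations find the
# CRL.  This is the "symbolic link for the other hash" alternative to running
# fetch-crl twice with two OpenSSL versions.
link_crl() {
    dir=$1; ca=$2
    set -- $(subject_hashes "$dir/$ca.pem")
    new=$1; old=$2
    if [ -f "$dir/$new.r0" ] && [ ! -e "$dir/$old.r0" ]; then
        ln -s "$new.r0" "$dir/$old.r0"
    elif [ -f "$dir/$old.r0" ] && [ ! -e "$dir/$new.r0" ]; then
        ln -s "$old.r0" "$dir/$new.r0"
    fi
}

# capath_ok DIR PEM: succeeds if the local OpenSSL can build a chain for PEM
# from DIR, i.e. the directory carries the hash names this OpenSSL expects.
capath_ok() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Demonstration on a throwaway self-signed CA (constructed here, not an IGTF CA).
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$tmp/ExampleCA.key" -out "$tmp/ExampleCA.pem" \
        -subj "/C=XX/O=Example Org/CN=Example Grid CA" 2>/dev/null
    echo "alias = ExampleCA" > "$tmp/ExampleCA.info"
    echo "http://crl.example.invalid/ExampleCA.der" > "$tmp/ExampleCA.crl_url"
    link_ca "$tmp" ExampleCA
    ls -l "$tmp"
    rm -rf "$tmp"
}
demo
```

Running the script prints the two hashes and the resulting directory listing, in which both hash-named link sets point at the single ExampleCA.* files, as in the NIKHEF listing above.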
COLLATERAL CHANGES
------------------
At the same time, the IGTF for the 'new' distribution will update its build
architecture and incorporate the following changes:
- the RPMs built by the IGTF, although based on the same SPEC files, will
be constructed using RPM version 4.4.2.3 (this version is shipped, for
example, with CentOS 5, RedHat Enterprise Linux 5 and like systems)
- the Java Key Stores are built now with Java 6 (jdk-1.6.0), and from
now on will also contain certificates with key lengths larger than 2048 bits
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.32 available
=========================================================================
1. Updated IGTF distribution version 1.32 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.32, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.30 to 1.32
-------------------------
(26 October 2009)
* Updated country TLD in URLs and email for AEGIS CA (RS)
* Updated contact information for CALC CA (LV)
* Extended life time and updated profile of TR-Grid CA cert and CRL URL (TR)
* Updated and added references to CP and CPS documents for the following
authorities: HellasGrid (GR), ROSA (RO), DutchGrid (NL), IRAN-GRID (IR),
and BYGCA (BY)
* Withdrawn obsolete CAs SWITCH-Personal-2007, SwissSign-Root, SWITCH,
SwissSign-Bronze, SwissSign-Silver, SWITCH-Server-2007 (CH)
* Withdrawn expired and discontinued CA RMKI (HU)
* Added persistently-named links to pre-installed accredited bundles
* Added selected UNaccredited CAs to the "worthless" area
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the distribution is expected in January 2009.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics, PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.30 available
=========================================================================
1. Updated IGTF distribution version 1.30 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.30, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.29 to 1.30
-------------------------
(2 June 2009)
* Updated contact meta-data for BYGCA, hash 709bed08 (BY)
* Updated URLs for DFN Grid PKI public web pages (DE)
* Added accredited NCSA GridShib SLCS CA (US)
* Added accredited DFN SLCS CA (DE)
* Added accredited TACC MICS CA (US)
* Added accredited SWITCH (QuoVadis anchored) CAs (CH)
* Added accredited FNAL-SLCS CA (US)
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the distribution is expected on June 2nd, 2009.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES
=========================================================================
Subscribing to the EUGridPMA Newsletter
---------------------------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe,
refer to the EUGridPMA web site at https://www.eugridpma.org/
What is contained in the IGTF Trust Anchor Distribution
-------------------------------------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number and release.
Distribution formats
--------------------
* the distribution contains RPMs and tar-balls of each accredited authority,
as well as meta-RPMs that depend on the RPMs of those accredited.
* the tar "bundle" can be used to install the authorities in a local trust
anchor directory using the "./configure && make install" process:
igtf-policy-installation-bundle-<VERSION>.tar.gz
* the accredited directory contains tar-balls for all "classic", "mics",
and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-<VERSION>.tar.gz
igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz
igtf-preinstalled-bundle-mics-<VERSION>.tar.gz
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/"
sub-directory (also for -slcs and -mics).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F308418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is to be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.29 available
=========================================================================
1. Updated IGTF distribution version 1.29 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.29, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.28 to 1.29
-------------------------
(4 May 2009)
* Restored NGO-Netrust CA (SG)
* Updated AIST Grid (CRL) URL metadata (JP)
* Added accredited MD-Grid CA with hash 9ff26ea4 (MD)
* Added accredited HKU Grid CA with hash 4798da47 (HK)
* Updated signing policy file of APAC Grid CA (AU)
* Added accredited classic BYGCA (Belarus) with hash 709bed08 (BY)
* Updated namespace for the APAC CA (AU, NZ)
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Distribution format changes
---------------------------
Note that the location of the igtf-policy-installation-bundle tar-ball
has changed in release 1.26. It is now in the root of the distribution
area, as it contains also all worthless and experimental CAs.
The per-profile meta-data files (ca_policy_igtf-*.info) as well as the
top-level meta-data file (ca_policy_igtf.info) now also contain a list
of obsoleted CAs. Previously, this information was only embedded in the
RPM distribution. The "obsoletes" attribute contains a comma-separated
list of aliases for all CAs that have been (temporarily) withdrawn
for any reason.
Next Release
------------
The next release of the distribution is expected on June 2nd, 2009.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.28 available
=========================================================================
1. Updated IGTF distribution version 1.28 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.28, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.27 to 1.28
-------------------------
(9 March 2009)
* Added accredited classic ULAGrid CA (VE)
* Added accredited TACC Root and TACC Classic CAs (US)
* Updated NERSC CRL URL download location (US)
* Updated DOEGrids CRL URL download location (US)
* Extended life time of NorduGrid CA (1f0e8352) (DK,SE,NO,FI,IS)
* Added SigmaNet CALG CA (LV)
* Updated AEGIS CA root certificate to reflect TLD name change (RS)
* Added CRL for SWITCH-SLCS issuing CA (304cf809) (CH)
Other updates to miscellaneous CAs:
* Worthless CA for EGEE "GILDA" testbed added to 'worthless' section (EU)
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Distribution format changes
---------------------------
Note that the location of the igtf-policy-installation-bundle tar-ball
has changed in release 1.26. It is now in the root of the distribution
area, as it contains also all worthless and experimental CAs.
The per-profile meta-data files (ca_policy_igtf-*.info) as well as the
top-level meta-data file (ca_policy_igtf.info) now also contain a list
of obsoleted CAs. Previously, this information was only embedded in the
RPM distribution. The "obsoletes" attribute contains a comma-separated
list of aliases for all CAs that have been (temporarily) withdrawn
for any reason.
Next Release
------------
The next release of the distribution is expected in April 2009.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES
=========================================================================
Subscribing to the EUGridPMA Newsletter
---------------------------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe,
refer to the EUGridPMA web site at https://www.eugridpma.org/
What is contained in the IGTF Trust Anchor Distribution
-------------------------------------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-<VERSION>-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number and release.
Distribution formats
--------------------
* the distribution contains RPMs and tar-balls of each accredited authority,
as well as meta-RPMs that depend on the RPMs of those accredited.
* the tar "bundle" can be used to install the authorities in a local trust
anchor directory using the "./configure && make install" process:
igtf-policy-installation-bundle-<VERSION>.tar.gz
* the accredited directory contains tar-balls for all "classic", "mics",
and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-<VERSION>.tar.gz
igtf-preinstalled-bundle-slcs-<VERSION>.tar.gz
igtf-preinstalled-bundle-mics-<VERSION>.tar.gz
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-<VERSION>.jks" in the "accredited/jks/"
sub-directory (also for -slcs and -mics).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is to be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
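As an added illustration of the "obsoletes" attribute described in the distribution format changes above (example code, not part of the EUGridPMA distribution or its tooling): a small Python check that parses key = value .info metadata and flags CAs still present in a local trust anchor directory although the distribution lists them as obsoleted. The key = value layout, the file and alias names and the throw-away directory are assumptions constructed for the example.

```python
"""Flag installed trust anchors that the distribution metadata obsoletes.

Added example, not EUGridPMA code.  Only the fact that "obsoletes" holds a
comma-separated list of CA aliases comes from the announcement; the
key = value layout, file names and aliases are constructed assumptions.
"""
import os
import tempfile


def parse_info(text):
    """Parse an .info-style file: '#' comments and 'key = value' lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # tolerate blanks, comments and stray lines
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def obsoleted_aliases(policy_info):
    """Return the set of aliases named in the 'obsoletes' attribute."""
    raw = policy_info.get("obsoletes", "")
    return {a.strip() for a in raw.split(",") if a.strip()}


def installed_aliases(trust_dir):
    """Every '<alias>.info' in the trust anchor directory counts as installed."""
    return {
        name[:-len(".info")]
        for name in os.listdir(trust_dir)
        if name.endswith(".info") and not name.startswith("ca_policy_")
    }


def withdrawn_but_installed(policy_text, trust_dir):
    """Aliases present locally although the distribution withdrew them."""
    obsoleted = obsoleted_aliases(parse_info(policy_text))
    return sorted(obsoleted & installed_aliases(trust_dir))


# Constructed top-level policy metadata; the aliases are placeholders.
SAMPLE_POLICY = """\
# constructed ca_policy_igtf.info for this example
alias = ca_policy_igtf

obsoletes = ExampleOldCA, ExampleSuspendedCA, ExampleRetiredCA
"""


def demo():
    """Build a throw-away trust anchor directory and run the check on it."""
    with tempfile.TemporaryDirectory() as trust_dir:
        for alias in ("ExampleCurrentCA", "ExampleOldCA", "ExampleSuspendedCA"):
            with open(os.path.join(trust_dir, alias + ".info"), "w") as fh:
                fh.write("alias = %s\n" % alias)
        # the policy file itself must not be mistaken for an installed CA
        with open(os.path.join(trust_dir, "ca_policy_igtf.info"), "w") as fh:
            fh.write(SAMPLE_POLICY)
        return withdrawn_but_installed(SAMPLE_POLICY, trust_dir)


if __name__ == "__main__":
    print("obsoleted CAs still installed:", demo())
```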
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.27 available
2. Fetch-crl utility version 2.7.0 released
=========================================================================
1. Updated IGTF distribution version 1.27 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.27, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.26 to 1.27
-------------------------
* Corrected signing namespace for BEGrid2008 CA (BE)
* Added NERSC SLCS CA (US)
* ASGCCA-2007 changed signature algorithm from MD5 to SHA1 (TW)
* Added new CNRS2 hierarchy: CNRS2 -> CNRS2-Projets -> CNRS2-Grid-FR (FR)
* Updated IUCC root certificate (IL)
* Obsoleted EstonianGrid CA (EE)
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the distribution is expected on Monday, 2 March 2009.
=========================================================================
2. Fetch-crl utility version 2.7.0 released
=========================================================================
The 'fetch-crl' utility is a utility to ensure that Certificate
Revocation Lists (CRLs) are periodically retrieved from the web sites
of the respective Certification Authorities, and installed on the
local system in a trust anchor directory. It is intended for use
with those (grid) systems that follow the OpenSSL method of trust
anchor distribution.
The fetch-crl utility has been updated with bug fixes and new
functionality, as described in the CHANGES file below. The most important
change is that this version will NOT REPORT transient download errors
unless they persist for more than 24 hours. Previously, this function
was enabled by the "-a" option or the CRL_AGING_THRESHOLD, but was set
to 0 (zero) by default.
The new version of fetch-crl can be obtained from the IGTF mirror sites
and at
https://dist.eugridpma.info/distribution/util/fetch-crl/
where you can retrieve version 2.7.0 as well as older versions.
Changes in version EGP 2.7.0
----------------------------
* Warnings and errors are now counted. If there are errors in the download
or verification process for one or more CRLs, the exit status will be 1;
if there are errors in the local setup or in the script invocation, the
exit status will be 2.
* The installed CRLs no longer have the textual representation of the CRL,
but only the PEM data blob, thus reducing IO and memory requirements.
* the CRL aging threshold is now set by default to 24 hours. The previous
default was 0. The CRL aging threshold is set in the config file using
CRL_AGING_THRESHOLD=<xx>, or with the "-a" command-line argument.
* Default network timeouts reduced to 10 seconds (was 30) and retries to 2
* Added caching and conditional downloading. When CACHEDIR is set, the
original downloads are preserved and wget timestamping mode enabled.
When the content did not change, only the timestamp on the installed
CRL is updated. If SLOPPYCRLHASHES is set, the hash is calculated based
on the name of the crl_url file, otherwise it is taken from the CRL itself.
- The CACHEDIR must be exclusively writable by the user running fetch-crl
- Setting CACHEDIR significantly reduced the bandwidth used by fetch-crl
* Added RESETPATHMODE setting in sysconfig. It defines whether or not to
re-set $PATH to "/bin:/usr/bin" before start. The search for OpenSSL
may be done based on the old path.
yes=always replace; searchopenssl=search for openssl first and then reset;
no=keep original path, whatever that may be (may be empty if called from cron)
Default="yes". This replaces the hard-coded path in the tool.
* Hidden "FORCE_OVERWRITE" option now has a regular name. This is backwards-
compatible. Set FORCE_OVERWRITE=yes if you want files overwritten that
have a CRL-like name and ought to have CRL content, but currently do not.
* Addresses gLite Savannah bugs 28418 and 29559. Bug 27023 is partially
addressed. Bug 20062 can be remedied with WGET_OPTS arguments.
Addresses OSG ticket 4673.
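The reporting rule from the fetch-crl 2.7.0 changes above, as an added example in Python (not fetch-crl's own code): download or verification failures stay silent until they have persisted longer than the aging threshold, reported CRL errors give exit status 1 and local setup errors exit status 2. The record layout, CA aliases and timestamps are assumptions constructed for the example.

```python
"""fetch-crl 2.7.0 reporting rule, reconstructed from the CHANGES text above.

Added example, not fetch-crl code: record layout, aliases and times are
constructed here.
"""
from collections import namedtuple

# One record per CRL handled in a run (constructed structure).
CrlResult = namedtuple("CrlResult", "alias download_ok last_success setup_error")

HOUR = 3600
DEFAULT_AGING_THRESHOLD_HOURS = 24  # 2.7.0 default for CRL_AGING_THRESHOLD / -a


def evaluate_run(results, now, threshold_hours=DEFAULT_AGING_THRESHOLD_HOURS):
    """Return (exit_status, messages) for one run over the given records."""
    messages = []
    status = 0
    for r in results:
        if r.setup_error:
            # problem with the local setup or the invocation -> exit status 2
            messages.append("ERROR setup (%s): %s" % (r.alias, r.setup_error))
            status = 2
            continue
        if r.download_ok:
            continue
        # download or verification failed: how long since the last good CRL?
        age_hours = (now - r.last_success) / HOUR
        if age_hours > threshold_hours:
            messages.append("ERROR %s: no valid CRL for %.0f h" % (r.alias, age_hours))
            status = max(status, 1)
        # within the threshold the failure counts as transient and is not reported
    return status, messages


NOW = 1_000_000 * HOUR  # constructed "current time" in epoch seconds

SAMPLE_RESULTS = [  # constructed outcomes of one run
    CrlResult("ExampleCA-A", True, NOW, None),
    CrlResult("ExampleCA-B", False, NOW - 2 * HOUR, None),   # transient failure
    CrlResult("ExampleCA-C", False, NOW - 30 * HOUR, None),  # persistent failure
]
SETUP_FAILURE = [CrlResult("ExampleCA-D", False, NOW, "CACHEDIR not writable")]


def demo():
    """Compare the 2.7.0 default (24 h) with the previous default of 0 h."""
    new_default = evaluate_run(SAMPLE_RESULTS, NOW)
    old_default = evaluate_run(SAMPLE_RESULTS, NOW, threshold_hours=0)
    with_setup_error = evaluate_run(SAMPLE_RESULTS + SETUP_FAILURE, NOW)
    return new_default, old_default, with_setup_error


if __name__ == "__main__":
    for label, (status, msgs) in zip(("24h", "0h", "setup"), demo()):
        print(label, "exit status", status, msgs)
```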
Dear IGTF relying parties,
The OpenSSL Security Team released an advisory [1] on January 7th,
regarding incorrect checks for malformed signatures when DSA or
ECDSA keys are used. The IGTF Risk Assessment Team (RAT) [2]
would like to inform you that NONE of the IGTF-accredited
certification authorities use such keys to sign any certificate.
This means this vulnerability does not constitute any risk to
relying parties when they authenticate a server presenting a
certificate issued by an IGTF-accredited CA.
None of the CAs accredited by the IGTF issue, or have issued in the
past, certificates using signature algorithms other than RSA.
On behalf of the IGTF/IGTF RAT
Sincerely,
Jim Basney
David Groep
Vinod Rebello
Willy Weisz
[1] http://www.openssl.org/news/secadv_20090107.txt
[2] http://tagpma.es.net/wiki/bin/view/IGTF-RAT
Dear Users and Relying Parties of the IGTF and EUGridPMA
Following the severance of three (out of four) undersea cables in the
Mediterranean basin on December 19th, 2008, around 7.30 CET,
your ability to retrieve Certificate Revocation Lists (CRLs) for
some of the IGTF accredited authorities may be limited or absent.
France Telecom, the company responsible for the maintenance of the
cables (Sea Me We3, Sea Me We4, FLAG) is working to repair these
cables and restore connectivity as soon as possible, but it
may take up to December 31st to fully recover. Please see their
press release at:
http://www.francetelecom.com/en_EN/press/press_releases/cp081219en.html
This affects CAs located in the Middle East (in particular PK-Grid (PK)
with hash f5ead794 and IRAN-Grid (IR) with hash ce33db76), as well as MaGrid.
Although not apparent from the press release, academic connectivity to
Morocco (by MARWAN) is provided through the EUMedConnect hub in
Palermo, Sicily, and also suffers from this outage.
Connectivity to PK and IR is intermittent, whereas connectivity to MA
has been completely lost since Dec 19th, 0730 CET. At this moment, we have
no better estimates than those made public by France Telecom as to when
service will be restored.
We apologize for this inconvenience.
Best Regards,
David Groep.
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.26 available
=========================================================================
1. Updated IGTF distribution version 1.26 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.26, release 1, and it is now available for
download from the Repository (and mirrors) at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.25 to 1.26
-------------------------
(14 December 2008)
* Added accredited classic Indian Grid CA (IGCA) (hash da75f6a8) (IN)
* Updated IUCC root certificate with extended life time (IL)
* Updated BEGrid (web, CRL) and UCSD-PRAGMA (web) URL metadata (BE, AP)
* New BEGrid2008 root certificate (transitional) (BE)
* Extended life time of the SEE-GRID CA (SEE)
* Included CRL for NCSA SLCS CA (US)
* Temporarily suspended NGO-Netrust CA (SG)
* Withdrawn expired old PK-Grid CA (d2a353a5, superseded by f5ead794) (PK)
* Experimentally added Texas Advanced Computer Center TACC Root,
Classic, and MICS CAs to the experimental area (US)
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Note that the location of the igtf-policy-installation-bundle tar-ball
has changed. It is now in the root of the distribution area, as it
contains not only the accredited but also worthless and experimental CAs.
Next Release
------------
The next release of the CA distribution is to be expected at the
beginning of February 2009.