Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Impact of the Debian OpenSSL vulnerability on the IGTF
=========================================================================
1. Impact of the Debian OpenSSL vulnerability on the IGTF
=========================================================================
A serious Debian (and derivatives, including Ubuntu) OpenSSL
vulnerability (CVE-2008-0166) was announced on May 13th, related to a
predictable random number generator in Debian's OpenSSL package:
http://www.debian.org/security/2008/dsa-1571
This can also affect public key certificates used within the IGTF
and the Grid in general, if certificate requests have been generated on
a vulnerable system. It can impact both the CA itself (if its own
key pair was generated on such a system), as well as all subscribers
(users, hosts and services).
The IGTF Accredited Authorities, with support from security officers
from several grid sites and our Relying Party members, have investigated
the impact of CVE-2008-0166 on the entire IGTF trust fabric.
- one CA certificate was based on weak material. This certificate
was immediately replaced and an updated IGTF Distribution (1.21)
was released on May 16th.
More details are in the May 16th newsletter at
https://www.eugridpma.org/newsletter/eugridpma-newsletter-20080516.txt
If you have not yet installed the 1.21 release, please do so
as soon as reasonably possible. If you have the old UK e-Science
root certificate installed in your browser, you should update this
one as well.
- all Accredited CAs have reviewed the currently valid certificates
for all subscribers since May 13th. Certificates based on weak key
material have all been revoked by now.
To ensure your trust infrastructure is safe, please make sure you
have downloaded the latest CRLs, and keep these up-to-date
at least once a day. Utilities for Unix based systems are available
on the IGTF web site (https://dist.eugridpma.info/distribution/util/)
Modern browsers can automatically download new CRLs periodically.
If you have CRLs installed in your browser, make sure these are
also up-to-date.
At this point in time, there is no reason to disable any specific
CAs from the IGTF Trust Anchor distribution in relation to this
vulnerability.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES
=========================================================================
Subscribing to the EUGridPMA Newsletter
---------------------------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe,
refer to the EUGridPMA web site at https://www.eugridpma.org/
Next Release
------------
The next release of the CA RPMs is to be expected in June 2008.
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Important IGTF distribution version 1.21 available with
updated trust anchor
=========================================================================
1. Important IGTF distribution version 1.21 available
=========================================================================
The UKeScience Root Certificate ("2007") is involved with CVE-2008-0166
and may have been based on weak key material generated on an (off-line)
Debian system with a predictable random number generator.
It is important that this root certificate be REPLACED with an updated
version based on newly generated key material.
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the updated
key material and Authorities by all IGTF Members. This is version 1.21,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
and will soon be available on all mirrors.
Changes from 1.20 to 1.21
-------------------------
(16 May 2008)
* IMPORTANT update of the UKeScience Root and Issuing CAs (UK)
Note that the subject names and file names of the new certificates
are *the same* as the original ones, only the key material has changed!
The issue affects the root certificate only. As in a standard
IGTF trust anchor installation, the subordinate issuing CA is also
installed in the repository and this certificate is taken preferentially
over any user-supplied version, the impact of this issue is somewhat
limited. For software that honours the "signing_policy" or "namespaces"
relying-party defined name space constraints setting, no end-entity
certificates can easily be impersonated.
However, we strongly advise to update as soon as possible!
For technical reasons, both the root and issuing CA certificate need
to be replaced, although only the root certificate is affected by the
vulnerability. Good fingerprints of the updated certificates are:
$ openssl x509 -subject -fingerprint -sha1 -noout -in 98ef0ee5.0
subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
SHA1 = A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E
$ openssl x509 -subject -fingerprint -sha1 -noout -in 367b75c3.0
subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
SHA1 = CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7
whereas the weak certificates are:
subject= /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root
SHA1 = B1:77:5E:BB:11:13:B4:B5:0E:40:57:F1:E0:6A:BE:B9:4E:44:B7:45
subject= /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA
SHA1 = 31:C1:93:3D:E8:9C:C4:B7:8A:02:B5:2D:56:D5:6B:43:56:0B:9F:CA
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in July 2008.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES
=========================================================================
Subscribing to the EUGridPMA Newsletter
---------------------------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe,
refer to the EUGridPMA web site at https://www.eugridpma.org/
What is contained in the IGTF Trust Anchor Distribution
-------------------------------------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.20-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.20" and release "1".
Distribution formats
--------------------
* the distribution contains RPMs and tar-balls of each accredited authority,
as well as meta-RPMs that depend on the RPMs of those accredited.
* the tar "bundle" can be used to install the authorities in a local trust
anchor directory using the "./configure && make install" process:
igtf-policy-installation-bundle-1.20.tar.gz
* the accredited directory contains tar-balls for all "classic", "mics",
and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.20.tar.gz
igtf-preinstalled-bundle-slcs-1.20.tar.gz
igtf-preinstalled-bundle-mics-1.20.tar.gz
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.18.jks" in the "accredited/jks/"
sub-directory (also for -slcs and -mics).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).
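Added example (not part of the newsletter and not EUGridPMA code): the 1.21 announcement above notes that the replacement UK e-Science certificates keep the same subject names and file names, so only the fingerprint tells a weak anchor from a good one. The script below classifies the two anchor files by the SHA-1 fingerprints quoted in that announcement; the function names and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the UK e-Science trust anchors by SHA-1 fingerprint.
# Usage (directory path is whatever your trust anchor directory is):
#   sh this-script.sh /path/to/trust-anchor-directory
# Exit status is 1 if a known-weak anchor is still installed.

# Fingerprints copied from the 1.21 announcement (weak = pre-1.21 certificates).
WEAK_FPS="B1:77:5E:BB:11:13:B4:B5:0E:40:57:F1:E0:6A:BE:B9:4E:44:B7:45
31:C1:93:3D:E8:9C:C4:B7:8A:02:B5:2D:56:D5:6B:43:56:0B:9F:CA"
GOOD_FPS="A1:39:B0:F3:04:6C:0B:F9:F5:0A:1B:33:00:06:4F:83:6B:7D:4F:3E
CA:1C:B6:6C:A9:E3:27:4D:F7:3E:A9:EB:6A:33:3F:C1:A2:B1:B8:D7"

# normalize_fp LINE
# Accepts "SHA1 Fingerprint=AA:BB:..", "SHA1 = AA:BB:.." or a bare fingerprint
# and prints it as upper-case colon-separated hex without whitespace.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' | tr -d ' \t\r' | tr 'abcdef' 'ABCDEF'
}

# classify_fp LINE
# Prints one of: weak, good, unknown, invalid.
classify_fp() {
    fp=$(normalize_fp "$1")
    # A SHA-1 fingerprint is exactly 20 hex octets.
    if ! printf '%s\n' "$fp" | grep -Eq '^([0-9A-F]{2}:){19}[0-9A-F]{2}$'; then
        echo invalid
        return 0
    fi
    if printf '%s\n' "$WEAK_FPS" | grep -Fxq "$fp"; then
        echo weak
    elif printf '%s\n' "$GOOD_FPS" | grep -Fxq "$fp"; then
        echo good
    else
        echo unknown
    fi
}

# check_anchor FILE
# Runs the same openssl command shown in the announcement and classifies it.
check_anchor() {
    if line=$(openssl x509 -fingerprint -sha1 -noout -in "$1" 2>/dev/null); then
        classify_fp "$line"
    else
        echo unreadable
    fi
}

# scan_dir DIR
# Checks the two hash-named files from the announcement; the names are
# unchanged between the weak and the replaced certificates.
scan_dir() {
    dir=$1
    rc=0
    for name in 98ef0ee5.0 367b75c3.0; do
        if [ -f "$dir/$name" ]; then
            status=$(check_anchor "$dir/$name")
        else
            status=absent
        fi
        echo "$name: $status"
        if [ "$status" = weak ]; then
            rc=1
        fi
    done
    return $rc
}

# Only scan when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```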
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.20 available with
new and updated trust anchors
We hope that you find this update useful and welcome any comments. Also,
feel free to redistribute this information widely as you see appropriate.
For more information about this newsletter and how to subscribe,
refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.20 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.20,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.19 to 1.20
-------------------------
(17 March 2008)
* Added accredited classic MARGI CA (MK)
* Withdrawn expired SWITCH-Server-2006 and SWITCH-Personal-2006 CAs (CH)
* Corrected namespace syntax for SWITCHaai CA (CH)
* Updated namespace definitions in DFN GridGermany hierarchy (DE)
* Added dependency of TERENA-SCS on GTE-CyberTrust-Global-Root. Note that
neither the TERENA-SCS nor the GTE-CyberTrust-Global-Root are accredited.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in May 2008.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.20-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.20" and release "1".
Distribution formats
--------------------
* the distribution contains RPMs and tar-balls of each accredited authority,
as well as meta-RPMs that depend on the RPMs of those accredited.
* the tar "bundle" can be used to install the authorities in a local trust
anchor directory using the "./configure && make install" process:
igtf-policy-installation-bundle-1.20.tar.gz
* the accredited directory contains tar-balls for all "classic", "mics",
and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.20.tar.gz
igtf-preinstalled-bundle-slcs-1.20.tar.gz
igtf-preinstalled-bundle-mics-1.20.tar.gz
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.18.jks" in the "accredited/jks/"
sub-directory (also for -slcs and -mics).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.19 available with
new and updated trust anchors
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.19 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.16,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.18 to 1.19
-------------------------
(31 January 2008)
* Added PK-Grid-2007 Root CA certificate (will supersede d2a353a5) (PK)
* New contact email address for all PK-Grid CAs (PK)
* Updated and extended lifetime of ArmeSFo root cert with same keypair (AM)
* New CA certificate download locations for SwissSign CAs (CH)
* New classic CA UGRID (hash 0a12b607) for the Ukraine (UA)
* New classic CA UNAM-grid (hash 24c3ccde) for Mexico (MX)
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in March 2008.
=====================================================================
Please remember new location of distribution "dist.eugridpma.info"
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=====================================================================
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.19-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.19" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.19.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic", "mics", and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.19.tar.gz
igtf-preinstalled-bundle-slcs-1.19.tar.gz
igtf-preinstalled-bundle-mics-1.19.tar.gz
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.18.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New important IGTF distribution version 1.18 available
2. Update on the UK e-Science CA
3. JKS keystore format change delayed
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.18 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.16,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.17 to 1.18
-------------------------
* ASGCCCA-2007 added to Accredited Classic set again (TW)
* Withdrawn expired CA "Spain" (hash 13eab55e) (ES)
* Withdrawn expired CA "SiGNET" (hash 747183a5) (SI)
* Withdrawn discontinued CA "CERN" (hash fa3af1d7) (INT)
* Updated SWITCH (classic) signing namespace policies (CH)
* Added UNLPGrid CA (classic, hash b7bcb7b2) (AR)
* Added MaGrid CA (classic, hash 7b54708e) (MA)
* New contact email address for the SlovakGrid CA (SK)
* New UK e-Science CA hierarchy "-2007" added (98ef0ee5 and 367b75c3)
Note: during the transition period, two hierarchies (both old and "2007")
will be distributed. See section 2 in this newsletter for details (UK)
* (selected updates to repositories containing un-accredited CAs)
You are kindly requested to upgrade to this release in a timely fashion,
as the UK eScience hierarchy change goes into effect immediately.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in January 2008.
=====================================================================
Please remember new location of distribution "dist.eugridpma.info"
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=====================================================================
=========================================================================
2. Update on the UK e-Science CA
=========================================================================
During a routine audit of the UK e-Science PKI it was found that an
encrypted backup of the Root CA's private key was missing from the
secured environment, despite being locked in a safe when not in use.
It is important to emphasise that the security of the UK e-Science CA
- the accredited subordinate - was not affected; it has an entirely
different security infrastructure.
This could have happened for a number of reasons, not necessarily
maliciously. Investigations were not conclusive. However, even if
the key had been leaked from the secured environment, it was encrypted
with an extremely strong passphrase and will not be immediately
exploitable.
Since we take security very seriously, we believe the best way to
recover a fully trustworthy UK public key infrastructure (PKI) is to
be open about the possibility, however remote, of the key being
compromised.
Having done extensive testing, we have decided to rekey the PKI. So
this release will contain new CA certificates, which will sign all new
and rekeyed certificates. The current (old) PKI will have to be kept
in the distribution until all end entity certificates issued within it
have expired or otherwise moved to the new PKI.
Since the private key was encrypted with an extremely strong
passphrase, it is considered safe to keep the root certificate in the
distribution for up to another year, the natural lifetime of remaining
certificates in the PKI. Even a resourceful and malicious attacker
should not be able to break the passphrase within this timespan.
However, to speed up the process, we are considering and investigating
renewing existing certificates under the new PKI (but still as normal
certificates with a 13 months lifetime) - although this is poorly
supported by most client tools. It is of course technically possible
to force users to rekey, but this is highly inconvenient with a
userbase of this size, and is not considered necessary at this time.
In either case, since we are limited to 13 months lifetime, and do not
plan to issue shorter lifetime certificates at this time, renewals or
rekeying would have to be distributed over several months to prevent
concentration of all subsequent renewals within a short space of time.
There will be an associated update to the CP/CPS of the CAs to cover
the new PKI. In accordance with the policy, it is considered a
security update so they will take effect immediately. Other issues
planned for new CP/CPS releases will be postponed to allow time for
the usual consultation.
Jens Jensen, UK e-Science CA Manager
IGTF Notice:
This issue has been communicated to the IGTF previously and assessed
to pose an extremely low risk. The reaction of the UK e-Science CA and
the response has been coordinated. We thank our Relying Parties for
their understanding. Detailed questions, if any, should be sent to
the UK e-Science CA.
=========================================================================
3. JKS keystore format change delayed
=========================================================================
After the announcement of the planned JKS format change, worry
was expressed as to the compatibility with software that is still
being deployed. The change to a new JKS format with larger key
sizes has therefore been put on a temporary hold.
This also allows relying parties to apply this important update
release without the need to simultaneously change the software.
The Java KeyStores distributed by the EUGridPMA have so far been
compatible with Java release 1.4 and earlier. Unfortunately, this implied
that keys with a size larger than 2048 bits could not be included.
The format of the keystore will change so as to be able to include the
larger CA keys that are now becoming prevalent in the Distribution. This
means that for the larger key sizes the JKS format will no longer be
compatible with Java releases 1.4 and lower. A more recent Java
installation will be required to use the new keystore format.
The new keystore format will be introduced in a future release, and
then contain all CA keys in the IGTF Distribution.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.18-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.18" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.18.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic", "mics", and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.18.tar.gz
igtf-preinstalled-bundle-slcs-1.18.tar.gz
igtf-preinstalled-bundle-mics-1.18.tar.gz
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.18.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).
From: David Groep <info(a)eugridpma.org>
Date: Wed, 8 October 2007 12:00:00 +0200
Subject: New IGTF distribution version 1.17 available
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.17 available
2. JKS keystore format will change in release 1.18
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.17 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.17,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.16 to 1.17
-------------------------
(8 October 2007)
* Added new RomanianGRID CA classic authority (RO)
* Corrected several small typographic inconsistencies (DutchDemo,
apt/README.txt)
* Updates list of SWITCH eligible organisations (CH)
* New contact email addresses for the AustrianGrid CA (AT),
CNRS (FR) and IUCC (IL)
* BEGrid CA provides an http URL for CRL download (BE)
* Expired INFN (49f18420) CA withdrawn (IT)
* Updated ASGCCCA-2007 certificate extensions (TW)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in November 2007.
=====================================================================
Please remember new location of distribution "dist.eugridpma.info"
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
with deep-redirection provided from the old download location.
The trust anchors in the distribution directory continue to be
digitally signed with the EUGridPMA PGP key "3" (see details at the
end of this newsletter).
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=====================================================================
=========================================================================
2. JKS keystore format will change in release 1.18
=========================================================================
The Java KeyStores distributed by the EUGridPMA have so far been
compatible with Java release 1.4 and earlier. Unfortunately, this
implied that keys with a size larger than 2048 bits could not
be included.
As of release 1.18 (due November 2007), the format of the keystore
will change so as to be able to include the larger CA keys that are
now becoming prevalent in the Distribution. This means that the
JKS format will NO LONGER BE COMPATIBLE with Java releases 1.4 and
lower, nor with Java 5. A Java 6 installation will be required
to use the new keystore format.
The new keystore format will be introduced in the next release, and
then contain all CA keys in the IGTF Distribution.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.17-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CA packages, as well as the bundles, have the same
(common) version number "1.17" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.17.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.17.tar.gz
igtf-preinstalled-bundle-slcs-1.17.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than or equal to 2048 bits are also
available in a Java KeyStore (JKS), whose password is "" (empty string).
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.17.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
Note: in release 1.18 this will change to a JKS compatible with
Java version 1.6, and will from then on include also keys with a
larger size (i.e. 4096 and better)
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
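The yum stanza and RPM signing key ID announced above can be checked mechanically; the following is an added example, not part of the original newsletter or the EUGridPMA tooling. The function names, the weak configuration and the `rpm -Kv`-style report lines are constructed for illustration (the signature algorithm shown in them is an assumption); only the stanza, the package name and key ID 3CDBBC71 come from the newsletter.

```shell
#!/bin/sh
# Added example: audit a yum repo stanza and a signature report against the
# values announced in the newsletter. Helper names are hypothetical.

EXPECTED_KEYID="3cdbbc71"   # RPM signing key ID stated in the newsletter

# Stanza as printed in the newsletter.
PAGE_CONF='[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1'

# Constructed weak variant: no gpgcheck in the stanza, disabled in [main].
WEAK_CONF='[main]
gpgcheck=0
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/'

# Constructed reports, modelled on "rpm -Kv" output.
GOOD_SIG='ca_policy_igtf-classic-1.17-1.noarch.rpm:
    Header V3 DSA signature: OK, key ID 3cdbbc71
    V3 DSA signature: OK, key ID 3cdbbc71'
OTHER_SIG='ca_policy_igtf-classic-1.17-1.noarch.rpm:
    Header V3 DSA signature: OK, key ID 0badc0de'
NOKEY_SIG='ca_policy_igtf-classic-1.17-1.noarch.rpm:
    Header V3 DSA signature: NOKEY, key ID 3cdbbc71'

# repo_setting CONFIG_TEXT SECTION KEY -> prints the value of KEY in [SECTION]
repo_setting() {
    printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ {                       # section header, e.g. [eugridpma]
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        /^[ \t]*[#;]/ { next }              # comment line
        sec == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v           # last assignment wins in this parser
        }
        END { print val }'
}

# audit_repo CONFIG_TEXT SECTION -> prints one finding per line, or "ok"
audit_repo() {
    gpgcheck=$(repo_setting "$1" "$2" gpgcheck)
    # A repo stanza without gpgcheck inherits the [main] value.
    [ -n "$gpgcheck" ] || gpgcheck=$(repo_setting "$1" main gpgcheck)
    baseurl=$(repo_setting "$1" "$2" baseurl)
    findings=""
    [ "$gpgcheck" = "1" ] || findings="${findings}gpgcheck-not-enforced
"
    case "$baseurl" in
        https://*) ;;
        http://*)
            # Over plain HTTP, package integrity rests on the signature check.
            [ "$gpgcheck" = "1" ] || findings="${findings}unsigned-over-http
" ;;
        *) findings="${findings}baseurl-missing-or-unknown-scheme
" ;;
    esac
    if [ -n "$findings" ]; then printf '%s' "$findings"; else echo ok; fi
}

# signed_by_expected REPORT -> exit 0 only if every signature line verified
# OK and names the expected key ID; a report with no signature line fails.
signed_by_expected() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_KEYID" '
        tolower($0) ~ /signature/ {
            seen++
            line = tolower($0)
            if (line !~ /: ok/) { bad++; next }          # NOKEY, BAD, ...
            if (!match(line, /key id [0-9a-f]+/)) { bad++; next }
            id = substr(line, RSTART + 7, RLENGTH - 7)
            if (substr(id, length(id) - 7) != want) bad++   # compare last 8 hex digits
        }
        END { exit !(seen > 0 && bad == 0) }'
}

audit_repo "$PAGE_CONF" eugridpma
audit_repo "$WEAK_CONF" eugridpma
signed_by_expected "$GOOD_SIG" && echo "signature key matches $EXPECTED_KEYID"
```

Against a real package, the report would come from `rpm -Kv <package>` after importing the key from the repository.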
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Authentication Profile "Member Integrated Credential Services"
(MICS) introduced
2. New IGTF distribution version 1.16 available with many changes
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Authentication Profile "Member Integrated Credential Services"
(MICS) introduced
=========================================================================
The International Grid Trust Federation has approved a new Authentication
Profile against which issuing authorities will be accredited. A MICS is
an automated system to issue X.509 formatted identity assertions based on
pre-existing identity data maintained by a federation or large
organization – the end-entity certificate is thus based on a membership
or authentication system maintained by the organization or federation.
The goal is to leverage any existing, well-established identity
management system to generate X.509 certificates fully compatible with
those issued under the Classic Authentication Profile.
More information regarding this Profile, as well as the full text of the
document, can be obtained from the web at
http://www.tagpma.org/files/Final_MICS_Profile_MXCity.pdf
and at the EUGridPMA and TAGPMA web sites, specifically
http://www.tagpma.org/authn_profiles
=========================================================================
2. New IGTF distribution version 1.16 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.16,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.15 to 1.16
-------------------------
(8 August 2007)
* A new profile for Member-Integrated Credential Services (MICS), has
been defined by the IGTF. A policy installation bundle for authorities
accredited under the MICS profile has been added to the distribution.
Please refer to the IGTF web site at http://www.gridpma.org/ for a
description of the MICS profile.
* Corrected namespaces for APAC CA (AU)
* Added REUNA CA as a classic CA (CL)
* Added NCSA-MICS and NCSA-SLCS CAs (US)
* Added Ecole polytechnique federale de Lausanne to SWITCH namespace (CH)
* Added new KISTI (2007) classic CA (KR)
* Added Latin American and Caribbean Catch-all Grid CA (TAGPMA)
* Obsoleted expired UKeScience (01621954) Root CA (GB)
* Obsoleted expired HellasGrid-old (efe78092) Root CA (GR)
* some new roots added to the worthless area (these are not accredited CAs!)
This release re-introduces a new KISTI CA (Korea), based on new procedures
and a new root certificate and keypair. For clarity, the brief name of the
CA has been changed to "KISTI-2007". This CA replaces the old KISTI CA that
was withdrawn in the 1.10 release.
The new NCSA-MICS CA has been accredited under the new MICS Profile. To
install this CA via a policy bundle, you MUST install the new policy
bundle "ca_policy_igtf-mics" manually, or specify --with-profile=mics
explicitly in your build commands. A simple upgrade of the existing
profile set ("classic" and "slcs") will NOT trigger the installation of
the new MICS bundle and the NCSA-MICS CA.
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in September 2007.
=========================================================================
Please remember new location of distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
with deep-redirection provided from the old download location.
The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key "3" (see details at the end of this
newsletter).
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.16-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CA packages, as well as the bundles, have the same
(common) version number "1.16" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.16.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.16.tar.gz
igtf-preinstalled-bundle-slcs-1.16.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.16.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.15 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.15 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.15,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
or
https://dist.eugridpma.info/distribution/igtf/1.15/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.14 to 1.15
-------------------------
(9 July 2007)
* Temporarily removed ASGCC CA 2007 root certificate (TW)
On the ASGCCCA-2007:
This authority has been temporarily withdrawn on the request of the
ASGCCCA managers, since the root certificate distributed with the 1.14
release (in which it was introduced) has revealed inconsistencies in
the way some (grid) software implementations handle the representation
of the directory name.
These inconsistencies were most eminent in the parsing of the issuer
directory name used in the ASGCCA-2007 root certificate.
A new root certificate, using a different subject and issuer name, will
be re-introduced in the next IGTF release (1.16). In the meantime,
subscribers will continue to use the existing "ASGCCA" CA (with
c_name hash a692434d). There are NO issues with the a692434d root
certificate; there is no change in status related to the pre-1.15 ASGCC
authority.
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in September 2007.
=========================================================================
Please remember new location of distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
with deep-redirection provided from the old download location.
The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key "3" (see details at the end of this
newsletter).
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.15-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CA packages, as well as the bundles, have the same
(common) version number "1.15" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.15.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.15.tar.gz
igtf-preinstalled-bundle-slcs-1.15.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.15.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.14 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
Please remember new location of distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
http://dist.eugridpma.info/distribution/
with deep-redirection provided from the old download location.
The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key "3" (see details at the end of this
newsletter).
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=========================================================================
1. New IGTF distribution version 1.14 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.14,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
or
https://dist.eugridpma.info/distribution/igtf/1.14/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.13 to 1.14
-------------------------
(1 June 2007)
* Discontinued the expired GridCanada-old CA with hash 5f54f417 (CA)
* APAC CA signing policy now also covers BeSTGRID in New Zealand (AU)
* AEGIS (Serbia) CA added (RS)
* New organisations added for SWITCH Classic CA (CH)
* DutchGrid robot certificates added to signing namespace (NL)
* Added CA with new keypair for ASGCC CA during roll-over "ASGCC-2007" (TW)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in July 2007.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.14-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CA packages, as well as the bundles, have the same
(common) version number "1.14" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.14.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.14.tar.gz
igtf-preinstalled-bundle-slcs-1.14.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.14.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.13 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
Please remember new location of distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is now primarily served by a separate,
stand-alone system that serves only this static content:
http://dist.eugridpma.info/distribution/
The trust anchors in the distribution directory continue to be digitally
signed with the same EUGridPMA PGP key "3" (see details in this mail)
=========================================================================
1. New IGTF distribution version 1.13 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.13,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
or
https://dist.eugridpma.info/distribution/igtf/1.13/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.12 to 1.13
-------------------------
(13 March 2007)
* Added BG.ACAD CA accredited under the classic profile (BG)
* Added SWITCHaai SLCS and (classic) Root CA (CH)
NOTE: the SWITCHaai SLCS CA is included in the ca_policy_igtf-slcs bundle
* Extended lifetime of CyGrid CA to 2013 based on same key pair (CY)
* Updated ArmeSFO CA root certificate following TACAR (AM)
* Discontinued old (pre-2004) LIP CA (PT)
* Extended lifetime of NorduGrid CA for 2 years (DK)
* Added TERENA SCS CA hierarchy to the "worthless" area. Please note
that the SCS CA has not been accredited yet (EU)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in March 2007.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.13-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CA packages, as well as the bundles, have the same
(common) version number "1.13" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.13.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.13.tar.gz
igtf-preinstalled-bundle-slcs-1.13.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.13.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is a common distribution format
across the entire IGTF (i.e. all three PMAs).