Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Authentication Profile "Member Integrated Credential Services"
(MICS) introduced
2. New IGTF distribution version 1.16 available with many changes
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Authentication Profile "Member Integrated Credential Services"
(MICS) introduced
=========================================================================
The International Grid Trust Federation has approved a new Authentication
Profile against which issuing authorities will be accredited. A MICS is
an automated system to issue X.509 formatted identity assertions based on
pre-existing identity data maintained by a federation or large
organization – the end-entity certificate is thus based on a membership
or authentication system maintained by the organization or federation.
The goal is to leverage any existing, well-established identity
management system to generate X.509 certificates fully compatible with
those issued under the Classic Authentication Profile.
More information regarding this Profile, as well as the full text of the
document, can be obtained from the web at
http://www.tagpma.org/files/Final_MICS_Profile_MXCity.pdf
and at the EUGridPMA and TAGPMA web sites, specifically
http://www.tagpma.org/authn_profiles
=========================================================================
2. New IGTF distribution version 1.16 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.16,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
Changes from 1.15 to 1.16
-------------------------
(8 August 2007)
* A new profile for Member-Integrated Credential Services (MICS), has
been defined by the IGTF. A policy installation bundle for authorities
accredited under the MICS profile has been added to the distribution.
Please refer to the IGTF web site at http://www.gridpma.org/ for a
description of the MICS profile.
* Corrected namespaces for APAC CA (AU)
* Added REUNA CA as a classic CA (CL)
* Added NCSA-MICS and NCSA-SLCS CAs (US)
* Added Ecole polytechnique federale de Lausanne to SWITCH namespace (CH)
* Added new KISTI (2007) classic CA (KR)
* Added Latin American and Caribbean Catch-all Grid CA (TAGPMA)
* Obsoleted expired UKeScience (01621954) Root CA (GB)
* Obsoleted expired HellasGrid-old (efe78092) Root CA (GR)
* Some new roots added to the worthless area (these are not accredited CAs!)
This release re-introduces a new KISTI CA (Korea), based on new procedures
and a new root certificate and keypair. For clarity, the brief name of the
CA has been changed to "KISTI-2007". This CA replaces the old KISTI CA that
was withdrawn in the 1.10 release.
The new NCSA-MICS CA has been accredited under the new MICS Profile. To
install this CA via a policy bundle, you MUST install the new policy
bundle "ca_policy_igtf-mics" manually, or specify --with-profile=mics
explicitly in your build commands. A simple upgrade of the existing
profile set ("classic" and "slcs") will NOT trigger the installation of
the new MICS bundle and the NCSA-MICS CA.
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Next Release
------------
The next release of the CA RPMs is to be expected in September 2007.
=========================================================================
Please remember the new location of the distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
with deep-redirection provided from the old download location.
The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key "3" (see details at the end of this
newsletter).
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.16-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.16" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.16.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.16.tar.gz
igtf-preinstalled-bundle-slcs-1.16.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.16.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is to be a common distribution format
across the entire IGTF (i.e. all three PMAs).
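The "RPM GPG signing" and TACAR notices in the 1.16 announcement above say that the packages and trust anchors are PGP-signed and that the EUGridPMA key is needed to check them. The script below is an added example written for this page, not code from the EUGridPMA or from the IGTF distribution: it verifies a downloaded bundle against a detached PGP signature and rejects it unless the signer is the expected key. It assumes the detached signature is stored next to the bundle as "<bundle>.asc" (the newsletter does not describe the signature file layout), uses the key ID 3CDBBC71 that the newsletter names as the RPM signing key, and the script name verify-bundle.sh in the comment is hypothetical. The status lines used in the self-test are constructed, not real gpg output.

```sh
#!/bin/sh
# Added example, not part of the EUGridPMA newsletter: verify a downloaded
# IGTF bundle against its detached PGP signature and accept it only when
# the signature was made by the expected key. Checking gpg's exit status
# alone is not enough: any key present in the local keyring would pass.
#
# Assumptions (not stated in the newsletter): the detached signature sits
# next to the bundle as "<bundle>.asc", and the expected signer is the key
# ID 3CDBBC71 that the newsletter names as the RPM signing key. Where a
# full fingerprint is available (e.g. from TACAR), pass that instead of
# the short ID.

EXPECTED_KEYID="3CDBBC71"

# Print the signer fingerprint(s) found on gpg's VALIDSIG status line:
# field 3 is the fingerprint of the (sub)key that made the signature and,
# on gpg versions that emit it, the last field is the primary key's
# fingerprint. VALIDSIG is only emitted for a cryptographically good
# signature; GOODSIG alone may also appear for an expired key.
signer_fingerprints_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3, $NF; exit }' "$1"
}

# Return 0 when a 40-hex-digit fingerprint ends with the expected key ID
# (8 or 16 hex digits) or equals a full fingerprint; case-insensitive.
fingerprint_matches_keyid() {
    fpr=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    kid=$(printf '%s' "$2" | tr 'abcdef' 'ABCDEF')
    [ "${#fpr}" -eq 40 ] || return 1
    [ "${#kid}" -ge 8 ] || return 1
    case "$fpr" in
        *"$kid") return 0 ;;
    esac
    return 1
}

# verify_bundle FILE KEYID: 0 only when FILE.asc is a good signature over
# FILE made by KEYID (or by a subkey whose primary key is KEYID).
verify_bundle() {
    bundle=$1
    keyid=$2
    status=$(mktemp) || return 1
    # --status-fd 1 gives machine-readable lines; human output goes to stderr.
    gpg --batch --status-fd 1 --verify "$bundle.asc" "$bundle" >"$status" 2>/dev/null
    gpg_rc=$?
    fprs=$(signer_fingerprints_from_status "$status")
    rm -f "$status"
    [ "$gpg_rc" -eq 0 ] || return 1
    for f in $fprs; do
        if fingerprint_matches_keyid "$f" "$keyid"; then
            return 0
        fi
    done
    return 1
}

# Command-line use (hypothetical script name):
#   ./verify-bundle.sh igtf-policy-installation-bundle-1.16.tar.gz
if [ "$#" -eq 1 ]; then
    if verify_bundle "$1" "$EXPECTED_KEYID"; then
        echo "OK: $1 is signed by key $EXPECTED_KEYID"
    else
        echo "REJECT: $1 has no valid signature by key $EXPECTED_KEYID" >&2
        exit 1
    fi
fi
```

The point is the second check: gpg exits 0 for a good signature by any key in the keyring, so a script that only inspects the exit status would accept a bundle signed by an unrelated key that happened to be imported. Only after the bundle verifies does the newsletter's own step follow, i.e. unpacking it and running "./configure --with-profile=mics && make install" if the MICS authorities are wanted.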
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.15 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.15 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.15,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
or
https://dist.eugridpma.info/distribution/igtf/1.15/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.14 to 1.15
-------------------------
(9 July 2007)
* Temporarily removed ASGCC CA 2007 root certificate (TW)
On the ASGCCCA-2007:
This authority has been temporarily withdrawn on the request of the
ASGCCCA managers, since the root certificate distributed with the 1.14
release (in which it was introduced) has revealed inconsistencies in
the way some (grid) software implementations handle the representation
of the directory name.
These inconsistencies were most evident in the parsing of the issuer
directory name used in the ASGCCA-2007 root certificate.
A new root certificate, using a different subject and issuer name, will
be re-introduced in the next IGTF release (1.16). In the meantime,
subscribers will continue to use the existing "ASGCCA" CA (with
c_name hash a692434d). There are NO issues with the a692434d root
certificate; there is no change in status related to the pre-1.15 ASGCC
authority.
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in September 2007.
=========================================================================
Please remember the new location of the distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
https://dist.eugridpma.info/distribution/
with deep-redirection provided from the old download location.
The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key "3" (see details at the end of this
newsletter).
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.15-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.15" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.15.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.15.tar.gz
igtf-preinstalled-bundle-slcs-1.15.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.15.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is to be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
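The yum stanza in the "APT and Yum" section of the announcements above enables gpgcheck but names no gpgkey, so it depends on the EUGridPMA key having been imported separately. As an added example, not code from the newsletter or from the EUGridPMA, the script below audits yum repository stanzas for exactly these two settings and runs over a constructed sample that places the newsletter's stanza beside a weakened one (gpgcheck=0) and a hardened one that also names the key file. The key file path /etc/pki/rpm-gpg/RPM-GPG-KEY-EUGridPMA and the mirror path are assumed locations for the example, not ones the newsletter gives.

```sh
#!/bin/sh
# Added example, not part of the EUGridPMA newsletter: audit yum
# repository stanzas for the two settings that decide whether packages
# are signature-checked at all. The newsletter's stanza sets gpgcheck=1
# but names no gpgkey, so it relies on the EUGridPMA key (ID 3CDBBC71)
# having been imported beforehand with "rpm --import"; a gpgcheck=0
# stanza, or one whose key is never imported, installs trust anchors
# unverified. The key file path used below is an assumed example.

# audit_yum_repo FILE: print one line per [section]:
#   "<section> gpgcheck=<value|unset> gpgkey=<set|unset>"
audit_yum_repo() {
    awk '
        function flush() {
            if (sec != "") printf "%s gpgcheck=%s gpgkey=%s\n", sec, chk, key
        }
        /^[ \t]*\[[^]]+\][ \t]*$/ {
            flush()
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            chk = "unset"; key = "unset"
            next
        }
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }      # blank lines and comments
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck")                chk = v
            else if (k == "gpgkey" && v != "")  key = "set"
        }
        END { flush() }
    ' "$1"
}

# repo_is_hardened FILE SECTION: 0 when SECTION has gpgcheck=1 and a gpgkey.
repo_is_hardened() {
    audit_yum_repo "$1" | grep -qx "$2 gpgcheck=1 gpgkey=set"
}

# write_sample_repo FILE: constructed sample, not a real configuration.
# Stanza 1 is the newsletter's own; stanza 2 is the weak setting; stanza 3
# is the hardened form that also names the (assumed) key file location.
write_sample_repo() {
    cat >"$1" <<'EOF'
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1

[mirror-weak]
name=Local mirror with signature checking switched off (assumed path)
baseurl=file:///srv/mirror/igtf/current/
gpgcheck=0

[eugridpma-hardened]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
# assumed path: where the key taken from the repository was stored after review
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EUGridPMA
EOF
}

# Stand-alone run: audit the constructed sample and print one line per stanza.
demo_file=$(mktemp) || exit 1
write_sample_repo "$demo_file"
audit_yum_repo "$demo_file"
rm -f "$demo_file"
```

With gpgcheck=1 and no gpgkey, yum still refuses packages it cannot verify, but it cannot obtain the key by itself; the key shipped in the repository (ID 3CDBBC71 according to the newsletter) has to be imported with "rpm --import" after checking it against TACAR, or named in gpgkey= so that yum can import it when it is first needed. A gpgcheck setting in the [main] section of yum.conf acts as the default for stanzas that do not set it, so include that section in the audit as well.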
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.14 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
Please remember the new location of the distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
http://dist.eugridpma.info/distribution/
with deep-redirection provided from the old download location.
The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key "3" (see details at the end of this
newsletter).
*** PLEASE UPDATE YOUR DOWNLOAD LOCATIONS ***
=========================================================================
1. New IGTF distribution version 1.14 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.14,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
or
https://dist.eugridpma.info/distribution/igtf/1.14/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.13 to 1.14
-------------------------
(1 June 2007)
* Discontinued the expired GridCanada-old CA with hash 5f54f417 (CA)
* APAC CA signing policy now also covers BeSTGRID in New Zealand (AU)
* AEGIS (Serbia) CA added (RS)
* New organisations added for SWITCH Classic CA (CH)
* DutchGrid robot certificates added to signing namespace (NL)
* Added CA with new keypair for ASGCC CA during roll-over "ASGCC-2007" (TW)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in July 2007.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.14-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.14" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.14.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.14.tar.gz
igtf-preinstalled-bundle-slcs-1.14.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.14.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is to be a common distribution format
across the entire IGTF (i.e. all three PMAs).
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.13 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
Please remember the new location of the distribution "dist.eugridpma.info"
=========================================================================
The trust anchor distribution is now primarily served by a separate,
stand-alone system that serves only this static content:
http://dist.eugridpma.info/distribution/
The trust anchors in the distribution directory continue to be digitally
signed with the same EUGridPMA PGP key "3" (see details in this mail).
=========================================================================
1. New IGTF distribution version 1.13 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.13,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
or
https://dist.eugridpma.info/distribution/igtf/1.13/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.12 to 1.13
-------------------------
(13 March 2007)
* Added BG.ACAD CA accredited under the classic profile (BG)
* Added SWITCHaai SLCS and (classic) Root CA (CH)
NOTE: the SWITCHaai SLCS CA is included in the ca_policy_igtf-slcs bundle
* Extended lifetime of CyGrid CA to 2013 based on same key pair (CY)
* Updated ArmeSFO CA root certificate following TACAR (AM)
* Discontinued old (pre-2004) LIP CA (PT)
* Extended lifetime of NorduGrid CA for 2 years (DK)
* Added TERENA SCS CA hierarchy to the "worthless" area. Please note
that the SCS CA has not been accredited yet (EU)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in March 2007.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.13-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.13" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.13.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.13.tar.gz
igtf-preinstalled-bundle-slcs-1.13.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.13.jks" in the "accredited/jks/"
sub-directory (also for -slcs).
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is to be a common distribution format
across the entire IGTF (i.e. all three PMAs).
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.12 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
Please remember the new location of the distribution "dist.eugridpma.info"
=========================================================================
Since release 1.11, the trust anchor distribution is served by a separate,
stand-alone system that serves only this static content:
http://dist.eugridpma.info/distribution/
Deep-redirection is provided from the old download location (formerly
at http://www.eugridpma.org/distribution/) to the new one at
http://dist.eugridpma.info/distribution/
so all old links will continue to work as expected.
The trust anchors in the distribution directory continue to be digitally
signed with the same EUGridPMA PGP key (see details at the end of this
newsletter).
*** PLEASE UPDATE THE DOWNLOAD LOCATIONS ***
=========================================================================
1. New IGTF distribution version 1.12 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.12,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
or
https://dist.eugridpma.info/distribution/igtf/1.12/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.11 to 1.12
-------------------------
(09 February 2006)
* Extended lifetime of root certificate for SlovakGrid (SK)
* Obsoleted Russian DataGrid CA also in RPM updates (RU)
* Fixed SHA-1 fingerprint for new SiGNET CA (SI)
* Added NECTEC GOC CA (TH)
* Added SWITCH Personal and Server 2007 CAs, removed 2005 CAs (CH)
* Extended lifetime of root certificate for PolishGrid (PL)
* Changed CRL URL of the NAREGI CA from https to http (JP)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in March 2007.
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.12-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.12" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.12.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.12.tar.gz
igtf-preinstalled-bundle-slcs-1.12.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.12.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is to be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
From: David Groep <info(a)eugridpma.org>
Date: Thu, 11 January 2007 10:00:00 +0200
Subject: New IGTF distribution version 1.11 available
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Location of distribution site changed to dist.eugridpma.info
2. New IGTF distribution version 1.11 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Location of distribution site changed to dist.eugridpma.info
=========================================================================
In order to increase reliability and improve fault containment, the
EUGridPMA web site and distribution location have been changed. From now
on, the trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:
http://dist.eugridpma.info/distribution/
Deep-redirection is provided from the old download location (formerly at
http://www.eugridpma.org/distribution/) to the new one at
http://dist.eugridpma.info/distribution/
so all old links will continue to work as expected.
The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key (see details at the end of this
newsletter).
*** PLEASE UPDATE THE DOWNLOAD LOCATIONS ***
Why a new top-level domain name?
A new top-level domain (.info) has been chosen to host the static
distribution content of the EUGridPMA. This should better guard against
rash and inappropriate actions of the ".org" TLD operator (Enom, Inc.)
when faced with issues on the eugridpma.org web site (which, due to the
fact that it also hosts dynamic and interactive content, is inherently
more prone to compromise and computer security incidents).
Since the web sites within the "eugridpma.info" domain only serve
static content, and are hosted on a dedicated system, a compromise of
these systems is expected to be less likely. Since the .info TLD
is operated by a different company (Afilias Ltd.), this is expected
to provide an additional level of certainty.
In case of trouble with either TLD, the eugridpma.org or .info site will
be made available through the other TLD.
=========================================================================
2. New IGTF distribution version 1.11 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.10,
release 1, and it is now available for download from the Repository at
https://dist.eugridpma.info/distribution/igtf/current/
or
https://dist.eugridpma.info/distribution/igtf/1.11/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.10 to 1.11
------------------------
(11 January 2007)
* updated signing policy files for SWITCH CA (CH)
* change crl_url from https to http for KEK (JP)
* change crl_url from https to http for AIST (JP)
* extended lifetime of ESnet (+10y) and DoEGrids (+5y) CA certs (US/DoE)
* withdrawn Russian DataGrid CA (has been superseded by RDIG) (RU)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in February 2007 (of
course barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.11-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.11" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.11.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.11.tar.gz
igtf-preinstalled-bundle-slcs-1.11.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.11.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there will be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Fetch-CRL utility updated to version 2.6.1
at http://www.eugridpma.org/distribution/util/fetch-crl/
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Fetch-CRL utility updated to version 2.6.1
=========================================================================
As a courtesy service to the community, the EUGridPMA provides the
"fetch-crl" utility - originally developed by Fabio Hernandez, CC-IN2P3 -
to periodically retrieve CRLs from the web sites of the certification
authorities.
An updated release of this utility is now available, that fixes issues
related to localtime vs. UTC comparisons, and provides several new
features and usability enhancements.
Changes in version EGP 2.6.1
----------------------------
(2006.10.25)
* fixed local timezone vs UTC error in LastUpdate CRL validation comparison
* fixed time comparison in the one-hour LastUpdate/download tolerance
(both fixes thanks to Alain Roy)
* added support for directory names containing whitespace
* added support for syslog reporting (via -f option or SYSLOGFACILITY directive)
* SERVERCERTCHECK=no is now the default. It can be reset via the configuration
file, or using the "--check-server-certificate" commandline option
* the main configuration file location (formerly fixed to be
/etc/sysconfig/fetch-crl) can now be set via the variable $FETCH_CRL_SYSCONFIG
* logfile format timestamp and tag have been normalised
The new version is now available from the EUGridPMA web site at:
http://www.eugridpma.org/distribution/util/fetch-crl/
in RedHat Package Management (RPM) and gzipped-tarball format.
NOTE: the new version will by default ignore unknown web server certificates
when downloading CRLs. To revert to the "old" behaviour, use the
"--check-server-certificate" commandline option, or set SERVERCERTCHECK=yes
in the main configuration file.
Installations that use YUM package management can add
http://www.eugridpma.org/distribution/util/
to their yum.conf file and upgrade in that way.
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.10 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.10 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.10,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/current/
or
https://www.eugridpma.org/distribution/igtf/1.10/
and this repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/current
Changes from 1.9 to 1.10
------------------------
(17 October 2006)
* New public web page for the BEGrid CA in metadata info file (BE)
* New contact email addresses for:
HellasGrid and SEE-GRID (GR, SEE), INFN CA (IT), Grid-Ireland (IE),
DOEGrids CA (US/DOE), ASGCCA (TW), APAC (AU)
* New CERN CA added (root and on-line CA), managed by CERN IT/IS (CERN)
* New INFN CA issue 2006 to replace current one (expiring 2007) (IT)
* Retired SWITCH-SSSR hierarchy pending replacement of the tree (CH)
* Added new organisations to the SWITCH namespace (CH)
* Removed KISTI CA (KR)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in November 2006 (of
course barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.10-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.10" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.10.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.10.tar.gz
igtf-preinstalled-bundle-slcs-1.10.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.10.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there will be a common distribution format
across the entire IGTF (i.e. all three PMAs).
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Impact of OpenSSL RSA key handling vulnerability (CVE-2006-4339)
and the EUGridPMA accredited CAs
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at http://www.eugridpma.org/
=========================================================================
1. Impact of OpenSSL RSA key handling vulnerability (CVE-2006-4339)
=========================================================================
Recently, a vulnerability has been identified in OpenSSL, which could
be exploited by attackers to bypass security restrictions. This flaw is
due to an error when handling and verifying RSA keys with exponent 3,
which could be exploited by attackers to forge PKCS #1 v1.5 signatures
and bypass security verifications.
This affects only OpenSSL 0.9.7j and prior and OpenSSL 0.9.8b and prior.
(see http://www.frsirt.com/english/advisories/2006/3453)
In order to aid relying parties in the risk assessment, the EUGridPMA
has requested an investigation of all certificates issued by any of the
Certification Authorities accredited by the PMA, to see if any of these
have issued certificates based on an RSA key with public exponent 3. All
authorities have completed the audit and provided their findings to the PMA.
In the review, 12 certificates were found for which the exponent of the
RSA public key is 3:
- the INFN CA (covering Italy) has issued in total 10 certificates with
exponents 3, 5, or 7, of which 6 are still valid. In all these
cases, the certificates were issued to Cisco VPN hardware equipment.
The INFN CA is currently investigating whether these Cisco VPN systems
are able to generate key pairs with another exponent.
All other certificates were based on a key pair with exponent 65537
- the SWITCH Server CA (covering Switzerland) has issued 1 (one)
certificate with exponent 3, also issued to a Cisco VPN system, which
has since expired.
All active certificates from any SWITCH CA have exponents different
from 3.
- the UK e-Science CA (covering the UK) has issued 1 (one) certificate
with exponent 3, which has since expired.
All active certificates from the UK e-Science CA have exponent 65537.
All other accredited CAs have reported that all their certificates are
based on RSA key pairs with exponent 65537 (and these certificates are
thus not affected by this vulnerability):
CyGrid (Cyprus)
IUCC (Israel)
NorduGrid (Denmark, Sweden, Norway, Finland, Iceland)
DataGrid-ES (Spain)
BEGrid (Belgium)
SiGNET (Slovenia)
EstonianGrid (Estonia)
SWITCH (Switzerland)
NIIF/Hungarnet (Hungary)
BalticGrid (Estonia, Latvia, Lithuania)
CERN (CERN)
ArmeSFO (Armenia)
CNRS Grid-FR (France and catch-all)
CESNET (Czech Republic)
DutchGrid (The Netherlands)
GermanGrid (Germany, FZK)
HellasGrid (Greece)
Grid-Ireland (Republic of Ireland)
PolishGrid (Poland)
LIP (Portugal)
Russian DataGrid (Russia)
SlovakGrid (Slovakia)
DoEGrids (USA and LCG catch-all)
Grid-PK (Pakistan)
SEE-GRID Regional (South East European regional catch-all)
AustrianGrid (Austria)
DFN (Germany)
RDIG (Russia)
TR-Grid (Turkey)
pkIRISGrid (Spain)
SRCE (Croatia)
GridCanada (Canada)
CAs have implemented measures to prevent signing of such key pairs
where possible. The INFN CA is currently investigating whether the
Cisco VPN systems can generate key pairs with another exponent, but
in that case the certificates are not usually used in a Grid context
in combination with OpenSSL.
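The audit the PMA describes above (find every certificate whose RSA public exponent is 3), as an added example that is not EUGridPMA or CA code. It assumes the certificates are available as PEM text, uses a minimal DER reader so it runs with only the Python standard library, and build_test_cert() constructs stub (unsigned) certificates as sample input.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def der_length(n):
    """Encode a DER length field (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_length(len(value)) + value

def der_integer(n):
    """Encode a non-negative INTEGER, adding a leading zero if the top bit is set."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos):
    """Decode the element at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(seq_value):
    """Split the contents of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = read_tlv(seq_value, pos)
        out.append((tag, value))
    return out

def rsa_exponent_from_cert(cert_der):
    """Return the RSA public exponent of a DER certificate, or None for non-RSA keys."""
    _, cert, _ = read_tlv(cert_der, 0)
    fields = children(children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                 # explicit [0] version is optional
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    algorithm, bit_string = children(fields[5][1])
    if children(algorithm[1])[0][1] != RSA_OID:
        return None
    _, rsa_key, _ = read_tlv(bit_string[1][1:], 0)   # skip "unused bits" octet
    exponent = children(rsa_key)[1]                  # RSAPublicKey: modulus, publicExponent
    return int.from_bytes(exponent[1], "big")

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def audit(certs):
    """certs: label -> PEM. Returns (label -> exponent, labels whose exponent is 3)."""
    exponents = {label: rsa_exponent_from_cert(pem_to_der(pem)) for label, pem in certs.items()}
    affected = sorted(label for label, e in exponents.items() if e == 3)
    return exponents, affected

def build_test_cert(modulus, exponent):
    """Constructed stub: a structurally valid but unsigned X.509 SEQUENCE around an RSA key."""
    rsa_key = tlv(0x30, der_integer(modulus) + der_integer(exponent))
    algorithm = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    spki = tlv(0x30, algorithm + tlv(0x03, b"\x00" + rsa_key))
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, der_integer(2)) + der_integer(1) + algorithm
              + empty + empty + empty + spki)
    cert = tlv(0x30, tbs + algorithm + tlv(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode()
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    n = (1 << 1023) + 12345                  # constructed 1024-bit modulus, not a real key
    exponents, affected = audit({"vpn-gateway": build_test_cert(n, 3),
                                 "user-cert": build_test_cert(n, 65537)})
    for label, e in exponents.items():
        print(f"{label}: e={e}{'  <-- exponent 3, review' if label in affected else ''}")
```

On real input, replace the stub certificates with PEM files read from the CA's issued-certificate store; the reader only needs the subjectPublicKeyInfo, so signature and extension contents are never interpreted.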
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.9 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.9 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.9,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/current/
or
https://www.eugridpma.org/distribution/igtf/1.9/
Changes from 1.8 to 1.9
-----------------------
(11 September 2006)
* New SiGNET CA (with 2048-bit key length) and new Subject DN (SI)
* New HellasGrid CA (both Root and EE) issue 2006 added (GR)
* Modified CINC Root and CINC SDC CA certificate extensions:
removed SubjectAltName and IssuerAltName. (CN)
* Updated extendedKeyUsage and nsCertType extension in AustrianGrid CA (AT)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in October 2006 (of
course barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.9-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/",
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.9" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.9.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.9.tar.gz
igtf-preinstalled-bundle-slcs-1.9.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.9.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there will be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **