Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.8 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.8 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.8,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/current/
or
https://www.eugridpma.org/distribution/igtf/1.8/
Changes from 1.7 to 1.8
-----------------------
* added O=Universitaet St. Gallen to the list of SWITCH Organisations (CH)
* added newly accredited CINC Root CA and CINC SDC Grid CA (CN)
* added new root certificate for the NAREGI CA (JP)
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Next Release
------------
The next release of the CA RPMs is to be expected in September 2006 (of
course barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.8-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.8" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authorities, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.8.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.8.tar.gz
igtf-preinstalled-bundle-slcs-1.8.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.8.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Hi David, all,
David Bannon wrote:
> Hmm, as in the past, the new bundle appears to contain sites whose CRLs
> are not available as indicated. This release seems to have added one
> more, ba2f39ca.r0
That one was already in the list :-)
Anyway, the following CAs are involved:
617ff41b: alias = KEK
    this one serves it from https, but it is available. If one uses
    for example a recent version of "fetch-crl" (v2.5.1+), with the
    appropriate "-n" option, it will be downloaded correctly.
b38b4d8c: alias = Globus-CA-service
    This CA is NOT part of the accredited fabric, and is not in the
    accredited/ directory either (but in "Worthless", with some
    disclaimers).
ba2f39ca: alias = IHEP
    Also uses https, as discussed.
e1fce4e9: alias = FNAL_KCA
    This is a non-accredited experimental kCA, which, being a SLCS, will
    never issue CRLs (since that does not make sense for a SLCS). The
    .info file does not contain a crl_url and there is no .crl_url
    file in the distribution either -- so no download attempts should
    be made.
There was a problem yesterday that the CRL for the new UKeScience off-line
Root was not available. Since, the appropriate number of people have gotten
together so that a quorum was present to generate the CRL (2 out of 3 is
needed). I've seen no errors since this morning for UKeScience.
>
>
>>617ff41b.r0
>>b38b4d8c.r0
>>ba2f39ca.r0
>>e1fce4e9.r0
>
>
> From one point of view, all this means is that we are adding more
> entries in our error logs but I suggest it's more important than that. Do
> others agree ?
As far as the https:// CRLs are concerned, it would help quite a lot
to change over to plain http, if only to reduce the general confusion
out there in the wild ;-)
Hope this helps a bit,
Cheers,
DavidG.
>
> David
>
>
>
>
> On Mon, 2006-07-24 at 14:13 +0200, David Groep wrote:
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New IGTF distribution version 1.7 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New IGTF distribution version 1.7 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.7,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/current/
or
https://www.eugridpma.org/distribution/igtf/1.7/
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Changes from 1.6 to 1.7:
* removed CESNET-old from accredited list and obsoleted in RPM
distribution
* Added new accredited SRCE (Croatia) classic CA
* Added new accredited BrGrid (Brazil) classic CA
* New root and online CA certificates for updated UKeScience CA
A summary of changes can also be found in the distribution.
Next Release
------------
The next release of the CA RPMs is to be expected in August 2006 (of course
barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.7-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.7" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authorities, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.7.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.7.tar.gz
igtf-preinstalled-bundle-slcs-1.7.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.7.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. URGENT UPDATE to new distribution 1.6
We apologize for this upgrade, so quickly after the update to 1.5. Please
review the entire CHANGES file at the location below to see the
changes with respect to the 1.4 release:
http://www.eugridpma.org/distribution/igtf/current/CHANGES
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. URGENT UPDATE to new distribution 1.6
=========================================================================
An internal audit of the NAREGI CA has shown that the key length of
the NAREGI CA's root certificate is not 2048 bit but 1024 bit.
This problem was found by their internal assessment and ascertained that
it was due to a misoperation (configuration) at the time of the key
generation.
For this reason, the current NAREGI CA root certificate is being
withdrawn from the distribution. The new 1.6 release no longer
contains this CA, and the RPM packaging thereof obsoletes the ca such
that automatic upgrades using YUM or APT will de-install the 1024-bits
NAREGI CA.
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.6,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/current/
or
https://www.eugridpma.org/distribution/igtf/1.6/
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Modified accredited CAs:
  NAREGI CA         Withdrawn from the distribution
A detailed summary of changes can also be found in the distribution.
Next Release
------------
The next release of the CA RPMs is to be expected in July 2006, (of course
barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.6-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.5" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authorities, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.6.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.5.tar.gz
igtf-preinstalled-bundle-slcs-1.5.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.5.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New distribution 1.5 available with various updates
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New distribution (1.5) with various updates
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.5,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/current/
or
https://www.eugridpma.org/distribution/igtf/1.5/
You can download the new packages and install them at your convenience.
PLEASE NOTE:
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Modified accredited CAs:
  Russia RDIG       New CRL download location
  GermanGrid CA     Extended root certificate lifetime
                    (would have expired June 10, 2007)
  Grid-Ireland      Extended root certificate lifetime
                    (would have expired July 27, 2007)
  ASGCC CA          no longer authoritative for /C=CN/O=IHEP
  AIST CA           modified extensions in root certificate
  SWITCH            list of organisations (namespace) updated
A detailed summary of changes can also be found in the distribution.
Next Release
------------
The next release of the CA RPMs is to be expected in July 2006, (of course
barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================
Notice on directory structure
-----------------------------
*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.5-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.5" and release "1".
Distribution formats
--------------------
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authorities, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.5.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.5.tar.gz
igtf-preinstalled-bundle-slcs-1.5.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.5.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
Also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
Suggestions
-----------
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. Note that there is be a common distribution format
across the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
From: David Groep <info(a)eugridpma.org>
Date: Tue, 20 May 2006 12:00:00 +0200
Subject: New version of "fetch-crl" available and selected CRL issues
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Clock skew problem with HellasGrid and SEE-GRID CAs resolved
2. Fetch-CRL utility updated to deal with CRLs issued in the future
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Clock skew problem with HellasGrid and SEE-GRID CAs resolved
=========================================================================
The following information is provided courtesy of the HellasGrid
and SEE-GRID-Catch-all Authorities:
A problem came into our attention regarding all the CRLs issued by
both HellasGrid and SEE-GRID CA starting from 5/5/2006.
For an unknown reason there was a clock skew of the computer running
the CA off-line services which resulted in setting the clock 23 days
forward in the future. [...] The result was that CRLs were issued and
published with the last update field having the date 28 May.
We have generated a new CRL with the current date that will fix the
problem [..], but a new [...] problem has been introduced. The
[previous version of] edg-fetch-crl, used by many Grid sites, performs
a check on the value of the last update field and refuses to download a
CRL that has a date older than the currently installed CRL (logging an
error via syslog).
This problem has been resolved as of May 19th, 11:26 hrs GMT.
In order for this new CRL to be correctly processed by the fetch-crl
utility, which is provided as a service by (amongst others) the EUGridPMA,
relying parties that use this version of fetch-crl should upgrade to the
latest version. Unless you upgrade to the new version of fetch-crl, the new,
correct, CRLs for the HellasGrid and SEE-GRID CAs will NOT be retrieved.
Please see section 2 of this announcement for details.
[thanks to Christos Kanellopoulos for the analysis of this issue]
=========================================================================
2. Fetch-CRL utility updated to deal with CRLs issued in the future
=========================================================================
As a courtesy service to the community, the EUGridPMA provides the
"fetch-crl" utility - originally developed by Fabio Hernandez, CC-IN2P3 -
to periodically retrieve CRLs from the web sites of the certification
authorities.
This utility is extremely careful in not replacing CRLs that already
exist locally by ones that are downloaded from the web. Versions up to and
including EGP-2.5.1 are slightly too careful, and will also refuse to
install a newly downloaded correct CRL if the currently installed one
has an issuance date in the future. Thus, versions <= EGP-2.5.1 cannot be
used to retrieve the corrected CRLs issued by the HellasGrid and SEE-GRID
CAs on May 19th.
A new version of fetch-crl (EGP-2.6.0) that corrects this issue, as well as
adding a non-suppressable warning about newly-downloaded but not-yet-valid
CRLs, is now available from the EUGridPMA web site at:
http://www.eugridpma.org/distribution/util/fetch-crl/
in RedHat Package Management (RPM) and gzipped-tarball format.
Changes in version EGP 2.6
--------------------------
(2006.05.20)
* if the current local CRL has a lastUpdate time in the future, and the
newly downloaded CRL is older than the current one, allow the
installation of the newly downloaded CRL and issue a warning.
* added non-suppressable warning in case the newly downloaded CRL has a
lastUpdate time in the future, but install that CRL anyway (as the local
clock might have been wrong).
Installations that use YUM package management can add
http://www.eugridpma.org/distribution/util/
to their yum.conf file and upgrade in that way.
=========================================================================
Additional Information
=========================================================================
Notice:
The next release of the IGTF Accredited Authority distribution is
expected in early June, 2006.
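The replacement rule from section 2 above (fetch-crl up to EGP-2.5.1 versus EGP-2.6.0), modelled as an added Python example; it is not the fetch-crl source. Function names, warning texts, the "now" value and the times of day in the sample data are assumptions; the 28 May and 19 May 11:26 GMT dates come from the announcement.

```python
"""Model of the CRL replacement decision described for fetch-crl.

Added illustration only, not code from fetch-crl. Timestamps are parsed
from the text format printed by `openssl crl -noout -lastupdate`.
"""
from datetime import datetime, timezone


def parse_openssl_time(line):
    """Parse e.g. 'lastUpdate=May 28 00:00:00 2006 GMT' into an aware datetime."""
    _, value = line.strip().split("=", 1)
    value = " ".join(value.split())  # openssl pads single-digit days: 'May  5'
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def decide(installed, downloaded, now, legacy=False):
    """Return (install, warnings) for a freshly downloaded CRL.

    installed  -- lastUpdate of the CRL already on disk, or None
    downloaded -- lastUpdate of the CRL just fetched
    now        -- local clock
    legacy     -- True models versions <= EGP-2.5.1, False models EGP-2.6.0
    """
    warnings = []
    # EGP-2.6.0: warn about a not-yet-valid download, but install it anyway,
    # because the local clock might be the one that is wrong.
    if not legacy and downloaded > now:
        warnings.append("downloaded CRL has lastUpdate in the future")
    if installed is not None and downloaded < installed:
        # Never roll back to an older CRL, unless (EGP-2.6.0 only) the
        # installed CRL is itself dated in the future.
        if legacy or installed <= now:
            warnings.append("downloaded CRL is older than installed CRL; kept old")
            return False, warnings
        warnings.append("installed CRL is dated in the future; replaced by older CRL")
    return True, warnings


# Constructed sample values following the announcement's timeline.
INSTALLED = parse_openssl_time("lastUpdate=May 28 00:00:00 2006 GMT")  # skewed CRL
CORRECTED = parse_openssl_time("lastUpdate=May 19 11:26:00 2006 GMT")  # reissued CRL
NOW = parse_openssl_time("now=May 20 12:00:00 2006 GMT")               # assumed clock

if __name__ == "__main__":
    for legacy in (True, False):
        install, warnings = decide(INSTALLED, CORRECTED, NOW, legacy=legacy)
        label = "<= EGP-2.5.1" if legacy else "EGP-2.6.0"
        print(f"{label}: install={install} warnings={warnings}")
```

With the older rule the corrected CRL is rejected until the skewed one is removed by hand or expires; a relying party in that state keeps validating against revocation data it can no longer refresh.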
From: David Groep <info(a)eugridpma.org>
Date: Tue, 15 May 2006 10:00:00 +0200
Subject: IGTF (EUGridPMA) CA distribution 1.4 and updates
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New distribution 1.4 available
with updated NorduGrid root certificate
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New distribution (1.4) with new NorduGrid root certificate
=========================================================================
** Important Notice:
This release 1.4 is the first release after version 1.2. There is not,
and will not be, a version 1.3 of the IGTF Release. Please see the
detailed CHANGES file in the distribution for details.
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.4,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/1.4/
or
https://www.eugridpma.org/distribution/igtf/current/
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Modified accredited CAs:
NorduGrid Updated root trust anchor with extended lifetime.
A detailed summary of changes can be found in the distribution.
Notice on directory structure
-----------------------------
*** *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.4-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.4" and release "1".
=========================================================================
Distribution information
=========================================================================
We warmly welcome your comments and suggestions to improve deployability
of the CA distribution.
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.2.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.4.tar.gz
igtf-preinstalled-bundle-slcs-1.4.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.4.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
and also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
=========================================================================
Next Release
=========================================================================
The next release of the CA RPMs is to be expected in May 2006, (of course
barring special circumstances).
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. There will be a common distribution format across
the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. New distribution IGTF 1.2 available
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New distribution IGTF 1.2 available
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.2,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/1.2/
or
https://www.eugridpma.org/distribution/igtf/current/
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
Modified accredited CAs:
KISTI CA new email contact address
pkIRISGrid re-quoted the signing_policy file for consistency
SWITCH new organisation added to namespace
ArmeSFO new CRL location on a dedicated server based in Karlsruhe
Suspended:
SWITCH-CA2 the new SwissSign hierarchy that is based off the
self-signed Silver root has been suspended, pending
acceptance of the root by the WebTrust auditors.
(for procedural reasons, CRLs cannot be made available
by SwissSign prior to acceptance by KPMG)
This will remove: ca_SwissSign-Silver-Root,
ca_SWITCH-Personal2, ca_SWITCH-CA2, ca_SWITCH-Server2
A detailed summary of changes can be found in the distribution.
Notice on directory structure
-----------------------------
*** *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.2-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.1" and release "1".
=========================================================================
Distribution information
=========================================================================
We warmly welcome your comments and suggestions to improve deployability
of the CA distribution.
* the distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.2.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.2.tar.gz
igtf-preinstalled-bundle-slcs-1.2.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.2.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
and also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
=========================================================================
Next Release
=========================================================================
The next release of the CA RPMs is to be expected in May 2006, (of course
barring special circumstances).
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. There will be a common distribution format across
the entire IGTF (i.e. all three PMAs).
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear CAs, Relying Parties, Users, and all others interested,
After the release of distribution 1.1, I have received a number of valuable
suggestions to improve the distribution format, in particular for the
tar-based installation bundle. Also, the meta-RPM contained a typo that
prevented the (discontinued) ca_CNRS-DataGrid to be obsoleted correctly.
Therefore, a new release (R2) of this version 1.1 has been made
available, containing these changes:
~ Changes from 1.1 R1 to 1.1 R2
~ -----------------------------
~ (22 Feb 2006)
~ NOTE: THERE ARE NO CHANGES TO THE CONTENT IN THIS SUB-RELEASE
~ * Corrected typo in the obsoletion of the old ca_CNRS-DataGrid
~ * Improved understandability of the igtf-policy-installation-bundle
The igtf-policy-installation-bundle-1.1.tar.gz now contains a README.txt
file with more detailed instructions and a clearer internal structure.
Comments are of course always welcome.
Regards,
David Groep.
=========================================================================
Next Release
=========================================================================
The next release of the CA RPMs is to be expected around mid-March 2006,
(of course barring special circumstances).
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. There will be a common distribution format across
the entire IGTF (i.e. all three PMAs).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFD/DbLcnpzXG8phBgRAoK/AJ9GpTAFoE7f3CJXYaZ+Uy/qy1ofHQCeJrJJ
SUMUn3QIQC/Hgm76IQYTBUc=
=PA5G
-----END PGP SIGNATURE-----
From: David Groep <info(a)eugridpma.org>
Date: Mon, 20 Feb 2005 15:00:00 +0100
Subject: EUGridPMA (IGTF) CA distribution 1.1 and updates
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Release frequency increase
2. New distribution 1.1 available with new authorities
3. Distribution changes and improved deployability
4. Namespace constraints policies
5. Informational services experiments from the EUGridPMA
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Release frequency increase
=========================================================================
On the request of the relying parties expressed in the IGTF and CA-OPS
meetings during GGF16 in Athens, Greece, there will be more frequent
releases of the IGTF distribution. In this way, changes such as
CRL location changes, and newly accredited CAs, will be available to
relying parties faster.
In the new scheme, the maximum delay for a new distribution will be
two (2) weeks after all technical information has been made available.
The time to deployment of any such regular update release is left to
the discretion of the relying parties.
Specific security updates will be released more frequently as necessary,
and should preferably be implemented as soon as possible. Such security
updates will be clearly marked as such.
=========================================================================
2. New distribution (1.1) with new authorities
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, based
on the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.1,
release 1, and it is now available for download from the Repository at
https://www.eugridpma.org/distribution/igtf/1.1/
or
https://www.eugridpma.org/distribution/igtf/current/
You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE, LCG,
DEISA, NAREGI or others) you may want to await your project announcement
before installing this release.
New Authorities:
APAC Australian Partnership for Advanced Computing
KEK High Energy Accelerator Research Organization (Japan)
NAREGI National Research Grid Initiative (Japan)
pkIRISGrid IRISGrid PKI (RedIRIS, Spain)
Modified:
GridCanada added new root certificate
SWITCH new Personal and Server CA certificates
SWITCH-CA2 new CA hierarchy based off the SwissSign Silver Root
Discontinued:
Datagrid-FR no longer contains valid end-entity certs
CyGrid-old expired and replaced by "CyGrid"
This release also contains various updates and corrections to the CRL
download locations and the CA contact information.
A detailed summary of changes can be found in the distribution.
Notice on directory structure
-----------------------------
*** *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED
USING THE ca_policy_igtf-classic-1.0-1.noarch.rpm ARE ACCREDITED
Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in
this format for your convenience only, and to allow graceful changeover
for legacy installations.
*** The Fermilab Kerberized CA, although not an accredited CA according
to the "classic" profile, has been available from the EUGridPMA
repository before in the "others/" directory. Due to the reorganization,
this authority has moved to the "experimental/" area. When the KCA has
been accepted by the TAGPMA, the location of this authority will change.
*** All individual CAs packages, as well as the bundles, have the same
(common) version number "1.1" and release "1".
=========================================================================
3. Distribution changes and improved deployability
=========================================================================
We warmly welcome your comments and suggestions to improve deployability
of the CA distribution. Based on some suggestions received, some changes
have been implemented in this release.
The distribution traditionally contained a set of RPMs and tar-balls
per accredited authority, as well as meta-RPMs that depend on the RPMs
of those accredited.
In this release, we add several new components.
* the "tar-bundle" that can be used to install the authorities in a
local trust directory using the "./configure && make install"
mechanism has been renamed to avoid confusion. It is called:
igtf-policy-installation-bundle-1.1.tar.gz
It has the same functionality and can still be found in the
"accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
contain, respectively, *all* "classic" and "slcs" accredited CAs:
igtf-preinstalled-bundle-classic-1.1.tar.gz
igtf-preinstalled-bundle-slcs-1.1.tar.gz
(note there are no SLCS-accredited authorities at this time)
* those CAs whose key-length is less than 4095 bits are also
available in a Java KeyStore (JKS), whose password is "eugridpma".
There is both a JKS for each individual CA, as well as a
"igtf-policy-accredited-classic-1.1.jks" in the "accredited/jks/"
sub-directory.
APT and Yum
-----------
As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:
[eugridpma]
name=EUGridPMA
baseurl=http://www.eugridpma.org/distribution/igtf/current/
gpgcheck=1
and also "apt" is supported. For details, see
http://www.eugridpma.org/distribution/igtf/current/apt/README.txt
Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.
RPM GPG signing
---------------
Also this new RPM distribution is distributed with GPG-signed RPMs. The
key (ID 3CDBBC71) has been uploaded to the public key servers, along with
my signature as the EUGridPMA Chair (keyID 6F298418). The key is also
contained in the repository. You will need this key if you enable GPG
checking for automatic updates in "yum" or "apt".
Please remember to validate this distribution against the TACAR
trusted repository (https://www.tacar.org/) where possible.
=========================================================================
4. Namespace constraints policies
=========================================================================
The assertions by the IGTF on the compliance of the authorities
only extend within the namespaces as accredited by the PMAs. This
ensures that any certificate subject name corresponds to one and
only one entity, and allows you to rely on this subject name
for subsequent decisions. This uniqueness applies only
*within the namespace constraints* set by the PMAs.
For this reason, the distribution has, since its conception, contained
a set of "signing_policy" files that specify exactly what subject
names of each CA are subject to the IGTF assertions.
On request of several middleware development projects, this very same
set of namespace constraints is now also specified in a new format in
a separate ".namespaces" file.
There is no difference in content between these two files, but the
format and interpreting semantics are different.
For information regarding the new ".namespaces" file, please see
http://www.eugridpma.org/documentation/
In the future, this format may yet again be extended or replaced by
another format, as discussions within the Global Grid Forum continue.
Your participation, via the CA-OPS Working Group, is of course welcome.
=========================================================================
5. Informational Services from the EUGridPMA
=========================================================================
To better service the community, contact information of the members
is made available from the EUGridPMA web site. Look under "membership"
and find the web site and a link to the Policy and Practice Statements.
Experimentally, the following services are also available:
* a "subject locator" - given a DN, find out which Authority manages
that namespace:
http://www.eugridpma.org/showca.php
* Status News - short notices by the PMA that do not warrant issuing
a newsletter because of their transient nature.
http://www.eugridpma.org/statusnews/
In the near future, this system will be enhanced with a more detailed
monitoring page that contains notices posted by the member authorities,
such as scheduled web site maintenance. This service will be kindly
provided by SiGNET.
=========================================================================
Next Release
=========================================================================
The next release of the CA RPMs is to be expected around mid-March 2006,
(of course barring special circumstances).
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the PMA at
<info(a)eugridpma.org>. There will be a common distribution format across
the entire IGTF (i.e. all three PMAs).