Dear CAs, Relying Parties, Users, and all others interested,
This is the EUGridPMA "announcements" newsletter to
keep relying parties and other interested parties informed of
important news regarding your trusted certification authorities.
In this announcement of the EUGridPMA:
1. New distribution (0.30) to include new CAs and important changes
2. International Grid Trust Federation (IGTF) to extend trust
fabric to a global level about to be established
3. Overview of changes for member authorities
We hope that you find this update useful and welcome any comments you
may have. Also, feel free to redistribute this information widely as
you see appropriate.
Regards,
David Groep
For more information about this newsletter and the mailing list,
please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. New distribution version 0.30
=========================================================================
A new distribution of Accredited Authorities by the EUGridPMA, release
version 0.30, is now available for download from the EUGridPMA Repository
https://www.eugridpma.org/distribution/current/
You can download the new packages and install them at your convenience.
Changes from 0.29 to 0.30
-------------------------
(12 July 2005)
* Added IHEP CA for China
* Added DFN GridGermany CA (Root, User and Server CAs)
* Added RDIG CA (will replace the Russian DataGrid CA)
* New name space allocation for the IUCC CA: "/C=IL/O=IUCC/*"
* Added updated CESNET Root cert and renamed the old one to "CESNET-old"
for legacy compatibility. The new CESNET CA started operating June 17th
* RPMs are now signed (experimentally) with PGP keyID 3CDBBC71. This key,
the "EUGridPMA Distribution Signing Key 3" can be obtained from the
popular PGP key servers, where it has been signed by the current Chair,
David Groep. It can also be downloaded from the web distribution site:
GPG-KEY-EUGridPMA-RPM-3
For those using RPM based Linux distribution, a "meta-RPM" is available
from the repository, ca_policy_eugridpma-0.30-1.noarch.rpm, that contains
dependencies on the RPMs of all accredited CAs. The repository is
suitable for "yum" based automatic updates.
This is the first RPM distribution that will (on an experimental basis)
use GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to
the public key servers, along with my signature as the EUGridPMA
Chair (keyID 6F298418). The key is also contained in the repository.
The next release of the CA RPMs is to be expected around August 2005,
(of course barring special circumstances). The format of those new releases
is currently under consideration. If you want to contribute to the
discussion or to suggest improvements to have it better suit your needs,
please contact the PMA at <info(a)eugridpma.org>. There will be a common
distribution format across the entire IGTF (i.e. all three PMAs).
=========================================================================
2. The International Grid Trust Federation Developments
=========================================================================
Over the last year significant progress has been made in building
consensus on common trust mechanisms both in Europe, the Asia-Pacific
Region and in the Americas. As early as 2002, during GGF7, the "Tokyo
Accord" set the direction to move towards a common, global, trust fabric
that will enable relying parties to easily evaluate certification
authorities by using common guidelines.
There are now three "regional" PMAs. Apart from the EUGridPMA, there
is one in the Asia-Pacific region (www.apgridpma.org) and at GGF14
the Americas Grid PMA (www.tagpma.org) was formally established.
All three PMAs have agreed to use a common set of "authentication
profiles" to which authorities will be accredited. This also means
that all accredited CAs, regardless of their location in the world
and regardless of the accrediting PMA, meet or exceed the same
set of minimum requirements. You, as relying parties, will then
be able to more effectively assess CAs worldwide, and incorporate
these efficiently in your trust infrastructure.
The current EUGridPMA Minimum Requirements will constitute the first
authentication profile, that of "Classic X.509 CAs with secured
infrastructure" (shortname "classic").
The foundation of the IGTF is foreseen for the very near future. The
EUGridPMA will keep you informed about further developments in this area.
For more information, please see the IGTF web site:
http://www.gridpma.org/
=========================================================================
3. Overview of changes for member authorities
=========================================================================
The following CP/CPS changes were approved by the EUGridPMA. The
modifications of the policy documents by the authorities below comply
with the minimum requirements and have been reviewed by the PMA.
They are listed below for informational purposes to our relying parties:
* New authorities accredited under the "classic" profile include
the DFN (Deutsche Forschung Netz) Grid-PKI, the IHEP (China) CA, and
the Russian Data Intensive Grid CA (which will replace the Russian
DataGrid CA).
* UK e-Science CA
A new CP/CPS took effect on May 15th.
It does not affect procedures except to tighten them. The
current practice is described in more detail.
See http://www.grid-support.ac.uk/ca/ for the new version
* Grid-FR
The emailAddress name component has been removed from all
certificate subject names.
* GermanGrid CA (GridKA-CA)
New policy version 1.2 clarifies wording, especially in sections
3.1.9 Authentication of Individual Identity.
* CESNET
The CESNET CA is switching both the software and the hardware
(HSM based) which means that the procedures are going to change
rather fundamentally (that's why the major version number was
changed).
More information on the CESNET CA web site http://www.cesnet.cz/pki/
=========================================================================

Dear CAs, Relying Parties, Users, and all others interested,
Release 0.29 of the CA distribution available
---------------------------------------------
A new distribution of Accredited Authorities by the EUGridPMA, release
version 0.29, is now available for download from the EUGridPMA Repository
https://www.eugridpma.org/distribution/current/
You can download the new packages and install them at your convenience.
Changes from 0.28 to 0.29
-------------------------
(27 April 2005)
* New root certificate for the NIIF/Hungarnet CA, following the TACAR update
* Preliminary inclusion of the SWITCH CA certificates. Note that the
ordering of the components in the end-entity DN will currently prevent
the end-entity certs from being validated (this is being addressed by SwissSign)
* Modified layout of the tar distribution, in preparation for support of
multiple authentication profiles
Note also that from this release on the (expired) DOESG root CA has been
withdrawn from the "accredited/" directory.
For those using RPM based linux distribution, a "meta-RPM" is available
from the repository, ca_policy_eugridpma-0.29-1.noarch.rpm, that contains
dependencies on the RPMs of all accredited CAs. The repository is
suitable for "yum" based automatic updates.
The next release (0.30) of the CA RPMs is to be expected around July 2005,
(of course barring special circumstances).
Regards,
David Groep
Chair.
PS: Please circulate this announcement widely as appropriate.

Dear CAs, Relying Parties, Users, and all others interested,
Release 0.28 of the CA distribution available
---------------------------------------------
A new distribution of Accredited Authorities by the EUGridPMA, release
version 0.28, is now available for download from the EUGridPMA Repository
https://www.eugridpma.org/distribution/current/
You can download the new packages and install them at your convenience.
Changes from 0.27 to 0.28
-------------------------
(6 April 2005)
* Added the root certs for the newly accredited CAs "AustrianGrid" and
"NIIF/Hungarnet"
* updated signing policy file of SiGNET CA to handle new emailAddress
DN component name
* added "BalticGrid CA" in the "worthless" section, for experimentation
by AndersW
* UKeScience CA changed to SHA1 digest for the root certificate
* new CRL and CA URLs for both CyGrid CAs
In this release, a configuring/installer tar-ball has been added as an
alternative for the RPM installation. The tar-ball contains the accredited
CAs and can be installed via the conventional triplet:
./configure [--prefix=path] && make && make install
For those using RPM based linux distribution, a "meta-RPM" is available
from the repository, ca_policy_eugridpma-0.28-1.noarch.rpm, that contains
dependencies on the RPMs of all accredited CAs. The repository is
suitable for "yum" based automatic updates.
The next release (0.29) of the CA RPMs is expected in May 2005.
Regards,
David Groep
Chair.
PS: Please circulate this announcement widely as appropriate.
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
-1- New CA distribution v0.27 available
-2- Update of the Minimum Requirements for Accreditation (v3.2)
Release 0.27 of the CA distribution available
---------------------------------------------
A new distribution of Accredited Authorities by the EUGridPMA, release
version 0.27, is now available for download from the EUGridPMA Repository
https://www.eugridpma.org/distribution/current/
Please download the new packages and install them at your earliest
convenience, since the new package includes upgrades to some of the
existing CAs as well (CNRS Grid-FR and CyGrid) and it fixes a problem
with the use of the UK e-Science CA with recent versions of the OpenSSL
package.
Changes from 0.26 to 0.27 (22 February 2005):
* added additional entry to UKeScience signing policy file to accommodate
openssl 0.9.7c rendering of emailAddress component in the subject DN
* updated DutchGrid CA cert from web site: extended lifetime to 2021 and
changed digest algorithm from MD5 to SHA1
* added a tar-ball distribution with a configure script for convenience
* Removed DOESG-Root from the accredited CA list, as per request of
the CA on January 28, 2005. There are no certs left issued by this CA.
* Added Grid-FR CA by CNRS, and extended the signing_policy file of the
associated CNRS-Projets CA.
* A new root certificate for the CyGrid CA (with a new subject name). The
old CyGrid CA has been moved to "-old". Both are in the accredited list.
The next release (0.28) of the CA RPMs is expected for the end of March 2005.
Update of the Minimum Requirements for Accreditation
----------------------------------------------------
The Minimum Requirements guidelines document has been clarified and
elaborated in several places, bringing it better in line again with the
common minimum requirements that are coordinated globally via the
International Grid Federation (IGF) and to make them less ambiguous.
This does not alter the meaning of the requirements in any way.
The new version of the document (v3.2) is also available from the
web site at
http://www.eugridpma.org/guidelines/
The changes are:
* better synchronisation with the APGridPMA guidelines (and our own
version 2.1) regarding revocation of certificates.
* clarification of wording regarding the uniqueness of subject names
* a list of CA and RA personnel must now be explicitly maintained
* worded more carefully what the PMA expects regarding scope of new CAs,
and the expected level of commitment and sustainability of member CAs
* the description of the profile of end-entity certificates, that
was in section 4, has been made explicit in a new subsection
4.1. New requirements in this area include a compulsory inclusion
of the CRLDistributionPoints extension, and also AuthorityInfoAccess in
case the CA operated a production-level OCSP responder.
* the use of MD5 has been deprecated
Regards,
David Groep.
PS: to leave this mailing list, please visit the EUGridPMA link below and
look at the Subscriber options at the bottom of the page:
http://mailman.eugridpma.org/cgi-bin/listinfo/eugridpma-announce

Dear members, relying parties, and other users,
A new release of the "accredited CA distribution" - version 0.26 - from
the European Grid Authentication PMA in eScience is now available
for download from the usual location:
http://www.eugridpma.org/distribution/current/
This release removed the "Spain-old" CA that expired in November 2004,
but that was causing unnecessary warnings in some software distributions.
It also includes the new RMKI CA, extending coverage for authentication
to Hungary.
The information is provided in RPM and .tar.gz format, the set of
accredited CAs being located in the "accredited/" subdirectory. An
RPM containing only dependencies on the accredited CAs is provided
as "ca_policy_eugridpma-0.26-1.noarch.rpm". For users of RPM the
repository is "yum" enabled.
Large projects serving this software to their sites and end-users are
requested to mirror the distribution.
Regards,
David Groep.
(chair)
--
David Groep

Dear Relying parties, CAs, and Others,
Although the previous release of the distribution of the EUGridPMA
Accredited Authorities was quite recent, we are forced to issue a new
release that includes a new root certificate for the Spanish DataGrid CA
(DataGrid-ES, whose alias is "Spain").
The new distribution (version 0.25) is now available from the EUGridPMA
repository, including new sources and meta-RPMs. You can update at your
convenience, but if you are relying on certificates issued by DataGrid-ES
you should upgrade before November 12. See:
http://www.eugridpma.org/distribution/current/
Also I would like to remind you that relying parties and any others
interested can subscribe to the announce(a)eugridpma.org mailing list
(low traffic) via the web site at http://www.eugridpma.org/
Regards,
David Groep.
--
David Groep

Dear CAs, Relying Parties, and others,
New CAs approved
----------------
On October 20th, the EUGridPMA released a new version of the Accredited
Authorities distribution: version 0.24.
This distribution is now available on the web site at
http://www.eugridpma.org/distribution/0.24/
All relying parties that accept the Minimum Requirements (now at version
3.1) as sufficient, can update to the new Roots of Trust at their
convenience. A change log is included in this mail at the bottom.
Note that the updated LIP CA will start issuing certs from the
new root CA quite soon.
Announcements mailing list
--------------------------
To improve communications from the EUGridPMA Member Authorities to
relying parties, an announcement mailing list has been set up. This
low-traffic list will carry messages like:
- new releases of the distribution,
- changes in the CP/CPS of accredited Authorities,
- aggregated information regarding grave events and incidents.
Everyone is invited to subscribe to the "announce(a)eugridpma.org"
mailing list by:
* Sending a mail to <announce-request(a)eugridpma.org> with a single line
"subscribe" in the body of the message
* Or go to the web interface at:
http://mailman.eugridpma.org/cgi-bin/listinfo/eugridpma-announce
The list is archived and old messages can be reviewed at:
http://mailman.eugridpma.org/pipermail/eugridpma-announce/
Changelog for 0.23->0.24
------------------------
* Added the Slovenian SiGNET CA with hash 747183a and alias: SiGNET
* Added the SEE-GRID CA with hash 468d15b3 and alias: SEE-GRID
* Added the Estonian Grid CA, with hash 566bf40f and
alias: EstonianGrid
* Added the updated LIP CA (called "LIPCA") with hash 11b4a5a2, which
will supersede the old one with hash 41380387. The "LIP" one
will remain in the repository till the end of 2005.
* Added RPM requirements that reflect CA chaining:
CNRS-Projects requires CNRS
CNRS-DataGrid requires CNRS-Projects
DOEGrids requires ESnet
--
David Groep

To all interested parties:
This list "announce(a)eugridpma.org" carries announcements made by the
EUGridPMA to the members, relying parties and others interested. Such
announcements include amongst others new releases of the distribution,
changes in the CP/CPS of accredited Authorities.
The web archive is to be found at
http://mailman.eugridpma.org/pipermail/eugridpma-announce/
and you can subscribe by sending an email to <announce-request(a)eugridpma.org>
with a single line in the body: "subscribe".
Please see the EUGridPMA web site for additional details:
http://www.eugridpma.org/
--
David Groep