eugridpma-announce

eugridpma-announce@nikhef.nl

1 participants
164 discussions

EUGridPMA (IGTF) CA distribution 1.1 Release 2 UPDATE
by David Groep 22 Feb '06

22 Feb '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear CAs, Relying Parties, Users, and all others interested, After the release of distribution 1.1, I have received a number of valuable suggestions to improve the distribution format, in particular for the tar-based installation bundle. Also, the meta-RPM contained a typo that prevented the (discontinued) ca_CNRS-DataGrid to be obsoleted correctly. Therefore, a new release (R2) of this version 1.1 has been made available, containing these changes: ~ Changes from 1.1 R1 to 1.1 R2 ~ ----------------------------- ~ (22 Feb 2006) ~ NOTE: THERE ARE NO CHANGES TO THE CONTENT IN THIS SUB-RELEASE ~ * Corrected typo in the obsoletion of the old ca_CNRS-DataGrid ~ * Improved understandability of the igtf-policy-installation-bundle The igtf-policy-installation-bundle-1.1.tar.gz now contains a README.txt file with more detailed instructions and a clearer internal structure. Comments are of course always welcome. Regards, David Groep. ========================================================================= Next Release ========================================================================= The next release of the CA RPMs is to be expected around mid-March 2006, (of course barring special circumstances). If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. There will be a common distribution format across the entire IGTF (i.e. all three PMAs). -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows XP) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFD/DbLcnpzXG8phBgRAoK/AJ9GpTAFoE7f3CJXYaZ+Uy/qy1ofHQCeJrJJ SUMUn3QIQC/Hgm76IQYTBUc= =PA5G -----END PGP SIGNATURE-----

1 0

EUGridPMA (IGTF) CA distribution 1.1 and updates
by David Groep 20 Feb '06

20 Feb '06

From: David Groep <info(a)eugridpma.org> Date: Mon, 20 Feb 2005 15:00:00 +0100 Subject: EUGridPMA (IGTF) CA distribution 1.1 and updates Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the EUGridPMA: 1. Release frequency increase 2. New distribution 1.1 available with new authorities 3. Distribution changes and improved deployability 4. Namespace constraints policies 5. Informational services experiments from the EUGridPMA We hope that you find this update useful and welcome any comments you may have. Also, feel free to redistribute this information widely as you see appropriate. Regards, David Groep For more information about this newsletter and the mailing list, please refer to the EUGridPMA web site at https://www.eugridpma.org/ ========================================================================= 1. Release frequency increase ========================================================================= On the request of the relying parties expressed in the IGTF and CA-OPS meetings during GGF16 in Athens, Greece, there will be more frequent releases of the IGTF distribution. In this way, changes such as CRL location changes, and newly accredited CAs, will be available to relying parties faster. In the new scheme, the maximum delay for a new distribution will be two (2) weeks after all technical information has been made available. The time to deployment of any such regular update release is left to the descretion of the relying parties. Specific security updates will be released more frequently as necessary, and should preferably be implemented as soon as possible. Such security updates will be clearly marked as such. ========================================================================= 2. New distribution (1.1) with new authorities ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members. This is version 1.1, release 1, and it is now available for download from the Repository at https://www.eugridpma.org/distribution/igtf/1.1/ or https://www.eugridpma.org/distribution/igtf/current/ You can download the new packages and install them at your convenience. If you part of a coordinated-deployment project (such as OSG, EGEE, LCG, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. New Authorities: APAC Australian Partnership for Advanced Computing KEK High Energy Accelerator Research Organization (Japan) NAREGI National Research Grid Initiative (Japan) pkIRISGrid IRISGrid PKI (RedIRIS, Spain) Modified: GridCanada added new root certificate SWITCH new Personal and Server CA certificates SWITCH-CA2 new CA hierarchy based off the SwissSign Silver Root Discontinued: Datagrid-FR no longer contains valid end-entity certs CyGrid-old expired and replaces by "CyGrid" This release also contains various updates and corrections to the CRL download locations and the CA contact information. A detailed summary of changes can be found in the distribution. Notice on directory structure ----------------------------- *** *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-1.0-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you yourself review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** The Fermilab Kerberized CA, although not an accredited CA according to the "classic" profile, has been available from the EUGridPMA repository before in the "others/" directory. Due to the reorganization, this authority has moved to the "experimental/" area. When the KCA has been accepted by the TAGPMA, the location of this authority will change. *** All individual CAs packages, as well as the bundles, have the same (common) version number "1.1" and release "1". ========================================================================= 3. Distribution changes and improved deployability ========================================================================= We warmly welcome your comments and suggestions to improve deployability of the CA distribution. Based on some suggestions received, some changes have been implemented in this release. The distribution traditionally contained a set of RPMs and tar-balls per accredited authorities, as well as meta-RPMs that depends on the RPMs of those accredited. In this release, we add several new components. * the "tar-bundle" that can be used to install the authorities in a local trust directory using the "./configure && make install" mechanism has been renamed to avoid confusion. It is called: igtf-policy-installation-bundle-1.1.tar.gz It has the same functionality and can still be found in the "accredited/" subdirectory. * the accredited directory now contains two additional tar-balls that contain, respectively, *all* "classic" and "slcs" accredited CAs: igtf-preinstalled-bundle-classic-1.1.tar.gz igtf-preinstalled-bundle-slcs-1.1.tar.gz (note there are no SLCS-accredited authorities at this time) * those CAs whose key-length is less than 4095 bits are also available in a Java KeyStore (JKS), whose password is "eugridpma". These is both a JKS for each individual CA, as well as a "igtf-policy-accredited-classic-1.1.jks" in the "accredited/jks/" sub-directory. APT and Yum ----------- As always, the repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://www.eugridpma.org/distribution/igtf/current/ gpgcheck=1 and also "apt" is supported. For details, see http://www.eugridpma.org/distribution/igtf/current/apt/README.txt Large deployment projects are kindly requested to mirror these directories in their own distribution repositories. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where possible. ========================================================================= 4. Namespace constraints policies ========================================================================= The assertions by the IGTF on the compliance of the authorities only extend within the namespaces as accredited by the PMAs. This ensures that any certificate subject name corresponds to one and only one entity, and allows you to rely on this subject name for subsequent decisions. This uniqueness applies only *within the namespace constraints* set by the PMAs. For this reason, the distribution has, since its conception, contained a set of "signing_policy" files that specify exactly what subject names of each CA are subject to the IGTF assertions. On request of several middleware development projects, this very same set of namespace constraints is now also specified in a new format in a separate ".namespaces" file. There is no difference in content between these two files, but the format and interpreting semantics are different. For information regarding the new ".namespaces" file, please see http://www.eugridpma.org/documentation/ In the future, this format may yet again be extended or replaced by another format, as discussions within the Global Grid Forum continue. Your participation, via the CA-OPS Working Group, is of course welcome. ========================================================================= 5. Informational Services from the EUGridPMA ========================================================================= To better service the community, contact information of the members is made available from the EUGridPMA web site. Look under "membership" and find the web site and a link to the Policy and Practice Statements. Experimentally, the following services are also available: * a "subject locator" - given a DN, find out which Authority manages that namespace: http://www.eugridpma.org/showca.php * Status News - short notices by the PMA that do not warrant issuing a newsletter because of their transient nature. http://www.eugridpma.org/statusnews/ In the near future, this system will be enhanced with a more detailed monitoring page that contains notices posted by the member authorities, such as scheduled web site maintenance. This service will be kindly provided by SiGNET. ========================================================================= Next Release ========================================================================= The next release of the CA RPMs is to be expected around mid-March 2006, (of course barring special circumstances). If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. There will be a common distribution format across the entire IGTF (i.e. all three PMAs).

1 0

EUGridPMA (IGTF) CA distribution 1.0
by David Groep 26 Oct '05

26 Oct '05

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the EUGridPMA: 1. International Grid Trust Federation to introduce new authorities 2. New distribution (1.0) with new layout and authorities Summary of changes Notice on directory structure RPM distribution and meta-packages Info meta-data for authorities Obsoleting of the EUGridPMA meta-package by the IGTF policy RPM GPG signing We hope that you find this update useful and welcome any comments you may have. Also, feel free to redistribute this information widely as you see appropriate. Regards, David Groep For more information about this newsletter and the mailing list, please refer to the EUGridPMA web site at https://www.eugridpma.org/ https://www.eugridpma.org/newsletter/eugridpma-newsletter-20051025.txt ========================================================================= 1. International Grid Trust Federation to introduce new authorities ========================================================================= With the foundation of the International Grid Trust Federation (IGTF) on October 5th, the authentication profile (minimum requirements) guidelines on X.509 CAs with secured infrastructure has been accepted as the basis for accrediting "classic" authorities by all three PMAs: not only the EUGridPMA, but also the APGridPMA (for the Asia Pacific region) and the TAGPMA (covering the Americas). In the AP region, four authorities have been accredited according to this profile, following an in-depth review and an on-site audit. This includes the two authorities (IHEP in Beijing and ASGCC in Taipei) that were already previously accredited by the EUGridPMA. The APGridPMA also brings in two new CAs: KISTI (South Korea) and AIST (Japan). The EUGridPMA will from now on distribute the entire corpus of IGTF accredited CAs, regardless of their accrediting PMA (as announced in the October 6th newsletter. Today, this includes the "classic" profile only, but in the near future also the new profile covering short-lived credential services ("slcs"). If you have previously accepted the assurance level for classic CAs from the EUGridPMA, we suggest you place equal trust in the IGTF "classic" profile. You should make a new trust assessment with respect to the SLCS profile, once this profile has been accepted by its maintaining body, the TAGPMA. This advice is reflected in the upgrade path for the EUGridPMA distribution format, as explained below. For more information regarding the IGTF, please refer to the IGTF or EUGridPMA web site at: http://www.gridpma.org/ ========================================================================= 2. New distribution (1.0) with new layout and formats ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. As several major changes have been introduced in this release, and because of the use of a common distribution format throughout the IGTF, the version number has been bumped to 1.0. Future releases will sequentially increment this number (1.1, 1.2 ... 1.9, 1.10, 1.11, ... 1.1201, etc.) This is version 1.0, release 1, and it is now available for download from the EUGridPMA repository at https://www.eugridpma.org/distribution/igtf/1.0/ or https://www.eugridpma.org/distribution/igtf/current/ You can download the new packages and install them at your convenience. Summary of changes ------------------ Changes from 0.32 to 1.0 ------------------------- (25 October 2005) * IGTF policy meta-packages replace EUGridPMA-only ones. The legacy "ca_policy_eugridpma" RPMs now depend on their IGTF counterparts. The EUGridPMA specific files will be withdrawn in a future release. * New directory structure moves all data regarding accredited authorities to the singe "accredited/" directory (including the policy meta-RPM) * Tar-ball installation now supports multiple profiles and targets * Meta-data (".info") for each CA added, and installed in trusted directory * The "experimental" profile supersedes the "others/"areainthe distribution (note: this affects the FNAL_KCA, which may shortly be added as an accredited authority under a new Short-Lived Credential Services profile) * Discontinued authorities are no longer distributed * APGridPMA accreditations added: KISTI and AIST * New EUGridPMA accreditations: TR-Grid and BalticGrid * CRL URL for SiGNET changed to http instead of https * Added compatibility namespace forNIIF "/C=HU/O=NIIF CA/OU=NIIF/OU=GRID/*" Notice on directory structure ----------------------------- *** *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_igtf-classic-1.0-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/" or "experimental/", directories, except if you your self review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. *** The Fermilab Kerberized CA, although not an accredited CA according to the "classic" profile, has been available from the EUGridPMA repository before in the "others/" directory. Due to the reorganization, this authority has moved to the "experimental/" area. When an authentication profile (SLCS) suitable for the KCA has been accepted by the TAGPMA, the location of this authority will be reconsidered. *** All individual CAs packages, as well as the bundles, have the same (common) version number "1.0" and release "1". RPM distribution and meta-packages ---------------------------------- For those using RPM based Linux distribution, a "meta-RPM" is available from the repository, ca_policy_igtf-classic-1.0-1.noarch.rpm, that contains dependencies on the RPMs of all accredited CAs. The repository is suitable for "yum" based automatic updates, by adding to the yum.conf file: [eugridpma] name=EUGridPMA baseurl=http://www.eugridpma.org/distribution/igtf/current/ gpgcheck=1 Also "apt" is supported. See http://www.eugridpma.org/distribution/igtf/current/apt/README.txt for details. Info meta-data for authorities ------------------------------ The RPM packages (and the files installed via the accredited tar bundle) now also include a ".info" file for each installed root certificate. This info file contains important meta-data regarding the CA, in a plain- text "attribute=value" format. At a minimum, this file will contain: alias preferred short name of the CA status accreditation profile name (or "worthless/experimental") email contact address of the CA for incidents sha1fp SHA1 fingerprint of the certificate version version number of the package that contains this CA The file may contains comments (i.e. lines starting with "#"). For an example, unpack the igtf-accredited bundle from the accredited/ directory: igtf-policy-accredited-bundle-1.0.tar.gz and look at, e.g., "igtf-policy-accredited-bundle-1.0/16da7552.info" Obsoleting of the EUGridPMA meta-package by the IGTF policy ----------------------------------------------------------- In previous releases, a similar meta-package for bulk installations, called "ca_policy_eugridpma-classic-<ver>-<rel>" has been provided. Following our recommendation to extend your trust to all IGTF accredited "classic" authorities, you are requested now to install "ca_policy_igtf-classic-1.0-1" and un-install the obsolete eugridpma-only meta-package. There will no longer be a meta-package with only EUGridPMA accredited CAs. For compatibility purposes, the ca_policy_eugridpma-classic package is still provided with release 1.0, but has a single dependency on the entire ca_policy_igtf-classic bundle. If you do automatic updating using this meta-package, you will *automatically* add all IGTF accredited "classic" authorities to your list of trusted authorities. For release 1.0, this means that KISTI and AIST will be added. We are sure this matches the expectations of our relying parties, and it implements the EUGridPMA and IGTF recommendations on compatible assurance levels between the PMAs. For policy-related issues, please refer to the IGTF Federation Document for details. Similar considerations hold for the tar-based installation using the "configure && make && make install" mechanism. This accredited bundle (which supports all authentication profiles using the "--with-profile=" mechanism) also contains all IGTF accredited CAs. RPM GPG signing --------------- Also this new RPM distribution is distributed with GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. You will need this key if you enable GPG checking for automatic updates in "yum" or "apt". Please remember to validate this distribution against the TACAR trusted repository (https://www.tacar.org/) where-ever possible. ========================================================================= Next Release ========================================================================= The next release of the CA RPMs is to be expected around November 2005, (of course barring special circumstances). If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. There will be a common distribution format across the entire IGTF (i.e. all three PMAs). -- David Groep ** National Institute for Nuclear and High Energy Physics, PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

Foundation of the International Grid Trust Federation
by David Groep 06 Oct '05

06 Oct '05

Dear CAs, Relying Parties, Users, and all others interested, Today, at the 15th Global Grid Forum in Boston, the International Grid Trust Federation was officially established. With this, the process started almost five years ago has reached a new milestone: http://www.gridpma.org/docs/igtf-newsrelease-20051005.pdf The IGTF is a federation of certification authorities or grid policy management authorities (grid PMAs), and the major grid infrastructure projects that together define the policies and standards for grid identity management. Comprising the three regional grid policy management bodies, the EUGridPMA, the Asia Pacific Grid PMA (APGridPMA), and The Americas GridPMA (TAGPMA), the federation today has 61 members and covers 50 countries and regions. The new federation builds on the foundations laid by the EUGridPMA. The same minimum requirements on classic CAs that have been the basis of the EUGridPMA have been adopted by all IGTF members, so that relying parties can have the same level of trust in the CAs that are accredited by the APGridPMA and the TAGPMA. The new distribution of trust anchors will reflect this equivalence, by distributing new common metapackages "ca_policy_igtf" that replaces the current EUGridPMA-only bundles. The IGTF meta-packages will contain all CAs accredited under a given profile, regardless of their regional affiliation. The APGridPMA and TAGPMA, at the same time enriched the federation with new profiles that enable more high-quality identity providers to issue certificates. They will be issuing credentials to users in their own organisation, leveraging strong local methods of authentication, like Kerberos. These "short-lived credential generation services" usually issue (proxy) certificates valid for hours or a few days, thus eliminating the need for long-term key management by the end-user. It is expected that by November this year the PMAs will be able to distribute a bundle of CAs accredited under this new "SLCGS" Authentication Profile. For the activities of the IGTF, pointers to all authentication profiles, and the IGTF Charter, please go to the web site at: http://www.gridpma.org/ or look at any of the regional PMA pages for the IGTF information. A new distribution (0.33) is due by the end of October 2005. We hope that you find this update useful and welcome any comments you may have. Also, feel free to redistribute this information widely as you see appropriate. Regards, David Groep For more information about this newsletter and the mailing list, please refer to the EUGridPMA web site at https://www.eugridpma.org/

1 0

EUGridPMA CA distribution 0.32
by David Groep 23 Aug '05

23 Aug '05

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the EUGridPMA: 1. New distribution (0.32) with repairs and updated root cert We hope that you find this update useful and welcome any comments you may have. Also, feel free to redistribute this information widely as you see appropriate. Regards, David Groep For more information about this newsletter and the mailing list, please refer to the EUGridPMA web site at https://www.eugridpma.org/ ========================================================================= 1. New distribution version 0.32 ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, release version 0.32, is now available for download from the EUGridPMA Repository https://www.eugridpma.org/distribution/current/ Note that this updates the previous release that was issued three days ago. There are two reasons for this update: * The Russian Data Intensive Grid (RDIG) CA has released a new root certificate with a keylength of 2048 bits. The previous key (4096 bits in length) caused problems in various software suites, in particular some Java implementations. NOTE that the has remains unchanged, and the previous web locations will be re-used. In the transition period, you may encounter inconsistencies between the new CA cert and the (still old) CRL downloaded from the crl_url. This inconsistency has no other security impacts than to render the CA inactive, i.e., this is a safe default. * The signing policy file for the new CESNET CA was incomplete and left out the namespace that was actually in use. The correct namespace is /DC=cz/DC=cesnet-ca/*. Notice: *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_eugridpma-0.32-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/", "other/", or "discontinued/" directories, except if you your self review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. You can download the new packages and install them at your convenience. Changes from 0.31 to 0.32 ------------------------- (23 August 2005) * Corrected namespace for the new CESNET CA * New RDIG root certificate with a 2048 bit key length for increased compatibility with existing software suites. For those using RPM based linux distribution, a "meta-RPM" is available from the repository, ca_policy_eugridpma-0.32-1.noarch.rpm, that contains dependencies on the RPMs of all accredited CAs. The repository is suitable for "yum" based automatic updates. This is the first RPM distribution that will (on an experimental basis) used GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. The next release of the CA RPMs is to be expected around October 2005, (of course barring special circumstances). The format of those new releases is currently under considation. If you want to contribute to the discussion or to suggest improvements to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. There will be a common distribution format across the entire IGTF (i.e. all three PMAs).

1 0

EUGridPMA Corrected CA distribution 0.31
by David Groep 15 Jul '05

15 Jul '05

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the EUGridPMA: 1. New distribution (0.31) with repairs and clarifications We hope that you find this update useful and welcome any comments you may have. Also, feel free to redistribute this information widely as you see appropriate. Regards, David Groep For more information about this newsletter and the mailing list, please refer to the EUGridPMA web site at https://www.eugridpma.org/ ========================================================================= 1. New distribution version 0.31 ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, release version 0.31, is now available for download from the EUGridPMA Repository https://www.eugridpma.org/distribution/current/ Note that this updates the previous release that was issued three days ago. There are two reasons for this update: * The Russian Data Intensive Grid (RDIG) CA was accidentally left out of the accredited list. Thus, if you install the old release, you will not get the RDIG CA, contrary to the release notes. * There was confusion about which CAs were actually accredited, and are thus "safe" to install in a production system *ONLY* CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE ca_policy_eugridpma-0.31-1.noarch.rpm ARE ACCREDITED Do *not* install certificates from the "worthless/", "other/", or "discontinued/" directories, except if you your self review and accept their policy and practice statement. The EUGridPMA provides these certificates in this format for your convenience only, and to allow graceful changeover for legacy installations. You can download the new packages and install them at your convenience. Changes from 0.30 to 0.31 ------------------------- (15 July 2005) * Corrected packaging problem which left RDIG out of accredited CA group * renamed the "unknown/" directory to "discontinued/" * Added explanatory text to the distribution regarding the "other/", "worthless/" and "discontinued/" directories For those using RPM based linux distribution, a "meta-RPM" is available from the repository, ca_policy_eugridpma-0.31-1.noarch.rpm, that contains dependencies on the RPMs of all accredited CAs. The repository is suitable for "yum" based automatic updates. This is the first RPM distribution that will (on an experimental basis) used GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. The next release of the CA RPMs is to be expected around August 2005, (of course barring special circumstances). The format of those new releases is currently under considation. If you want to contribute to the discussion or to suggest improvements to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. There will be a common distribution format across the entire IGTF (i.e. all three PMAs).

1 0

EUGridPMA News and the new Accredited CA distribution 0.30
by David Groep 12 Jul '05

12 Jul '05

Dear CAs, Relying Parties, Users, and all others interested, This is the EUGridPMA "announcements" news letter to keep relying parties and other interested parties informed of important news regarding your trusted certification authorities. In this announcement of the EUGridPMA: 1. New distribution (0.30) to include new CAs and important changes 2. International Grid Trust Federation (IGTF) to extend trust fabric to a global level about to be established 3. Overview of changes for member authorities We hope that you find this update useful and welcome any comments you may have. Also, feel free to redistribute this information widely as you see appropriate. Regards, David Groep For more information about this newsletter and the mailing list, please refer to the EUGridPMA web site at https://www.eugridpma.org/ ========================================================================= 1. New distribution version 0.30 ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, release version 0.30, is now available for download from the EUGridPMA Repository https://www.eugridpma.org/distribution/current/ You can download the new packages and install them at your convenience. Changes from 0.29 to 0.30 ------------------------- (12 July 2005) * Added IHEP CA for China * Added DFN GridGermany CA (Root, User and Server CAs) * Added RDIG CA (will replace the Russian DataGrid CA) * New name space allocation for the IUCC CA: "/C=IL/O=IUCC/*" * Added updated CESNET Root cert and renamed the old one to "CESNET-old" for legacy compatibility. The new CESNET CA started operating June 17th * RPMs are now signed (experimentally) with PGP keyID 3CDBBC71. This key, the "EUGridPMA Distribution Signing Key 3" can be obtained from the popular PGP key servers, where it has been signed by the current Chair, David Groep. It can also be downloaded from the web distribution site: GPG-KEY-EUGridPMA-RPM-3 For those using RPM based Linux distribution, a "meta-RPM" is available from the repository, ca_policy_eugridpma-0.30-1.noarch.rpm, that contains dependencies on the RPMs of all accredited CAs. The repository is suitable for "yum" based automatic updates. This is the first RPM distribution that will (on an experimental basis) used GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers, along with my signature as the EUGridPMA Chair (keyID 6F298418). The key is also contained in the repository. The next release of the CA RPMs is to be expected around August 2005, (of course barring special circumstances). The format of those new releases is currently under consideration. If you want to contribute to the discussion or to suggest improvements to have it better suit your needs, please contact the PMA at <info(a)eugridpma.org>. There will be a common distribution format across the entire IGTF (i.e. all three PMAs). ========================================================================= 2. The International Grid Trust Federation Developments ========================================================================= Over the last year significant progress has been made in building consensus on common trust mechanisms both in Europe, the Asia-Pacific Region and in the America's. As early as 2002, during GGF7, the "Tokyo Accord" set the direction to move towards a common, global, trust fabric that will enable relying parties to easily evaluate certification authorities by using common guidelines. There are now three "regional" PMAs. Apart from the EUGridPMA, there is one in the Asia-Pacific region (www.apgridpma.org) and at GGF14 the Americas Grid PMA (www.tagpma.org) was formally established. All three PMAs have agreed to use a common set of "authentication profiles" to which authorities will be accredited. This also means that all accredited CAs, regardless of their location in the world and regardless of the accrediting PMA, meet or exceed the same set of minimum requirements. You, as relying parties, will then be able to more effectively assess CAs worldwide, and incorporate these efficiently in your trust infrastructure. The current EUGridPMA Minimum Requirements will constitute the first authentication profile, that of "Classic X.509 CAs with secured infrastructure" (shortname "classic"). The foundation of the IGTF is foreseen for the very near future. The EUGridPMA will keep you informed about further developments in this area. For more information, please see the IGTF web site: http://www.gridpma.org/ ========================================================================= 3. Overview of changes for member authorities ========================================================================= The following CP/CPS changes were approved by the EUGridPMA. The modification of the policy documents by the authorities below comply with the minimum requirements and have been reviewed by the PMA. They are listed below for informational purposes to our relying parties: * New authorities accredited under the "classic" profile include the DFN (Deutsche Forschung Netz) Grid-PKI, the IHEP (China) CA, and the Russian Data Intensive Grid CA (which will replace the Russian DataGrid CA). * UK e-Science CA A new CP/CPS took effect on May 15th. It does not affect procedures except to tighten them. The current practice is described in more detail. See http://www.grid-support.ac.uk/ca/ for the new version * Grid-FR The emailAddress name component has been removed from all certificate subject names. * GermanGrid CA (GridKA-CA) New policy version 1.2 clarifies wording, especially in sections 3.1.9 Authentication of Individual Identity. * CESNET The CESNET CA is switching both the software and the hardware (HSM based) which means that the procedures are going to change rather fundamentally (that's why the major version number was changed). More information on the CESNET CA web site http://www.cesnet.cz/pki/ =========================================================================

1 0

EUGridPMA new accredited CA distribution (version 0.28)
by David Groep 30 Apr '05

30 Apr '05

Dear CAs, Relying Parties, Users, and all others interested, Release 0.29 of the CA distribution available --------------------------------------------- A new distribution of Accredited Authorities by the EUGridPMA, release version 0.29, is now available for download from the EUGridPMA Repository https://www.eugridpma.org/distribution/current/ You can download the new packages and install them at your convenience. Changes from 0.28 to 0.29 ------------------------- (27 April 2005) * New root certificate for the NIIF/Hungarnet CA, following the TACAR update * Preliminary inclusion of the SWITCH CA certificates. Note that the ordering of the components in the end-entity DN will currently prevent the end-entity certs to be validated (this is being addressed by SwissSign) * Modified layout of the tar distribution, in preparation for support of multiple authentication profiles Note also that from this release on the (expired) DOESG root CA has been withdrawn from the "accredited/" directory. For those using RPM based linux distribution, a "meta-RPM" is available from the repository, ca_policy_eugridpma-0.29-1.noarch.rpm, that contains dependencies on the RPMs of all accredited CAs. The repository is suitable for "yum" based automatic updates. The next release (0.30) of the CA RPMs is to be expected around July 2005, (of course barring special circumstances). Regards, David Groep Chair. PS: Please circulate this announcement widely as appropriate.

1 0

EUGridPMA new accredited CA distribution (version 0.28)
by David Groep 06 Apr '05

06 Apr '05

Dear CAs, Relying Parties, Users, and all others interested, Release 0.28 of the CA distribution available --------------------------------------------- A new distribution of Accredited Authorities by the EUGridPMA, release version 0.28, is now available for download from the EUGridPMA Repository https://www.eugridpma.org/distribution/current/ You can download the new packages and install them at your convenience. Changes from 0.27 to 0.28 ------------------------- (6 April 2005) * Added the root certs for the newly accredited CAs "AustrianGrid" and "NIIF/Hungarnet" * updated signing policy file of SiGNET CA to handle new emailAddress DN component name * added "BalticGrid CA" in the "worthless" section, for experimentation by AndersW * UKeScience CA changed to SHA1 digest for the root certificate * new CRL and CA URLs for both CyGrid CAs In this release, a configuring/installer tar-ball has been added as an alternative for the RPM installation. The tar-ball contains the accredited CAs and can be installed via the conventional triplet: ./configure [--prefix=path] && make && make install For those using RPM based linux distribution, a "meta-RPM" is available from the repository, ca_policy_eugridpma-0.28-1.noarch.rpm, that contains dependencies on the RPMs of all accredited CAs. The repository is suitable for "yum" based automatic updates. The next release (0.29) of the CA RPMs is expected in May 2005. Regards, David Groep Chair. PS: Please circulate this announcement widely as appropriate. -- David Groep ** National Institute for Nuclear and High Energy Physics, PDP/Grid group ** ** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **

1 0

New Release of CA RPMs and other news
by David Groep 23 Feb '05

23 Feb '05

Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the EUGridPMA: -1- New CA distribution v0.27 available -2- Update of the Minimum Requirements for Accreditation (v3.2) Release 0.27 of the CA distribution available --------------------------------------------- A new distribution of Accredited Authorities by the EUGridPMA, release version 0.27, is now available for download from the EUGridPMA Repository https://www.eugridpma.org/distribution/current/ Please download the new packages and install them at your earliest convenience, since the new package includes upgrades to some of the existing CAs as well (CNRS Grid-FR and CyGrid) and it fixes a problem with the use of the UK e-Science CA with recent versions of the OpenSSL package. Changes from 0.26 to 0.27 (22 February 2005): * added additional entry to UKeScience signing policy file to accomodate openssl 0.9.7c rendering of emailAddress component in the subject DN * updated DutchGrid CA cert from web site: extended lifetime to 2021 and changed digest algorithm from MD5 to SHA1 * added a tar-ball distribution with a configure scrfipt for convenience * Removed DOESG-Root from the accredited CA list, as per request of of the CA on January 28, 2005. There are no certs left issued by this CA. * Added Grid-FR CA by CNRS, and extended the signing_policy file of the associated CNRS-Projets CA. * A new root certificate for the CyGrid CA (with a new subject name). The old CyGrid CA has been moved to "-old". Both are in the accredited list. The next release (0.28) of the CA RPMs is expected for the end of March 2005. Update of the Minimum Requirements for Accreditation ---------------------------------------------------- The Minimum Requirements guidelines document has been clarified and elaborated in several places, bringing it better in line again with the common minimum requirements that are coordinated globally via the International Grid Federation (IGF) and to make them less ambiguous. This does not alter the meaning of the requirements in any way. Thew new version of the document (v3.2) is also available from the web site at http://www.eugridpma.org/guidelines/ The changes are: * better synchronisation with the APGridPMA guidelines (and our own version 2.1) regarding recovation of certificates. * clarification of wording regarding the uniqueness of subject names * a list of CA and RA personnel must now be explicitly maintained * worded more carefully what the PMA expects regarding scope of new CAs, and the expected level of commitment and sustainability of member CAs * the description of the profile of end-entity certificates, that was in section 4, has been made explicit in a new subsection 4.1. New requirements in this area include a compulsory inclusion of the CRLDistributionPoints extension, and also AuthorityInfoAccess in case the CA operated a production-level OCSP responder. * the use of MD5 has been depricated Regards, David Groep. PS: to leave this mailing list, please visit the EUGridPMA link below and look at the Subscriber options at the bottom of the page: http://mailman.eugridpma.org/cgi-bin/listinfo/eugridpma-announce

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

eugridpma-announce