Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.68 available
============================================================================
1. Updated IGTF distribution version 1.68 available
============================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.68 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.67 to 1.68
-------------------------
(5 October 2015)
* Discontinued CALG CA (LV)
* Added experimental KENET CAs (KE)
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of October 2015.
=========================================================================
REPEATED NOTICES
=========================================================================
Use in coordinated-deployment infrastructures
---------------------------------------------
If you are part of a coordinated-deployment infrastructure (e.g. a national
or regional e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI or others) you may
want to await their announcement before installing the release. They could
include localised adaptations. For reference we include the links below:
PRACE-RI http://winnetou.surfsara.nl/prace/certs/
EGI https://wiki.egi.eu/wiki/EGI_IGTF_Release
wLCG https://lcg-ca.web.cern.ch
Open Science Grid https://software.grid.iu.edu/cadist/
Supplementary download locations
--------------------------------
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/
and by the EUGridPMA at
https://dist.eugridpma.info/distribution/igtf/
Where possible validate trust anchors with the GEANT TACAR Repository
https://www.tacar.org/
About this news letter
----------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/
+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it |
| contains, please read the information at |
| https://dist.igtf.net/distribution/igtf/README.txt |
| |
| This file contains important information for new users and should be |
| read before installing this Distribution. |
+-----------------------------------------------------------------------+
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the EUGridPMA PMA at
<info(a)eugridpma.org> or your Regional Policy Management Authority. See
the IGTF web site (www.igtf.net) for further information.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.67 available
*** The IGTF recommends to update to this new release
*** as soon as reasonably possible
============================================================================
1. Updated IGTF distribution version 1.67 available
============================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
To forestall a (very small) risk to the integrity of the trust fabric, we
recommend that you install this 1.67 release as soon as reasonably possible.
This is version 1.67 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.65 to 1.67
-------------------------
(31 August 2015 - release jump, skipping 1.66)
* Discontinued NCSA-mics CA (US)
* Withdrawn G2 root for IPM CA (IR)
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of September 2015.
============================================================================
2. New meta-data info file data in 1.65 release
============================================================================
Each trust anchor in the IGTF distribution comes with an associated file
with relevant meta-data: the URL of the revocation list, the emergency
contact email address, the fingerprint to verify integrity, the short alias
name (file name) and some more data.
The name of the trust anchor (for PKIX anchor: the subject distinguished
name) has been added to this meta-data in the "subject" attribute. For the
policy meta-packages (with the "policy-igtf-{classic,mics,slcs,iota}.info"
files), the "subject" attribute is a list of comma-separated subject names
of all trust anchors that are accredited under the named authentication
profile (AP).
All subject names are double-quoted strings. The syntax of the .info meta-
data files is described in <http://wiki.eugridpma.org/Main/IGTFInfoFile>.
We envision that these subject names will be used for implementing SSL
monitoring use cases, and to support access control and authorization decisions
based on the IGTF accreditation status in combination with other relevant
external attributes.
There is also a 'discontinued' meta-file that lists all trust anchors that
have been withdrawn and must no longer be used. Also to this package a list
of subject names has been added (only for those subject names that have not
been re-used in an updated trust anchor version). This list can be used for
verification purposes to inspect whether any discontinued trust anchors are
inadvertently still active in a particular installation.
============================================================================
3. End of support for RPM yum version 2 and RPM-APT
============================================================================
The data for Yum v2 ("headers") and apt-rpm ("apt/RPMS.profile"), although
still present in the 1.65 distribution, are no longer supported. They will
be removed in an upcoming release.
The 1.65 distribution has been built on a new (RHEL6-compatible) platform
that does not natively support the apt-rpm model any more.
============================================================================
4. IGTF uses new build platform
============================================================================
The more observant of the IGTF relying parties may notice that the RPM
packaging indicates a new build host (Build Host: el6vbx.localdomain) and
was created using a higher version of the RPM build system. This new build
host is expected: the distribution is now built in a (virtualised) RHEL6-
compatible environment that is hosted on a new (similarly secured) system.
The source continues to come from the IGTF Common Source version control
system and the data are verified against this common source. The change
(from "streng.nikhef.nl" to "el6vbx.localdomain") is expected.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.65 available
2. New meta-data info file data in 1.65 release
3. End of support for RPM yum version 2 and RPM-APT
4. IGTF uses new build platform
============================================================================
1. Updated IGTF distribution version 1.65 available
============================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.65 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.64 to 1.65
-------------------------
(29 June 2015)
* Discontinued NAREGI CA (JP)
* Added additional G2 root for IPM CA (IR)
* Added new subjectdn attribute to the trust anchor and profile meta-data
files to aid monitoring and authentication-profile based access control
mechanism use cases. See http://wiki.eugridpma.org/Main/IGTFInfoFile (ALL)
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of September 2015.
============================================================================
2. New meta-data info file data in 1.65 release
============================================================================
Each trust anchor in the IGTF distribution comes with an associated file
with relevant meta-data: the URL of the revocation list, the emergency
contact email address, the fingerprint to verify integrity, the short alias
name (file name) and some more data.
The name of the trust anchor (for PKIX anchor: the subject distinguished
name) has been added to this meta-data in the "subject" attribute. For the
policy meta-packages (with the "policy-igtf-{classic,mics,slcs,iota}.info"
files), the "subject" attribute is a list of comma-separated subject names
of all trust anchors that are accredited under the named authentication
profile (AP).
All subject names are double-quoted strings. The syntax of the .info meta-
data files is described in <http://wiki.eugridpma.org/Main/IGTFInfoFile>.
We envision that these subject names will be used for implementing SSL
monitoring use cases, and to support access control and authorization decisions
based on the IGTF accreditation status in combination with other relevant
external attributes.
There is also a 'discontinued' meta-file that lists all trust anchors that
have been withdrawn and must no longer be used. Also to this package a list
of subject names has been added (only for those subject names that have not
been re-used in an updated trust anchor version). This list can be used for
verification purposes to inspect whether any discontinued trust anchors are
inadvertently still active in a particular installation.
============================================================================
3. End of support for RPM yum version 2 and RPM-APT
============================================================================
The data for Yum v2 ("headers") and apt-rpm ("apt/RPMS.profile"), although
still present in the 1.65 distribution, are no longer supported. They will
be removed in an upcoming release.
The 1.65 distribution has been built on a new (RHEL6-compatible) platform
that does not natively support the apt-rpm model any more.
============================================================================
4. IGTF uses new build platform
============================================================================
The more observant of the IGTF relying parties may notice that the RPM
packaging indicates a new build host (Build Host: el6vbx.localdomain) and
was created using a higher version of the RPM build system. This new build
host is expected: the distribution is now built in a (virtualised) RHEL6-
compatible environment that is hosted on a new (similarly secured) system.
The source continues to come from the IGTF Common Source version control
system and the data are verified against this common source. The change
(from "streng.nikhef.nl" to "el6vbx.localdomain") is expected.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
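Added example (not part of the announcement and not IGTF code): one way to use the 'discontinued' subject-name list described above to check whether a withdrawn trust anchor is still installed. The attribute name "subjectdn" is taken from the 1.65 change list; the "key = value" layout, "#" comments and backslash line continuation are assumptions about the .info syntax, and all file names and subject names below are constructed.

```python
import re


def parse_info(text):
    """Parse .info meta-data into a dict.

    Assumed syntax: 'key = value' lines, '#' comment lines, and a trailing
    backslash that continues the value on the next line.
    """
    attrs = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            logical += line[:-1].strip() + " "
            continue
        logical += line
        # Split on the first '=' only: subject names contain '=' themselves.
        key, sep, value = logical.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
        logical = ""
    return attrs


def subject_dns(attrs):
    """Return the double-quoted subject names of a 'subjectdn' value.

    Splitting on quotes rather than on commas keeps names that contain a
    comma (e.g. "O=Sample, Org") in one piece.
    """
    return re.findall(r'"((?:[^"\\]|\\.)*)"', attrs.get("subjectdn", ""))


def still_active(discontinued_info, installed_infos):
    """List (file, alias, subject) for installed anchors that are withdrawn.

    installed_infos maps a file name to the text of that anchor's .info file.
    """
    withdrawn = set(subject_dns(parse_info(discontinued_info)))
    hits = []
    for name, text in sorted(installed_infos.items()):
        attrs = parse_info(text)
        for dn in subject_dns(attrs):
            if dn in withdrawn:
                hits.append((name, attrs.get("alias", "?"), dn))
    return hits


# Constructed sample data, not taken from any IGTF release.
DISCONTINUED = r"""
# constructed 'discontinued' meta-file
alias = discontinued
subjectdn = "/C=XX/O=Example Grid/CN=Example Old CA", \
    "/C=YY/O=Sample, Org/CN=Sample Retired CA"
"""

INSTALLED = {
    "ExampleOldCA.info": r"""
alias = ExampleOldCA
crl_url = http://crl.example.org/old.crl
subjectdn = "/C=XX/O=Example Grid/CN=Example Old CA"
""",
    "ExampleCurrentCA.info": r"""
alias = ExampleCurrentCA
crl_url = http://crl.example.org/current.crl
subjectdn = "/C=XX/O=Example Grid/CN=Example Current CA"
""",
}

if __name__ == "__main__":
    for name, alias, dn in still_active(DISCONTINUED, INSTALLED):
        print(f"withdrawn anchor still installed: {name} ({alias}) {dn}")
```

In a real installation the mapping would be built by reading the .info files from the trust anchor directory in use.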
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.64 available
2. [repeated] Notice on use of (issuer-subject) combination for users
3. End of support for RPM yum version 2 (headers) distributions
4. End of support for APT-RPM distribution support
=========================================================================
1. Updated IGTF distribution version 1.64 available
=========================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.64 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.63 to 1.64
-------------------------
(1 June 2015)
* Extended validity period of the BalticGrid CA (EE,LT,LV)
* Removed obsolete NICS-MyProxy CA (US)
* Added revised DigiCertGridCA-1G2-Classic-2015 Classic CA (US)
* Updated CRL URL information for TCS G3 by preferring secondary URI (EU)
* Updated RDIG CA with extended validity self-signed root (RU)
* Removed obsolete NCSA-slcs CA, replaced by NCSA-slcs-2013 (US)
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of June 2015.
=========================================================================
2. Notice for system operators using the (issuer-subject) combination
for identifying users
=========================================================================
The IGTF coordinates a trust fabric that provides unique non-reassigned
identifiers to end-entities (users). This means that, within the scope of
the IGTF authorities, you can use the subject name as a key to e.g.
community membership databases, and to assign data ownership and access
rights.
Several updates to this trust anchor distribution incorporate changes to
the name of the issuing authority, but the name of the end-entities and
the users remains exactly the same. This usually permits users to use
those new issuing services without losing (data) ownership or community
memberships.
However, the IGTF is aware that some systems, in particular VOMS and
VOMS-Admin, were traditionally deployed such that also the issuer was used
to identify the users. To make the changes in this and future releases
transparent, all operators of VOMS and VOMS-Admin services are requested to
enable the subject-only name resolution mechanisms in VOMS and VOMS Admin:
- on the VOMS core Attribute Authority service, configure the "-skipcacheck"
flag on start-up. In YAIM this is done by setting "VOMS_SKIP_CA_CHECK"
to true. See https://wiki.italiangrid.it/twiki/bin/view/VOMS/VOMSYAIMGuide
- update VOMS-Admin to version >= 3.3.2, and set "voms.skip_ca_check=True"
in the service properties. For more info, read the release notes at
http://italiangrid.github.io/voms/release-notes/voms-admin-server/3.3.2/
For other products, please refer to the documentation provided by your
supplier. Products such as Apache httpd itself and most web-based products
(MediaWiki, TWiki, etc) use subject-name matching only and are thus
fully compatible. No changes are needed for these and like products.
=========================================================================
3. End of support for RPM yum version 2 ("headers") distributions in 2015
=========================================================================
The IGTF distributes repositories of trust anchors packaged in the RPM
Package Manager format as used by many GNU/Linux distributions. These
repositories come pre-populated with package meta-data used by the
Yellowdog Updater, Modified (yum) in two formats: headers (used by
yum versions 1 and 2), and XML repodata (yum version 3+). The main
platform(s) supported by rpm and yum are Fedora Core, RHEL, and CentOS.
The versions of these distributions that depend on yum version 2 and
the 'headers' meta-data are now no longer supported, and in the long
term the IGTF will no longer be able to generate yum-2 'header' meta-data
for these repositories. This affects Fedora Core 1, 2, and 3, CentOS 3.x,
and RedHat Enterprise Linux 3 when used with yum. The last one (RHEL3)
has reached end of extended life phase in January 2014.
Starting in mid-2015, IGTF repositories may no longer contain the
'headers/' directory with meta-data and thus will no longer support
yum version 2. Relying parties depending on the use of yum version 2
must thereafter (re)generate the relevant repository meta-data.
This change *does not* impact CentOS, nor RHEL4 (end of extended life
foreseen for March 31, 2017), nor FC4, nor later versions of the listed
operating system distributions.
=========================================================================
4. End of support for APT-RPM distribution support
=========================================================================
Support for installing the Redhat Package Manager (RPM) packages using
one of the first package management systems, the Advanced Packaging
Tool ("APT"), is going to be discontinued mid-2015. The use of APT for most
purposes has been superseded by the use of "Yum", and the apt-rpm toolset
has not been maintained since 2008. It is no longer usable as-is with
modern RPM based formats. It may be necessary to discontinue apt-rpm
support because of incompatibilities in the build environment of the
IGTF distribution some time in 2015. In particular, this toolset no
longer compiles or links against the v4.8 rpm development environment.
This change *does not* affect the Debian packaging of the IGTF. The
Debian distribution is self-contained (in .../current/dists/) and does
not share any files with the APT-RPM packages. Apt, the reference
installation mechanism for Debian, will remain fully supported.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement:
1. Updated fetch-crl3 (3.0.16) with improved cache expiry control
mitigating issues with too-long cache control expirations sent by
certain content delivery networks when serving CRLs
=========================================================================
1. Updated fetch-crl3 (3.0.16) with improved cache expiry control
=========================================================================
Some content delivery networks (CDNs), including EdgeCast, may send
HTTP cache control headers that cause fetch-crl to retain a copy
of a certificate revocation list (CRL) beyond its nextUpdate time.
If that happens, this CRL will be considered 'expired' and it will
disable the affected CA.
However, since the HTTP cache headers had previously indicated that
the CRL content was still 'current' as retrieved from the CDN, fetch-crl
will NOT update it. Thus, the affected CA or CAs will be 'disabled'
for the period between nextUpdate and cache expiry.
This currently affects the TERENA "3rd Generation" Trusted Certificate
Service, which is served by DigiCert using the EdgeCast CDN.
Only the EdgeCast CDN (crl3.digicert.com) is affected; the CacheFly CDN
(crl4.digicert.com) does not suffer from this issue.
Fetch-crl 3.0.16 implements additional checks that will force cache
expiration to happen before nextUpdate (by default, nextUpdate must
be at least 7 hours past the cache expiration). It will also limit
the maximum time that fetch-crl will consider a CRL 'current'
(by default maximum 96 hrs), regardless of cache-control headers.
For documentation see http://www.nikhef.nl/grid/fetchcrl3/, and you can
download the new version in RPM and source form at
https://dist.eugridpma.info/distribution/util/fetch-crl/
This new version will also be available through Fedora EPEL and Debian in
due time.
=========================================================================
About this news letter
----------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/
+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it |
| contains, please read the information at |
| https://dist.eugridpma.info/distribution/igtf/README.txt |
| |
| This file contains important information for new users and should be |
| read before installing this Distribution. |
+-----------------------------------------------------------------------+
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the EUGridPMA PMA at
<info(a)eugridpma.org> or your Regional Policy Management Authority. See
the IGTF web site (www.igtf.net) for further information.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
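Added example (not part of the announcement and not fetch-crl's own code): a sketch of the cache-expiry rule described above, showing the window in which a CA is disabled when only the HTTP cache header is honoured, and the expiry after applying the 7-hour margin and the 96-hour limit. Function names, the sample header and the timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MIN_MARGIN = timedelta(hours=7)    # nextUpdate must be at least 7 h past cache expiry
MAX_CURRENT = timedelta(hours=96)  # a CRL is considered 'current' for at most 96 h


def max_age(cache_control):
    """Return the max-age directive of a Cache-Control header, or None."""
    m = re.search(r'(?:^|[,\s])max-age\s*=\s*"?(\d+)', cache_control or "", re.I)
    return timedelta(seconds=int(m.group(1))) if m else None


def naive_expiry(fetched_at, cache_control):
    """Cache expiry when only the HTTP header is honoured."""
    age = max_age(cache_control)
    return fetched_at + age if age is not None else fetched_at


def disabled_window(fetched_at, cache_control, next_update):
    """Time during which the cached CRL is past nextUpdate (so the CA is
    disabled) while the cache still claims the copy is current."""
    gap = naive_expiry(fetched_at, cache_control) - next_update
    return max(gap, timedelta(0))


def clamped_expiry(fetched_at, cache_control, next_update,
                   margin=MIN_MARGIN, cap=MAX_CURRENT):
    """Cache expiry after applying both limits from the announcement.

    The earliest of three moments wins: the header's own expiry, nextUpdate
    minus the margin, and retrieval time plus the cap. A result is never
    earlier than the retrieval time, which means "refresh on the next run".
    """
    candidates = (
        naive_expiry(fetched_at, cache_control),
        next_update - margin,
        fetched_at + cap,
    )
    return max(fetched_at, min(candidates))


# Constructed sample: a CDN answers with a 7-day max-age for a CRL whose
# nextUpdate is only 3 days after retrieval.
FETCHED = datetime(2015, 4, 20, 0, 0, tzinfo=timezone.utc)
HEADER = "public, max-age=604800"
NEXT_UPDATE_SOON = FETCHED + timedelta(days=3)
NEXT_UPDATE_LATE = FETCHED + timedelta(days=10)

if __name__ == "__main__":
    print("CA disabled for:", disabled_window(FETCHED, HEADER, NEXT_UPDATE_SOON))
    print("clamped expiry :", clamped_expiry(FETCHED, HEADER, NEXT_UPDATE_SOON))
    print("capped expiry  :", clamped_expiry(FETCHED, HEADER, NEXT_UPDATE_LATE))
```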
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.63 available
2. [repeated] Notice for system operators using the (issuer-subject)
combination for identifying users
=========================================================================
1. Updated IGTF distribution version 1.63 available
=========================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.63 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.62 to 1.63
-------------------------
(30 March 2015)
* Removed obsoleted and replaced NIIF CA (HU)
* Extended validity period of the KEK CA (JP)
* Removed obsoleted d254cc30/CERN-Root 1d879c6c/CERN-TCA anchors (CERN)
* Updated RPDNC namespaces to permit DigiCert Grid Trust G2 ICAs for
DigiCert Assured ID Root CA (US)
* Updated RPDNC namespaces and signing_policy files for G2 series
DigiCert Grid CAs pending ICA reissuance for reverse RDN issue (US)
* Normalised cond_subject syntax for multiple signing policy files
cilogon-basic cilogon-silver InCommon-IGTF-Server-CA NCSA-slcs-2013
NCSA-tfca-2013 Comodo-RSA-CA
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of April 2015.
=========================================================================
2. Notice for system operators using the (issuer-subject) combination
for identifying users
=========================================================================
The IGTF coordinates a trust fabric that provides unique non-reassigned
identifiers to end-entities (users). This means that, within the scope of
the IGTF authorities, you can use the subject name as a key to e.g.
community membership databases, and to assign data ownership and access
rights.
Several updates to this trust anchor distribution incorporate changes to
the name of the issuing authority, but the name of the end-entities and
the users remains exactly the same. This usually permits users to use
those new issuing services without losing (data) ownership or community
memberships.
However, the IGTF is aware that some systems, in particular VOMS and
VOMS-Admin, were traditionally deployed such that also the issuer was used
to identify the users. To make the changes in this and future releases
transparent, all operators of VOMS and VOMS-Admin services are requested to
enable the subject-only name resolution mechanisms in VOMS and VOMS Admin:
- on the VOMS core Attribute Authority service, configure the "-skipcacheck"
flag on start-up. In YAIM this is done by setting "VOMS_SKIP_CA_CHECK"
to true. See https://wiki.italiangrid.it/twiki/bin/view/VOMS/VOMSYAIMGuide
- update VOMS-Admin to version >= 3.3.2, and set "voms.skip_ca_check=True"
in the service properties. For more info, read the release notes at
http://italiangrid.github.io/voms/release-notes/voms-admin-server/3.3.2/
For other products, please refer to the documentation provided by your
supplier. Products such as Apache httpd itself and most web-based products
(MediaWiki, TWiki, etc) use subject-name matching only and are thus
fully compatible. No changes are needed for these and like products.
=========================================================================
REPEATED NOTICES
=========================================================================
Use in coordinated-deployment infrastructures
---------------------------------------------
If you are part of a coordinated-deployment infrastructure (e.g. a national
or regional e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI or others) you may
want to await their announcement before installing the release. They could
include localised adaptations. For reference we include the links below:
PRACE-RI http://winnetou.sara.nl/prace/certs/
EGI https://wiki.egi.eu/wiki/EGI_IGTF_Release
wLCG https://lcg-ca.web.cern.ch
Open Science Grid https://software.grid.iu.edu/cadist/
Supplementary download locations
--------------------------------
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/
and by the EUGridPMA at
https://dist.eugridpma.info/distribution/igtf/
Where possible validate trust anchors with the GEANT TACAR Repository
https://www.tacar.org/
About this news letter
----------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/
+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it |
| contains, please read the information at |
| https://dist.igtf.net/distribution/igtf/README.txt |
| |
| This file contains important information for new users and should be |
| read before installing this Distribution. |
+-----------------------------------------------------------------------+
If you have suggestions or improvements for the distribution format,
to have it better suit your needs, please contact the EUGridPMA PMA at
<info(a)eugridpma.org> or your Regional Policy Management Authority. See
the IGTF web site (www.igtf.net) for further information.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.62 available
2. Notice for system operators using the (issuer-subject) combination
for identifying users
=========================================================================
1. Updated IGTF distribution version 1.62 available
=========================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.62 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.61 to 1.62
-------------------------
(23 February 2015)
* Added Root CA 2 for NIIF (HU)
* Extended validity period for pkIRISgrid CA (ES)
* Updated DigiCert root CA meta-data in preparation for TCS (US)
* Included GEANT TCS CA G3 trust anchors (EU)
* Temporarily suspended HIAST/74c6eaeb for operational reasons (SY)
* Discontinued ULAGrid-CA-2008 CA (VE)
* Discontinued NCHC CA (TW)
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of March 2015.
=========================================================================
2. Notice for system operators using the (issuer-subject) combination
for identifying users
=========================================================================
The IGTF coordinates a trust fabric that provides unique non-reassigned
identifiers to end-entities (users). This means that, within the scope of
the IGTF authorities, you can use the subject name as a key to e.g.
community membership databases, and to assign data ownership and access
rights.
Several updates to this trust anchor distribution incorporate changes to
the name of the issuing authority, but the name of the end-entities and
the users remains exactly the same. This usually permits users to use
those new issuing services without losing (data) ownership or community
memberships.
However, the IGTF is aware that some systems, in particular VOMS and
VOMS-Admin, were traditionally deployed such that also the issuer was used
to identify the users. To make the changes in this and future releases
transparent, all operators of VOMS and VOMS-Admin services are requested to
enable the subject-only name resolution mechanisms in VOMS and VOMS Admin:
- on the VOMS core Attribute Authority service, configure the "-skipcacheck"
flag on start-up. In YAIM this is done by setting "VOMS_SKIP_CA_CHECK"
to true. See https://wiki.italiangrid.it/twiki/bin/view/VOMS/VOMSYAIMGuide
- update VOMS-Admin to version >= 3.3.2, and set "voms.skip_ca_check=True"
in the service properties. For more info, read the release notes at
http://italiangrid.github.io/voms/release-notes/voms-admin-server/3.3.2/
For other products, please refer to the documentation provided by your
supplier. Products such as Apache httpd itself and most web-based products
(MediaWiki, TWiki, etc) use subject-name matching only and are thus
fully compatible. No changes are needed for these and like products.
=========================================================================
REPEATED NOTICES
=========================================================================
Use in coordinated-deployment infrastructures
---------------------------------------------
If you are part of a coordinated-deployment infrastructure (such as a
national e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI and others) you
may want to await your project announcement before installing this
release.
The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/
and by the EUGridPMA at
https://dist.eugridpma.info/distribution/igtf/
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
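The difference between (issuer, subject) and subject-only resolution described in the notice above, as an added example that is not VOMS code and not part of the IGTF announcement. All DNs, group names and function names are constructed placeholders, and the accredited-issuer set stands in for the installed trust anchors.

```python
# Added illustration; all DNs are constructed placeholders, not real IGTF names.
OLD_CA = "/DC=org/DC=example/CN=Example Grid CA"
NEW_CA = "/DC=org/DC=example/CN=Example Grid CA G2"   # same authority, renamed issuer
ROGUE_CA = "/DC=net/DC=invalid/CN=Unaccredited CA"
ALICE = "/DC=org/DC=example/O=Users/CN=Alice Example"
BOB = "/DC=org/DC=example/O=Users/CN=Bob Example"

# Stand-in for the installed trust anchors: in a real service the TLS layer
# validates the chain against the distribution before any lookup happens.
ACCREDITED_ISSUERS = {OLD_CA, NEW_CA}

# Legacy membership table keyed on (issuer, subject).
LEGACY_MEMBERS = {
    (OLD_CA, ALICE): {"vo-members", "data-owners"},
    (OLD_CA, BOB): {"vo-members"},
    (NEW_CA, BOB): {"vo-admins"},   # Bob already re-registered under the new issuer
}


def rekey_by_subject(legacy):
    """Collapse (issuer, subject) rows into one row per subject.

    Safe only because subjects are unique and never reassigned across the
    accredited issuers; rows from any other issuer are dropped.
    """
    members = {}
    for (issuer, subject), groups in legacy.items():
        if issuer in ACCREDITED_ISSUERS:
            members.setdefault(subject, set()).update(groups)
    return members


SUBJECT_MEMBERS = rekey_by_subject(LEGACY_MEMBERS)


def lookup_issuer_subject(issuer, subject):
    """Legacy behaviour: the issuer name is part of the identity key."""
    return LEGACY_MEMBERS.get((issuer, subject))


def lookup_subject_only(issuer, subject):
    """Subject-only resolution, still scoped to accredited issuers."""
    if issuer not in ACCREDITED_ISSUERS:
        return None
    return SUBJECT_MEMBERS.get(subject)


if __name__ == "__main__":
    print(lookup_issuer_subject(NEW_CA, ALICE))   # membership lost after the rename
    print(lookup_subject_only(NEW_CA, ALICE))     # membership retained
    print(lookup_subject_only(ROGUE_CA, ALICE))   # refused: issuer not accredited
```

Dropping the issuer from the key does not drop the issuer check: the subject is only meaningful when the certificate chains to an accredited authority.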
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.61 available
=========================================================================
1. Updated IGTF distribution version 1.61 available
=========================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.61 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.60 to 1.61
-------------------------
(1 December 2014)
* Added new IPv6-capable crl_url entries for NCSA and CILogon CAs (US)
* Added accredited TSU (Georgia) CA (GE)
* Extended life time and updated digest function of AustrianGrid CA (AT)
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of January 2015.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.60 available
=========================================================================
1. Updated IGTF distribution version 1.60 available
=========================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.60 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.59 to 1.60
-------------------------
(27 October 2014)
* Added new SHA-2 hierarchies for TERENA Certificate Service (ed. 2009) (EU)
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of November 2014.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the IGTF:
1. Updated IGTF distribution version 1.59 available
2. End of support for RPM yum version 2 (headers) distributions in 2015
=========================================================================
1. Updated IGTF distribution version 1.59 available
=========================================================================
A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.
This is version 1.59 release 1 and it is now available for download from
the Repository (and mirrors) at
https://dist.igtf.net/distribution/igtf/current/
Changes from 1.58 to 1.59
-------------------------
(release date 2014-09-29)
* Added accredited mics HPCI CA (JP)
* Updated crl_url for NCSA-slcs-2013 and NCSA-tfca-2013 (US)
* Renamed QuoVadis classic grid issuing CA to QuoVadis-Grid-ICA (CH, BM)
NOTE: although this appears to obsolete the SWITCH-QV intermediate trust
anchor, it is merely a re-naming. The new QuoVadis-Grid-ICA
provides the same trust anchor and will continue to support the
Swiss subscriber base of QuoVadis without any change.
Next Release
------------
Releases are usually done on the last Monday of the month, only when
the trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the
end of October 2014.
=========================================================================
2. End of support for RPM yum version 2 ("headers") distributions in 2015
=========================================================================
The IGTF distributes repositories of trust anchors packaged in the RPM
Package Manager format as used by many GNU/Linux distributions. These
repositories come pre-populated with package meta-data used by the
Yellowdog Updater, Modified (yum) in two formats: headers (used by
yum versions 1 and 2), and XML repodata (yum version 3+). The main
platform(s) supported by rpm and yum are Fedora Core, RHEL, and CentOS.
The versions of these distributions that depend on yum version 2 and
the 'headers' meta-data are now no longer supported, and in the long
term the IGTF will no longer be able to generate yum-2 'header' meta-data
for these repositories. This affects Fedora Core 1, 2, and 3, CentOS 3.x,
and RedHat Enterprise Linux 3 when used with yum. The last one (RHEL3)
has reached end of extended life phase in January 2014.
Starting in January 2015, IGTF repositories may no longer contain the
'headers/' directory with meta-data and thus will no longer support
yum version 2. Relying parties depending on the use of yum version 2
must thereafter (re)generate the relevant repository meta-data.
This change *does not* impact CentOS, nor RHEL4 (end of extended life
foreseen for March 31, 2017), nor FC4, nor later versions of the listed
operating system distributions.
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **