From: David Groep info@eugridpma.org
Date: Tue, 20 May 2006 12:00:00 +0200
Subject: New version of "fetch-crl" available and selected CRL issues
Dear CAs, Relying Parties, Users, and all others interested,
In this announcement of the EUGridPMA:
1. Clock skew problem with HellasGrid and SEE-GRID CAs resolved
2. Fetch-CRL utility updated to deal with CRLs issued in the future
We hope that you find this update useful and welcome any comments you may have. Also, feel free to redistribute this information widely as you see appropriate.
Regards, David Groep
For more information about this newsletter and the mailing list, please refer to the EUGridPMA web site at https://www.eugridpma.org/
=========================================================================
1. Clock skew problem with HellasGrid and SEE-GRID CAs resolved
=========================================================================
The following information is provided courtesy of the HellasGrid and SEE-GRID-Catch-all Authorities:
A problem came to our attention regarding all the CRLs issued by both the HellasGrid and SEE-GRID CAs starting from 5/5/2006.
For an unknown reason there was a clock skew on the computer running the CA off-line services, which resulted in the clock being set 23 days forward into the future. [...] The result was that CRLs were issued and published with the last update field having the date 28 May.
We have generated a new CRL with the current date that will fix the problem [..], but a new [...] problem has been introduced. The [previous version of] edg-fetch-crl, used by many Grid sites, performs a check on the value of the last update field and refuses to download a CRL that has a date older than the currently installed CRL (logging an error via syslog).
This problem has been resolved as of May 19th, 11:26 hrs GMT.
In order for this new CRL to be correctly processed by the fetch-crl utility, which is provided as a service by (amongst others) the EUGridPMA, relying parties that use fetch-crl should upgrade to the latest version. Unless you upgrade to the new version of fetch-crl, the new, correct CRLs for the HellasGrid and SEE-GRID CAs will NOT be retrieved. Please see section 2 of this announcement for details.
[thanks to Christos Kanellopoulos for the analysis of this issue]
=========================================================================
2. Fetch-CRL utility updated to deal with CRLs issued in the future
=========================================================================
As a courtesy service to the community, the EUGridPMA provides the "fetch-crl" utility - originally developed by Fabio Hernandez, CC-IN2P3 - to periodically retrieve CRLs from the web sites of the certification authorities. This utility is extremely careful not to replace CRLs that already exist locally with ones that are downloaded from the web. Versions up to and including EGP-2.5.1 are slightly too careful, and will also refuse to install a newly downloaded correct CRL if the currently installed one has an issuance date in the future. Thus, versions <= EGP-2.5.1 cannot be used to retrieve the corrected CRLs issued by the HellasGrid and SEE-GRID CAs on May 19th.
A new version of fetch-crl (EGP-2.6.0) that corrects this issue, as well as adding a non-suppressable warning about newly-downloaded but not-yet-valid CRLs, is now available from the EUGridPMA web site at:
http://www.eugridpma.org/distribution/util/fetch-crl/
in RedHat Package Management (RPM) and gzipped-tarball format.
Changes in version EGP 2.6 (2006.05.20)
--------------------------
* if the current local CRL has a lastUpdate time in the future, and the newly downloaded CRL is older than the current one, allow the installation of the newly downloaded CRL and issue a warning.
* added a non-suppressable warning in case the newly downloaded CRL has a lastUpdate time in the future, but install that CRL anyway (as the local clock might have been wrong).
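The replacement decision described in section 1 and in the two changelog entries above, as an added illustration (not the fetch-crl code itself): the function compares the lastUpdate of the installed and the downloaded CRL against the local clock, with legacy=True reproducing the EGP-2.5.1 refusal and legacy=False the EGP-2.6.0 behaviour. The scenario dates are constructed from those in the announcement; times are omitted.

```python
from datetime import datetime


def decide_install(local_last_update, new_last_update, now, legacy=False):
    """Decide whether a freshly downloaded CRL replaces the installed one.

    local_last_update: lastUpdate of the installed CRL (None if none installed)
    new_last_update:   lastUpdate of the downloaded CRL
    now:               the local clock
    legacy=True models EGP-2.5.1, legacy=False models the EGP-2.6.0 fix.
    Returns (install, warnings); a real tool would send the warnings to syslog.
    """
    warnings = []
    if local_last_update is None or new_last_update >= local_last_update:
        install = True  # normal case: a newer (or identical) CRL was downloaded
    elif not legacy and local_last_update > now:
        # EGP-2.6.0: the installed CRL claims to come from the future, so the
        # older downloaded CRL is the one to trust; install it and warn.
        warnings.append(
            "installed CRL lastUpdate %s is in the future; replacing it with "
            "older downloaded CRL dated %s" % (local_last_update, new_last_update))
        install = True
    else:
        install = False  # downloaded CRL is older: keep the installed one
    if install and not legacy and new_last_update > now:
        # EGP-2.6.0 only: non-suppressable warning, but the CRL is installed
        # anyway because the local clock may be the one that is wrong.
        warnings.append(
            "newly downloaded CRL lastUpdate %s is in the future; installing "
            "anyway" % new_last_update)
    return install, warnings


# Constructed scenario values (dates taken from the announcement, no times)
NOW = datetime(2006, 5, 20)            # day of the announcement
SKEWED_CRL = datetime(2006, 5, 28)     # CRL issued with the CA clock 23 days ahead
CORRECTED_CRL = datetime(2006, 5, 19)  # corrected CRL issued on May 19th
OLD_CRL = datetime(2006, 5, 5)         # last CRL before the skew started

if __name__ == "__main__":
    # Site holding the skewed CRL tries to fetch the corrected one:
    print("EGP-2.5.1:", decide_install(SKEWED_CRL, CORRECTED_CRL, NOW, legacy=True))
    print("EGP-2.6.0:", decide_install(SKEWED_CRL, CORRECTED_CRL, NOW))
    # Site holding the 5 May CRL downloads the skewed 28 May CRL:
    print("EGP-2.6.0:", decide_install(OLD_CRL, SKEWED_CRL, NOW))
```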
Installations that use YUM package management can add
http://www.eugridpma.org/distribution/util/
to their yum.conf file and upgrade in that way.
=========================================================================
Additional Information
=========================================================================
Notice: The next release of the IGTF Accredited Authority distribution is expected in early June, 2006.