From: David Groep Date: Mon, 7 Feb 2011 14:00:00 +0100 Subject: Updated IGTF distribution 1.38 and format change Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.38 available 2. Distribution format changes in the wake of OpenSSL version 1 3. New version 3 of the CRL retrieval tool fetch-crl available ========================================================================= 1. Updated IGTF distribution version 1.38 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.38, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ (OpenSSL v1 compatible format) *** note that the default format changed in this release *** Changes from 1.37 to 1.38 ------------------------- (7 February 2011) * Updated meta-data info file for SRCE (HR) * Updated KEK CA root (617ff41b) with extended life time (JP) * Updated contact email address for ArmeSFo (AM) * Extended allowed namespace and new URL for SEE-GRID CA as EGI catch-all (EU) * Extended allowed namespace for NAREGI CA (JP) * Added accredited CILogin MICS CA (US) * Extended life time for NCSA CACL (MICS) CA (US) * Extended life time for NCSA MyProxy (SLCS) CA (US) * Extended life time for NorduGrid CA (DK,NO,SE,FI,IS) * Corrected namespaces file for TCS eScience Personal (EU) This 1.38 release has been built with RPM version 4.4.2.3 and Java 1.6. If you are part of a coordinated-deployment project (such as a national grid infrastructure, EGI, OSG, PRACE, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/ Next Release ------------ The next release of the distribution is expected in April 2011. ========================================================================= 2. Distribution format changes in the wake of OpenSSL version 1 ========================================================================= IMPORTANT NOTICE ---------------- This distribution comes in two (2) formats. The primary format for this release supports OpenSSL v1 and is designed to be backwards compatible with the old distribution format. If you experience issues with the new format, the old non-OpenSSL-v1 version is still available at https://dist.eugridpma.org/distribution/igtf/current-old/ but you should upgrade as soon as practically possible. This 1.38 will be the LAST VERSION that has such a compatibility package. For more information, please refer to the February 15th newsletter: https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt ========================================================================= 3. New version 3 of the CRL retrieval tool available ========================================================================= Downloading CRLs is a critical component in keeping the integrity and security of the trust fabric -- and CRLs should be updated frequently (preferably several times per day). To facilitate automated retrieval of certificate revocation lists (CRLs) by relying parties, the 'fetch-crl' utility is distributed by the IGTF. This tool has been redesigned completely to incorporate new features: - support for OpenSSL version 1 and dual-hash trust anchor naming - parallel downloads to speed up retrieval (from minutes to seconds) - built-in caching support to reduce bandwidth consumption - site- and infrastructure-level fail-over and override mechanisms Relying parties are encouraged to upgrade to this new version 3, available from the EUGridPMA web site and from popular Linux distribution (add-on) repositories such as Fedora, Debian and EPEL. Fetch-crl3 is independent of any software suite and can be used in conjunction with all popular OpenSSL, BouncyCastle and NSS based products. https://dist.eugridpma.info/distribution/util/fetch-crl3/ The documentation and full list of features can be found at http://www.nikhef.nl/grid/fetchcrl3/ Fetch-crl3 is made available under the Apache License version 2.0. The 2.8 series fetch-crl will remain supported until Q2 2012 but new features will no longer be added. Support for the 2.7 series will end on March 31st, 2011. ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file contains important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information.