EUGridPMA Technical Documents
- Namespace constraints file format and semantics
  (Adobe PDF)
  (MS Word)
  
  This document describes the format and parsing rules for the namespaces file
  as shipped with the EUGridPMA and IGTF distributions of the accredited
  authorities. It augments the existing signing_policy scheme for
  relying-party-defined name constraints on the valid subject identifiers from
  trusted identity providers.
   
  It describes the specific expression of this namespace constraints
  policy as a policy file stored in a file system, and the processing and
  interpretation semantics of the policy file by compliant software
  implementations.
   
   
  
  
- EACL signing_policy file format
  This document describes the signing_policy file format used by the
  Globus Toolkit "OLD-GAA" API to restrict the subject signing namespace.
   
  Note that due to implementation limitations in all Globus Toolkit
  versions, the EUGridPMA and IGTF only use positive rights EACL rules.
   
  
  
- OID for Proxy Delegation Tracing
  This document defines the OID allocation from the IGTF used for experimental
  proxy certificate delegation tracing. It assigns OID arc
  1.2.840.113612.5.5.1.1.1 for the use of identifying attributes in RFC 3820
  proxy certificates that facilitate the tracing of delegations in a proxy
  certificate chain.
   
  
  
- HASHRAT SHA-1 Hash Function Risk Assessment
  The most commonly used hash algorithm in IGTF PKI implementations today is
  SHA-1, which is, however, increasingly vulnerable to attacks, and its
  continued use may soon start posing a threat to the IGTF PKI. However,
  moving to a more modern hash like SHA-2 (or soon SHA-3) has operational
  consequences for the e-Infrastructure relying on the IGTF PKI in that
  not all software implementations can currently work with SHA-2. In
  this document we assess the risk of attacks on SHA-1 with respect to
  the integrity of the trust fabric and the impact of moving to SHA-2
  at a given point in time on the operational infrastructure.
   
   
  
  
- Registration Practice Statement
  The RPS outlines the procedures that the community members of the Registration Authority follow to comply with the Profile. A Registration Authority (RA) is responsible for the verification prior to the issuance of credentials issued under the Policy.
   
   
  
  
 
 
  Comments to David Groep. This site is hosted at Nikhef, subject to the privacy policy.