RC: Need a considerations
Something like - what happens when you have your own CA distribution to integrate
Expired CRLs for Swiss hierarchy
other use cases
DK: How do I know that I got the correct distribution?
DG: There are 2:
the machine is a dedicated server
the distro is signed by a PGP key
DEISA - need to add add'l certs
We say, check it with TACAR
This is an important requirement
A TACAR download URL as part of the info file?
MS: The accreditation presentation meeting should be the one where the TACAR submission takes place
R: It's possible to have the TACAR Process take place in stages, once a first meeting takes place then there is enough trust anchor information exchanged with a TACAR Representative to complete key submission later.
CK: I would like one process and clearly described
TACAR fills a hole in our process
A picture of where TACAR and IGTF distro fit together &c
A flow chart of how you get thru the process
RC: What is the point of messing w/ TACAR if you have gotten thru the IGTF distro process?
Perhaps we should make it a requirement to get into TACAR?
List of CAs in IGTF not in TACAR
Consider including the "README" in part 3.
R: Why put everything in 1 document? User/maintainer doesn't care about each other's issues
JJ: There are other CAs we want to distribute - tutorial/training
We need a "low assurance" or some extension of experimental directory
4.1.2 - who is consuming this info
TACAR url would go here
DG: I generate the keystores with at least 1 key of less than 4095 bits - this is what is needed; using jks 1.4; we may upgrade to 1.5 or 1.6
Discussion: maybe 1.6 has the 4096 bit problem solved
DG: Does a 1.6 keystore work with 1.4 jvm?
The RPMs have an internal signature
Just the big bundle has a detached sig
Nothing else has a signature
PGP in RPM - RPM is quite picky about which kinds of PGP keys it will use - APT will catch signatures changing
Some repackagers - the NorduGrid - does re-sign the packages.
The java keystore passphrase is the empty string.
5.1.2 - notifications about updates
CVS Notices go somewhere - probably to Anders - who had asked for it.
When the distro manager builds a distro, gets a report of all changes from the last update of the local copy of changes.
The committers should be required to notify the distro manager.
IGTF Tagging standard IGTF_v_
JJ: We need a signing_profile document - how to write one of them
The EACL file does exist
The namespace policy file does exist - No software uses this yet, but the namespaces are generated for each CA
What about PGP keys - should they be distributed?
And TACAR & IGTF distro - they are collocated in Amsterdam!
R: Backup?
DG: They are typically online
A backup of all these hosts is in an offline
1 copy locally
1 copy about 200 km away
Also an online on a machine just below
R: How much data?
Encrypt & store on another PMA
6.3 EG not LCG
Do we need to split doc or not?
What do we need to fix?
mwh will do some changes based on notes at this discussion