From: David Groep
Date: Tue, 12 Jul 2005 12:00:00 +0200
Subject: EUGridPMA News and the new Accredited CA distribution 0.30

Dear CAs, Relying Parties, Users, and all others interested,

This is the EUGridPMA "announcements" newsletter to keep relying parties
and other interested parties informed of important news regarding your
trusted certification authorities.

In this announcement of the EUGridPMA:

1. New distribution (0.30) to include new CAs and important changes
2. International Grid Trust Federation (IGTF) to extend trust fabric to a
   global level about to be established
3. Overview of changes for member authorities

We hope that you find this update useful and welcome any comments you may
have. Also, feel free to redistribute this information widely as you see
appropriate.

Regards,
David Groep

For more information about this newsletter and the mailing list, please
refer to the EUGridPMA web site at https://www.eugridpma.org/

=========================================================================
1. New distribution version 0.30
=========================================================================

A new distribution of Accredited Authorities by the EUGridPMA, release
version 0.30, is now available for download from the EUGridPMA Repository

  https://www.eugridpma.org/distribution/current/

You can download the new packages and install them at your convenience.

Changes from 0.29 to 0.30
-------------------------
(12 July 2005)

* Added IHEP CA for China
* Added DFN GridGermany CA (Root, User and Server CAs)
* Added RDIG CA (will replace the Russian DataGrid CA)
* New namespace allocation for the IUCC CA: "/C=IL/O=IUCC/*"
* Added updated CESNET Root cert and renamed the old one to "CESNET-old"
  for legacy compatibility. The new CESNET CA started operating on
  June 17th
* RPMs are now signed (experimentally) with PGP keyID 3CDBBC71.
  This key, the "EUGridPMA Distribution Signing Key 3", can be obtained
  from the popular PGP key servers, where it has been signed by the
  current Chair, David Groep. It can also be downloaded from the web
  distribution site: GPG-KEY-EUGridPMA-RPM-3

For those using an RPM-based Linux distribution, a "meta-RPM" is available
from the repository, ca_policy_eugridpma-0.30-1.noarch.rpm, that contains
dependencies on the RPMs of all accredited CAs. The repository is suitable
for "yum" based automatic updates.

This is the first RPM distribution that will (on an experimental basis)
use GPG-signed RPMs. The key (ID 3CDBBC71) has been uploaded to the public
key servers, along with my signature as the EUGridPMA Chair
(keyID 6F298418). The key is also contained in the repository.

The next release of the CA RPMs is to be expected around August 2005
(of course barring special circumstances). The format of those new
releases is currently under consideration. If you want to contribute to
the discussion or to suggest improvements to have it better suit your
needs, please contact the PMA at . There will be a common distribution
format across the entire IGTF (i.e. all three PMAs).

=========================================================================
2. The International Grid Trust Federation Developments
=========================================================================

Over the last year significant progress has been made in building
consensus on common trust mechanisms in Europe, the Asia-Pacific region
and the Americas. As early as 2002, during GGF7, the "Tokyo Accord" set
the direction to move towards a common, global trust fabric that will
enable relying parties to easily evaluate certification authorities by
using common guidelines.

There are now three "regional" PMAs. Apart from the EUGridPMA, there is
one in the Asia-Pacific region (www.apgridpma.org) and at GGF14 the
Americas Grid PMA (www.tagpma.org) was formally established.
All three PMAs have agreed to use a common set of "authentication
profiles" to which authorities will be accredited. This also means that
all accredited CAs, regardless of their location in the world and
regardless of the accrediting PMA, meet or exceed the same set of minimum
requirements. You, as relying parties, will then be able to more
effectively assess CAs worldwide, and incorporate these efficiently in
your trust infrastructure.

The current EUGridPMA Minimum Requirements will constitute the first
authentication profile, that of "Classic X.509 CAs with secured
infrastructure" (shortname "classic").

The foundation of the IGTF is foreseen for the very near future. The
EUGridPMA will keep you informed about further developments in this area.
For more information, please see the IGTF web site:

  http://www.gridpma.org/

=========================================================================
3. Overview of changes for member authorities
=========================================================================

The following CP/CPS changes were approved by the EUGridPMA. The
modifications of the policy documents by the authorities below comply
with the minimum requirements and have been reviewed by the PMA. They are
listed below for informational purposes to our relying parties:

* New authorities accredited under the "classic" profile include the DFN
  (Deutsche Forschung Netz) Grid-PKI, the IHEP (China) CA, and the Russian
  Data Intensive Grid CA (which will replace the Russian DataGrid CA).
* UK e-Science CA
  A new CP/CPS took effect on May 15th. It does not affect procedures
  except to tighten them. The current practice is described in more
  detail. See http://www.grid-support.ac.uk/ca/ for the new version
* Grid-FR
  The emailAddress name component has been removed from all certificate
  subject names.
* GermanGrid CA (GridKA-CA)
  New policy version 1.2 clarifies wording, especially in sections 3.1.9
  Authentication of Individual Identity.
* CESNET
  The CESNET CA is switching both the software and the hardware (HSM
  based) which means that the procedures are going to change rather
  fundamentally (that's why the major version number was changed).
  More information on the CESNET CA web site http://www.cesnet.cz/pki/
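
Added example, not part of the original newsletter and not EUGridPMA code: a relying party that wants to rely on the experimental RPM signing described in section 1 can check that a package is signed by key ID 3CDBBC71 specifically. The helper name `check_rpm_sig` and the sample `rpm -Kv` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not EUGridPMA code. `rpm -K` reports OK for a signature made
# by ANY key in the rpm keyring, and an unsigned package still shows its
# digests as OK, so check which key signed the package.
EXPECTED_KEYID=3CDBBC71   # short key ID from the announcement; a 32-bit ID
                          # can collide, so also confirm the imported key's
                          # full fingerprint out of band

# check_rpm_sig KEYID   (hypothetical helper; reads `rpm -Kv` output on stdin)
# Succeeds only if a signature line exists and every one is OK under KEYID.
check_rpm_sig() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        tolower($0) ~ /signature/ {
            line = tolower($0); seen++
            ok = (line ~ /: ok,/ || line ~ /: ok *$/)   # old and new rpm layouts
            id = ""
            if (match(line, /key id [0-9a-f]+/))
                id = substr(line, RSTART + 7, RLENGTH - 7)
            # if a longer ID is printed, compare its trailing 8 hex digits
            if (!ok || length(id) < 8 || substr(id, length(id) - 7) != want) bad++
        }
        END { exit !(seen > 0 && bad == 0) }'
}

# Constructed samples in the style of `rpm -Kv` output (not real captures).
SAMPLE_GOOD='ca_policy_eugridpma-0.30-1.noarch.rpm:
    Header V3 DSA signature: OK, key ID 3cdbbc71
    Header SHA1 digest: OK
    MD5 digest: OK
    V3 DSA signature: OK, key ID 3cdbbc71'
SAMPLE_OTHERKEY='ca_policy_eugridpma-0.30-1.noarch.rpm:
    Header V3 DSA signature: OK, key ID 0badc0de
    Header SHA1 digest: OK
    V3 DSA signature: OK, key ID 0badc0de'
SAMPLE_UNSIGNED='ca_policy_eugridpma-0.30-1.noarch.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

verdict() {
    if printf '%s\n' "$2" | check_rpm_sig "$EXPECTED_KEYID"
    then echo "$1: accept"; else echo "$1: reject"; fi
}
verdict "signed by 3CDBBC71" "$SAMPLE_GOOD"
verdict "signed by another key" "$SAMPLE_OTHERKEY"
verdict "unsigned" "$SAMPLE_UNSIGNED"
# Real use: LC_ALL=C rpm -Kv ca_policy_eugridpma-0.30-1.noarch.rpm | check_rpm_sig 3CDBBC71
```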