From: David Groep
Date: Thu, 11 January 2007 10:00:00 +0200
Subject: New IGTF distribution version 1.11 available

Dear CAs, Relying Parties, Users, and all others interested,

In this announcement of the EUGridPMA:

1. Location of distribution site changed to dist.eugridpma.info
2. New IGTF distribution version 1.11 available

We hope that you find this update useful and welcome any comments you may
have. Also, feel free to redistribute this information widely as you see
appropriate. For more information about this newsletter and the mailing
list, please refer to the EUGridPMA web site at https://www.eugridpma.org/

=========================================================================
1. Location of distribution site changed to dist.eugridpma.info
=========================================================================

In order to increase reliability and improve fault containment, the
EUGridPMA web site and distribution location have been changed. From now
on, the trust anchor distribution is served by a separate, stand-alone
system that serves only this static content:

  http://dist.eugridpma.info/distribution/

Deep redirection is provided from the old download location (formerly at
http://www.eugridpma.org/distribution/) to the new one at
http://dist.eugridpma.info/distribution/, so all old links will continue
to work as expected.

The trust anchors in the distribution directory continue to be digitally
signed with the EUGridPMA PGP key (see details at the end of this
newsletter).

*** PLEASE UPDATE THE DOWNLOAD LOCATIONS ***

Why a new top-level domain name?

A new top-level domain (.info) has been chosen to host the static
distribution content of the EUGridPMA. This should better guard against
rash and inappropriate actions of the ".org" TLD operator (Enom, Inc.)
when faced with issues on the eugridpma.org web site (which, because it
also hosts dynamic and interactive content, is inherently more prone to
compromise and computer security incidents).
Since the web sites within the "eugridpma.info" domain only serve static
content, and are hosted on a dedicated system, a compromise of these
systems is expected to be less likely. Since the .info TLD is operated by
a different company (Afilias Ltd.), this is expected to provide an
additional level of certainty. In case of trouble with either TLD, the
eugridpma.org or .info site will be made available through the other TLD.

=========================================================================
2. New IGTF distribution version 1.11 available
=========================================================================

A new distribution of Accredited Authorities by the EUGridPMA, based on
the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members. This is version 1.11,
release 1, and it is now available for download from the Repository at

  https://dist.eugridpma.info/distribution/igtf/current/
or
  https://dist.eugridpma.info/distribution/igtf/1.11/

and this repository is also mirrored by the APGridPMA at

  https://www.apgridpma.org/distribution/igtf/current

Changes from 1.10 to 1.11
-------------------------
(11 January 2007)

* updated signing policy files for SWITCH CA (CH)
* change crl_url from https to http for KEK (JP)
* change crl_url from https to http for AIST (JP)
* extended lifetime of ESnet (+10y) and DoEGrids (+5y) CA certs (US/DoE)
* withdrawn Russian DataGrid CA (has been superseded by RDIG) (RU)

You can download the new packages and install them at your convenience.
If you are part of a coordinated-deployment project (such as OSG, EGEE,
LCG, DEISA, NAREGI or others) you may want to await your project
announcement before installing this release.

Next Release
------------

The next release of the CA RPMs is to be expected in February 2007 (of
course barring special circumstances).
=========================================================================
STANDARD CLAUSES AND REPEATED NOTICES: Distribution information
=========================================================================

Notice on directory structure
-----------------------------

*** ONLY CAs IN THE "accredited/" DIRECTORY AND THE CAs INSTALLED USING
    THE ca_policy_igtf-classic-1.11-1.noarch.rpm ARE ACCREDITED

Do *not* install certificates from the "worthless/" or "experimental/"
directories, except if you yourself review and accept their policy and
practice statement. The EUGridPMA provides these certificates in this
format for your convenience only, and to allow graceful changeover for
legacy installations.

*** The Fermilab Kerberized CA, although not an accredited CA according
    to the "classic" profile, has been available from the EUGridPMA
    repository before in the "others/" directory. Due to the
    reorganization, this authority has moved to the "experimental/"
    area. When the KCA has been accepted by the TAGPMA, the location of
    this authority will change.

*** All individual CA packages, as well as the bundles, have the same
    (common) version number "1.11" and release "1".

Distribution formats
--------------------

* the distribution traditionally contained a set of RPMs and tar-balls
  per accredited authority, as well as meta-RPMs that depend on the RPMs
  of those accredited authorities.

* the "tar-bundle" that can be used to install the authorities in a local
  trust directory using the "./configure && make install" mechanism has
  been renamed to avoid confusion. It is called:

    igtf-policy-installation-bundle-1.11.tar.gz

  It has the same functionality and can still be found in the
  "accredited/" subdirectory.
* the accredited directory now contains two additional tar-balls that
  contain, respectively, *all* "classic" and "slcs" accredited CAs:

    igtf-preinstalled-bundle-classic-1.11.tar.gz
    igtf-preinstalled-bundle-slcs-1.11.tar.gz

  (note there are no SLCS-accredited authorities at this time)

* those CAs whose key length is less than 4095 bits are also available in
  a Java KeyStore (JKS), whose password is "eugridpma". There is both a
  JKS for each individual CA, as well as an
  "igtf-policy-accredited-classic-1.11.jks" in the "accredited/jks/"
  sub-directory.

APT and Yum
-----------

As always, the repository is suitable for "yum" based automatic updates,
by adding to the yum.conf file:

  [eugridpma]
  name=EUGridPMA
  baseurl=http://dist.eugridpma.info/distribution/igtf/current/
  gpgcheck=1

Also "apt" is supported. For details, see

  http://dist.eugridpma.info/distribution/igtf/current/apt/README.txt

Large deployment projects are kindly requested to mirror these
directories in their own distribution repositories.

RPM GPG signing
---------------

This new RPM distribution is, as before, distributed with GPG-signed
RPMs. The key (ID 3CDBBC71) has been uploaded to the public key servers,
along with my signature as the EUGridPMA Chair (keyID 6F298418). The key
is also contained in the repository. You will need this key if you enable
GPG checking for automatic updates in "yum" or "apt".

Please remember to validate this distribution against the TACAR trusted
repository (https://www.tacar.org/) where possible.

Suggestions
-----------

If you have suggestions or improvements for the distribution format, to
have it better suit your needs, please contact the PMA at .

Note that there is a common distribution format across the entire IGTF
(i.e. all three PMAs).
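Because the distribution is fetched over plain http, the integrity of the installed trust anchors rests on the RPM signature check that the "APT and Yum" section above enables with gpgcheck=1. The following added Python script (not part of this newsletter or of the EUGridPMA distribution) audits yum repository stanzas for that property; the [eugridpma] stanza is copied from the newsletter, while the two other stanzas and the gpgkey path are constructed placeholders.

```python
import configparser
from typing import Dict, List

# Constructed sample: the [eugridpma] stanza as given in the newsletter,
# plus two hypothetical stanzas (not from the newsletter) for comparison.
# The gpgkey path is a placeholder, not the distribution's real key file.
SAMPLE_YUM_CONF = """
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1

[eugridpma-pinned]
name=EUGridPMA with locally pinned signing key
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/PLACEHOLDER-eugridpma-key.asc

[mirror-weak]
name=Hypothetical mirror with signature checking switched off
baseurl=http://mirror.example.invalid/igtf/current/
gpgcheck=0
"""


def audit_repos(conf_text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [findings]} for each repo stanza in conf_text.

    The trust anchors are served over plain http, so integrity rests on
    RPM signature checking: gpgcheck must be on, and the signing key
    should be pinned via gpgkey= from a source trusted out of band.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report: Dict[str, List[str]] = {}
    for repo in cp.sections():
        findings = []
        plain_http = cp.get(repo, "baseurl", fallback="").startswith("http://")
        if cp.get(repo, "gpgcheck", fallback="0").strip() != "1":
            findings.append("gpgcheck is off: unsigned or altered RPMs are accepted")
            if plain_http:
                findings.append("baseurl is plain http: transport adds no integrity either")
        if not cp.has_option(repo, "gpgkey"):
            findings.append("no gpgkey pinned: key must be imported out of band first")
        report[repo] = findings
    return report


if __name__ == "__main__":
    for repo, findings in audit_repos(SAMPLE_YUM_CONF).items():
        print(repo, "OK" if not findings else findings)
```

A stanza with no findings still depends on the pinned key itself having been verified, for example against the Chair's signature on the key servers or the TACAR repository mentioned above.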