From: David Groep
Date: Fri, 11 Jun 2010 16:00:00 +0100
Subject: Updated IGTF distribution version 1.35, new version of fetch-crl

Dear CAs, Relying Parties, Users, and all others interested,

In this announcement of the IGTF:

 1. Updated IGTF distribution version 1.35 available
 2. Distribution format changes in the wake of OpenSSL version 1
    (repeated announcement)
 3. New version of fetch-crl 2.8.5

=========================================================================
1. Updated IGTF distribution version 1.35 available
=========================================================================

A new distribution of Accredited Authorities by the EUGridPMA, based on
the IGTF Common Source, is now available. It includes the newly accredited
Authorities by all IGTF Members and retires expiring CA certificates.
This is version 1.35, release 1, and it is now available for download
from the Repository (and mirrors) at

  https://dist.eugridpma.info/distribution/igtf/current/  (traditional format)
  https://dist.eugridpma.info/distribution/igtf/1.35-new/ (new format)

Changes from 1.34 to 1.35
-------------------------
(11 Jun 2010)

* Updated root certificate for SRCE with new extensions and life time (HR)
* Updated root certificate for ROSA with new AKI extension and serial (RO)
* Removed obsoleted CAs from experimental area (US)

If you are part of a coordinated-deployment project (such as a national
grid initiative, OSG, PRACE, DEISA, NAREGI or others) you may want to
await your project announcement before installing this release.

The download repository is also mirrored by the APGridPMA at
  https://www.apgridpma.org/distribution/igtf/current

Next Release
------------
The next release of the distribution is expected in August 2010.

=========================================================================
2. Distribution format changes in the wake of OpenSSL version 1
=========================================================================

IMPORTANT NOTICE
----------------
This 1.35 distribution comes in two (2) formats. The primary format for
this 1.35 release is the 'current' one, which has no changes. A 'new'
format, available for your evaluation as of this release at:

  https://dist.eugridpma.info/distribution/igtf/1.35-new/

also supports OpenSSL v1 and is designed to be backwards compatible with
the current distribution format.

  *** YOU ARE INVITED TO EVALUATE THIS NEW DISTRIBUTION FORMAT NOW ***

In a subsequent release (1.35 or 1.36), the 'default' distribution will
change to the new format and the current format will be deprecated and
only available via a special URL. The default download location

  https://dist.eugridpma.org/distribution/igtf/current/

will then point to the new-format distribution.

Releases after 1.36 (Autumn 2010) may withdraw this then-deprecated format
and from then on only the 'new' format will be distributed.

For more information, please refer to the February 15th newsletter:
  https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt

=========================================================================
3. New version of fetch-crl 2.8.5
=========================================================================

The fetch-crl utility has seen some major improvement over the last year,
and the new 2.8 series is now fully compliant with common GNU/Linux
packaging conventions as used by, for example, Fedora, Debian and RedHat
Enterprise Linux. We would like to thank Steve Traylen (CERN) and Mattias
Ellert (Uppsala University) for their efforts in incorporating fetch-crl
in these distributions.

Some key changes in 2.8:

* Configuration file has moved from /etc/sysconfig to /etc/fetch-crl.conf
* New init scripts and a cron job entry have been added to allow
  management of fetch-crl via the chkconfig mechanism, and a chkconfig
  compliant init script is included (it is not enabled by default, though)

as well as these improvements:

* installed CRL files are re-checked for validity to catch file system
  errors and local disk corruption. When possible, it will try to restore
  a backup copy. Such failures are not subject to aging tolerance.
* Improved support for multiple CRL URLs by downloading until a success
  is achieved, instead of downloading all of them
* a "random wait" period can be added to prevent network load spikes.
  This is recommended in case the job is run from cron.
* better compliance with SELinux, where the file context of CRL files
  is now preserved

Remember that the aging tolerance flag, introduced in 2.6, includes a
24 hour grace period to allow for network interruptions. This reflects
the suggested grace period of the IGTF. You can explicitly set the aging
tolerance for network interruptions using the "-a" command-line argument,
or the configuration file setting

You can download the latest version of fetch-crl from:
  https://dist.eugridpma.info/distribution/util/fetch-crl/
from your local IGTF mirrors, and of course from Fedora, EPEL and Debian.

A complete re-write of fetch-crl (Fetch-crl3) is currently in beta-testing
and will add more features as well as scalability and redundancy options.
It will also be the first version to support OpenSSL1 and the Mozilla NSS
systems. Users interested in participating in the beta programme are
invited to contact the EUGridPMA at

=========================================================================
REPEATED NOTICES
=========================================================================

This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/

+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it   |
| contains, please read the information at                              |
|     https://dist.eugridpma.info/distribution/igtf/README.txt          |
|                                                                       |
| This file contains important information for new users and should be  |
| read before installing this Distribution.                             |
+-----------------------------------------------------------------------+

If you have suggestions or improvements for the distribution format, to
have it better suit your needs, please contact the EUGridPMA PMA at or
your Regional Policy Management Authority. See the IGTF web site
(www.igtf.net) for further information.
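
The fetch-crl 2.8 behaviours listed in section 3 (re-check the installed CRL and restore a backup, try each CRL URL until one succeeds, tolerate download failures within the aging tolerance), modelled as an added example. This is not fetch-crl's own code and not part of the original announcement; the function names, the stand-in validity check, the mirror URLs and the assumption that the tolerance is counted from the last successful download are all hypothetical.

```python
# Model of the fetch-crl 2.8 behaviours from section 3. Added example, not
# fetch-crl code: every name, URL and the validity check are hypothetical.

def refresh_crl(urls, fetch, is_valid, installed, backup,
                hours_since_last_ok, aging_tolerance_h=24):
    """Return (crl_to_keep, events) for one refresh run of one CA's CRL."""
    events = []
    # 1. Re-check the installed copy. Corruption is reported at once and is
    #    never hidden by the aging tolerance.
    if installed is not None and not is_valid(installed):
        if backup is not None and is_valid(backup):
            installed = backup
            events.append("ERROR installed CRL corrupt, backup restored")
        else:
            installed = None
            events.append("ERROR installed CRL corrupt, no usable backup")
    # 2. Try the URLs in order and stop at the first good download.
    for url in urls:
        try:
            blob = fetch(url)
        except OSError as exc:
            events.append(f"INFO {url} failed: {exc}")
            continue
        if is_valid(blob):
            events.append(f"INFO updated from {url}")
            return blob, events
        events.append(f"INFO {url} returned an invalid CRL")
    # 3. All URLs failed: stay below error level inside the grace period
    #    (assumed to run from the last successful download), escalate after.
    level = "WARN" if hours_since_last_ok <= aging_tolerance_h else "ERROR"
    events.append(f"{level} no CRL retrieved for {hours_since_last_ok}h")
    return installed, events


# Constructed sample data: a blob counts as a valid CRL if it starts "CRL:".
def is_valid(blob):
    return blob.startswith(b"CRL:")

def fetch(url):
    mirrors = {"http://mirror2.example/ca.crl": b"CRL:new"}
    if url not in mirrors:
        raise OSError("connection refused")
    return mirrors[url]

URLS = [f"http://mirror{n}.example/ca.crl" for n in (1, 2, 3)]

if __name__ == "__main__":
    crl, events = refresh_crl(URLS, fetch, is_valid, b"garbage", b"CRL:old", 30)
    print(crl, *events, sep="\n")
```

A relying party that keeps serving a stale CRL silently is the failure this ordering guards against: corruption is always surfaced, while a network outage only escalates once the tolerance has run out.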