From: David Groep
Date: Mon, 25 Nov 2013 12:00:00 +0200
Subject: Updated IGTF distribution 1.55 - with deployment notices

Dear CAs, Relying Parties, Users, and all others interested,

In this announcement of the IGTF:

1. Updated IGTF distribution version 1.55 available
2. SPECIAL NOTICE for the NorduGrid CA update
3. End of single-hash distribution format

=========================================================================
1. Updated IGTF distribution version 1.55 available
=========================================================================

A new distribution of Accredited Authorities by the EUGridPMA, based on
the IGTF Common Source, is now available. It includes the newly
accredited Authorities by all IGTF Members and retires expiring CA
certificates. This is version 1.55 release 1, and it is now available
for download from the Repository (and mirrors) at

  https://dist.eugridpma.info/distribution/igtf/current/

Changes from 1.54 to 1.55
-------------------------
(25 November 2013)

THIS RELEASE IS THE LAST ONE ALSO TO BE DISTRIBUTED IN SINGLE HASH FORMAT

* New root certificate with extended life time for NorduGrid CA
  1f0e8352 (DK)
* Updated contact metadata for all RENATER Grid-FR related CAs (FR)
* Updated CRL URL and metadata for IHEP 2013 CA 39d30eba (CN)
* New root certificates for NCSA CA re-key: MyProxy CA 2013
  c36f6349/7aa2b7bd and Two Factor CA 2013 ca157cee/48c8f10a (US)
* New root certificate for EGI catch-all CA "SEEGRID-CA-2013"
  772dbd1c (GR)
* Removed AIST Grid CA (JP)
* Discontinued IUCC CA (6fee79b0) following migration to TCS (IL)
* Suspended JUnet-CA (b3222f9e) (JO)
* Removed expired unaccredited CAs (misc)
* Added unaccredited worthless NL e-Infra Zero tutorial CA 338a3561 (NL)

Next Release
------------
Releases are usually done on the last Monday of the month, only when the
trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the end
of January 2013.

=========================================================================
2. SPECIAL NOTICE for the NorduGrid CA update
=========================================================================

The renewed NorduGrid CA root certificate (OpenSSL0.x hash 1f0e8352) for
technical reasons was re-issued with the same serial number. This is
known to cause issues in selected software products, including some web
browsers (both NSS based products as well as Internet Explorer) and in
some distributed computing software (in particular the EMI CANL
library).

It ONLY affects cases where BOTH client AND server use the NorduGrid CA.

You may experience authentication failures between clients and servers
that mutually authenticate, and BOTH use the NorduGrid CA (e.g. a
computing service authenticating to a VOMS server for retrieving
information), and where the client sends the full certificate chain.
Selected PKI libraries, in particular including the EMI CANL, may fail
to authenticate if client and server use different versions of the
NorduGrid CA (e.g. because the server was upgraded to 1.55 and the
client is still at 1.54).

For technical reasons it is not possible to avoid this condition, and
you are advised to upgrade both sides to version 1.55 as soon as
practical to resolve this condition.

For more information, please refer to the NorduGrid CA:

  http://ca.nordugrid.org/

=========================================================================
3. End of the single-hash distribution format
=========================================================================

This 1.55 release will be the last one which is distributed also in a
format containing solely the OpenSSL0.x type "MD5" hashed names of the
trust anchor subjects. A new format was introduced in January 2010 to
accommodate both the OpenSSL 0.x as well as the OpenSSL 1+ style hashes,
using an approach of symlinking on POSIX-compliant platforms (akin to
the model used by OpenSSL itself).
On non-POSIX platforms, the alias name of the CA is used instead, for
example in the Java Key Store format.

For a while, some software products were not able to deal with this
dual-hash format, but these products have since been replaced by more
recent versions and all software known to the IGTF since mid-2012 is
capable of supporting the dual-hash format.

Given the complexity of retaining the single hash format in the face of
more diverse CAs, we will hereby withdraw the old format completely. As
of 1.56, no single hash format will be published.

=========================================================================
REPEATED NOTICES
=========================================================================

Use in coordinated-deployment infrastructures
---------------------------------------------
If you are part of a coordinated-deployment infrastructure (such as a
national e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI and others) you
may want to await your project announcement before installing this
release.

The download repository is also mirrored by the APGridPMA at
https://www.apgridpma.org/distribution/igtf/

About this news letter
----------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/

+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it   |
| contains, please read the information at                              |
| https://dist.eugridpma.info/distribution/igtf/README.txt              |
|                                                                       |
| This file contains important information for new users and should be  |
| read before installing this Distribution.                             |
+-----------------------------------------------------------------------+

If you have suggestions or improvements for the distribution format, to
have it better suit your needs, please contact the EUGridPMA PMA at or
your Regional Policy Management Authority. See the IGTF web site
(www.igtf.net) for further information.
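
An added example, not part of the announcement or of the IGTF tooling: a POSIX shell audit that checks each installed trust anchor is reachable under both the OpenSSL 0.x and the OpenSSL 1+ hashed name (section 3), and prints serial and fingerprint so the NorduGrid CA version on client and server (section 2) can be compared. It assumes CAs are stored as `<alias>.pem` with `<hash>.0` links beside them; the function names are illustrative.

```shell
#!/bin/sh
# Audit a trust-anchor directory for the dual-hash layout.
# Assumed layout (not stated in the announcement): each CA is stored as
# <alias>.pem, with <old-hash>.0 and <new-hash>.0 pointing at it.

fp() {  # SHA-256 fingerprint of a certificate file, empty if unreadable
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

check_anchor() {  # $1 = <alias>.pem; prints one report line, non-zero on problems
    pem=$1; dir=$(dirname "$pem"); status=ok
    new=$(openssl x509 -in "$pem" -noout -subject_hash) || return 1      # OpenSSL 1+
    old=$(openssl x509 -in "$pem" -noout -subject_hash_old) || return 1  # OpenSSL 0.x
    serial=$(openssl x509 -in "$pem" -noout -serial | cut -d= -f2)
    want=$(fp "$pem")
    for h in "$old" "$new"; do
        link="$dir/$h.0"
        if [ ! -e "$link" ]; then
            status="missing:$h.0"    # absent or dangling: lookups by this hash fail
        elif [ "$(fp "$link")" != "$want" ]; then
            status="mismatch:$h.0"   # hashed name resolves to a different certificate
        fi
    done
    # A re-issued root with an unchanged serial differs only in the fingerprint,
    # so that is the field to compare between client and server.
    printf '%s old=%s new=%s serial=%s sha256=%s %s\n' \
        "$(basename "$pem" .pem)" "$old" "$new" "$serial" "$want" "$status"
    [ "$status" = ok ]
}

audit_dir() {  # $1 = directory; returns 0 only if every anchor has both names
    bad=0
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        check_anchor "$pem" || bad=$((bad + 1))
    done
    echo "$bad anchor(s) with problems" >&2
    [ "$bad" -eq 0 ]
}

# Run the audit when a directory is given on the command line.
if [ "$#" -ge 1 ]; then audit_dir "$1"; fi
```

Run it against the trust-anchor directory on both the client and the server and compare the `sha256=` field of the NorduGrid line.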