From: David Groep Date: Mon, 27 Jun 2011 11:00:00 +0100 Subject: Updated IGTF distribution 1.39 and migration to Fetch-crl version 3 Dear CAs, Relying Parties, Users, and all others interested, In this announcement of the IGTF: 1. Updated IGTF distribution version 1.39 available - Changes in 1.39 - Debian APT support - Use in coordinated-deployment infrastructures - Next release - Dual-hash OpenSSL v1 support 2. New version 3 of the CRL retrieval tool Fetch-crl We STRONGLY ADVISE everyone to upgrade to Fetch-crl version 3. It is necessary for out-of-the-box OpenSSL v1 support and brings signficant stability improvements and has features for resiliance. Download it from https://dist.eugridpma.info/distribution/util/fetch-crl3/ ========================================================================= 1. Updated IGTF distribution version 1.39 available ========================================================================= A new distribution of Accredited Authorities by the EUGridPMA, based on the IGTF Common Source, is now available. It includes the newly accredited Authorities by all IGTF Members and retires expiring CA certificates. This is version 1.39, release 1, and it is now available for download from the Repository (and mirrors) at https://dist.eugridpma.info/distribution/igtf/current/ *** note that the default format is now OpenSSL v1 compatible *** Changes from 1.38 to 1.39 ------------------------- (27 June 2011) * Change of contact address for NAREGI CA (JP) * Change of contact address for GermanGrid CA (DE) * Added accredited classic HIAST CA (SY) * Added accredited classic Uni Andes CA (CO) * Extended life time of root certificate for SiGNET-CA (SI) * Extended life time of root certificate for Grid-Ireland (IE) * New issuing certificates (2A, 2B) for UKeScience (GB) * Updated extensions for DOEGrids-CA-1 issuing CA (US) Changes to unaccredited information: * Added experimental DZeScience CA (DZ) * Extended life time for unaccredited Benelux and NE tutorial CA cert and re-rooted namespace to new domain name (NL,BE) * Added worthless replacement gilda 2011 CA (IT) Debian APT support ------------------ The IGTF distributed the trust anchors in various formats. This release adds an 'apt' compliant repository for Debian-based distribution as an experimental service. For details, see https://dist.eugridpma.info/distribution/igtf/current/dists/README.txt Use in coordinated-deployment infrastructures --------------------------------------------- If you are part of a coordinated-deployment infrastructure (such as a national grid infrastructure, EGI, OSG, PRACE-RI, DEISA, NAREGI or others) you may want to await your project announcement before installing this release. The download repository is also mirrored by the APGridPMA at https://www.apgridpma.org/distribution/igtf/ Next Release ------------ Releases are usually done on the last Monday of the month, only when the trust anchor distribution has been updates substantially. Current estimated but the next release of the distribution in Septmber 2011. Dual-hash OpenSSL v1 support ---------------------------- This distribution comes in two (2) formats. The primary format for this release supports OpenSSL v1 and is designed to be backwards compatible with the old distribution format. If you experience issues with the new format, the old non-OpenSSL-v1 version is still available at https://dist.eugridpma.org/distribution/igtf/current-old/ but you should upgrade as soon as practically possible. Subsequentl releases may withdraw this legacy format without further notice. For more information, please refer to the February 15th 2010 newsletter: https://www.eugridpma.org/newsletter/eugridpma-newsletter-20100215.txt ========================================================================= 2. New version 3 of the CRL retrieval tool available ========================================================================= Downloading CRLs is a critical component in keeping the integrity and security of the trust fabric -- and CRLs should be updated frequently (preferably several times per day). To facilitate automated retrieval of certificate revocation lists (CRLs) by relying parties, the 'fetch-crl' utility is distributed by the IGTF. This tool has been redesigned completely to incorporate new features: - support for OpenSSL version 1 and dual-hash trust anchor naming - parallel downloads to speed up retrieval (from minutes to seconds) - built-in caching support to reduce bandwidth consumption - site- and infrastructure-level fail-over and override mechanisms Relying parties are encouraged to upgrade to this new version 3, available from the EUGridPMA web site and from popular Linux distribution (add-on) repositories such as Fedora, Debian and EPEL. Fetch-crl3 is independent of any software suite and can be used in conjunction with all popular OpenSSL, BouncyCastle and NSS based products. https://dist.eugridpma.info/distribution/util/fetch-crl3/ The documentation and full list of features can be found at http://www.nikhef.nl/grid/fetchcrl3/ Fetch-crl3 is made available under the Apache License version 2.0. The 2.8 series fetch-crl will remain supported until Q2 2012 but new features will no longer be added. The 2.7 series is no longer supported. ========================================================================= REPEATED NOTICES ========================================================================= This newsletter carries IGTF information intended for relying parties. For more information about this newsletter and how to subscribe, refer to the EUGridPMA web site at https://www.eugridpma.org/ +-----------------------------------------------------------------------+ | For information on the IGTF Distribution, how to use it and what is | | contains, please read the information at | | https://dist.eugridpma.info/distribution/igtf/README.txt | | | | This file contains important information for new users and should be | | read before installing this Distribution. | +-----------------------------------------------------------------------+ If you have suggestions or improvements for the distribution format, to have it better suit your needs, please contact the EUGridPMA PMA at or your Regional Policy Management Authority. See the IGTF web site (www.igtf.net) for further information.