Wednesday 28 March 2007

IGTF release 1.13

As you may have seen, there is a new IGTF release. In case they are still hiding the changelog from you, here is my annotated version:

* Added BG.ACAD CA accredited under the classic profile (BG)

This is Bulgaria. They are new - welcome on board.

* Added SWITCHaai SLCS and (classic) Root CA (CH)
NOTE: the SWITCHaai SLCS CA is included in the ca_policy_igtf-slcs bundle

Ah. This one is a biggie. As you may know, the Swiss are into Shibboleth, like we are (or will be) in the UK, except they are further ahead with deployment. This CA is one that enables users within the Swiss Shibboleth federation to generate certificates via a CA which is effectively a Shibboleth SP (Service Provider).

The SLCS (short lived credential service) flavour CAs are _very_ different from the CAs that we know and love. Basically the identity is being managed by institutional databases outside the CA. FNAL, which is trusted by LCG but not yet accredited, is one such example. The SWITCH one is different again because identities are being managed by several institutions, namely everyone in the Swiss federation, and thus also everyone who will later join that federation. Moreover, the identity management at the institutions cannot in general be audited because it is private to themselves. But in the Swiss case DNs will have the institution's name embedded in them (except for one generic catch-all institution, the Virtual Home Organisation, which is operated by SWITCH (the Swiss NREN) itself), so you can in principle accept certain institutions via the signing policy file. Nevertheless, although the internal identity management may be solid gold, for these reasons the assurance of the SLCS-profile CA is considered (slightly/somewhat) lower than the usual "classic" profile.

This is also why SLCS-profile CAs are in a separate bundle.

Here is a list of the participating institutions:
http://www.switch.ch/aai/participants/homeorgs.html

Incidentally, I was one of the reviewers of this CA. I know the operators personally and have no doubt they will do a good job, but of course I do not know the identity managers in the institutions.

Note that the federation is otherwise mostly used for access to e-learning resources which in some sense are "cheaper" than Grid resources, but it also gives access to a Microsoft software download page and an "Internet Remote Emulation Experiment Platform" which could be considered as "expensive" as Grid resources. So the identity management bar is probably high enough for our purposes.

* Extended lifetime of CyGrid CA to 2013 based on same key pair (CY)

Yep. Will cause the usual headaches with Firefox and other NSS-based browsers, but this will have a low impact. The old certificate doesn't expire till Feb 2008 so there is no urgency.

However, they have now set the keyUsage extension (correctly), which all CA certificates ought to have, and they have made the basicConstraints extension critical (which it should be). The old certificate was not compliant with the standards (RFC and IGTF), but would have worked anyway.
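As an added example (not from the post or the IGTF distribution), here is a Python check using the `cryptography` library that builds a bare old-style self-signed CA certificate and a compliant re-issue on the same key pair, then reports which of the extensions discussed above are missing or non-critical; the CA name is a constructed placeholder.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def ca_cert_problems(cert):
    """List the CA-extension defects discussed in the post for one certificate."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
        if not bc.value.ca:
            problems.append("basicConstraints does not assert CA:TRUE")
        if not bc.critical:
            problems.append("basicConstraints is not critical")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints extension missing")
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
        if not (ku.key_cert_sign and ku.crl_sign):
            problems.append("keyUsage lacks keyCertSign and/or cRLSign")
    except x509.ExtensionNotFound:
        problems.append("keyUsage extension missing")
    return problems


def same_key_pair(old_cert, new_cert):
    """True when a re-issued CA certificate carries the old public key (the NSS headache case)."""
    return old_cert.public_key().public_numbers() == new_cert.public_key().public_numbers()


def make_self_signed_ca(key, years, with_extensions):
    """Constructed self-signed CA certificate (placeholder name, not a real IGTF CA)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365 * years)))
    if with_extensions:  # what a compliant CA certificate ought to carry
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        b = b.add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
    return b.sign(key, hashes.SHA256())


def demo():
    """Old (bare) and new (compliant) certificate on the same key pair, as in the CyGrid case."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old, new = make_self_signed_ca(key, 1, False), make_self_signed_ca(key, 7, True)
    return ca_cert_problems(old), ca_cert_problems(new), same_key_pair(old, new)
```

Point `ca_cert_problems` at a certificate loaded with `x509.load_pem_x509_certificate` to run the same check against a CA certificate from a real bundle.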

* Updated ArmeSFO CA root certificate following TACAR (AM)

This change looks minimal. What happened was they have updated the OID of their CP/CPS and the new CA certificate contains this updated CP/CPS OID (note this is almost always a bad idea).

More important for the rest of you is that the CA's revocation URL has been updated to a mirror of the CRL which hopefully will have higher availability than the default location. So the update to the .info file will give you the Armenian CRL with higher reliability. It matters less for the CA certificate itself, but there may be some software - Internet Explorer springs to mind - that checks the reference, so this will mean a shorter annoying wait before the software accepts stuff signed by it.

* Discontinued old (pre-2004) LIP CA (PT)

This is OK - the CA expired 21 March, so there are no consequences of not removing it, except that it will now no longer issue CRLs and so will eventually set off an alert. Best to clean it out.

* Extended lifetime of NorduGrid CA for 2 years (DK)

As above - NSS problems, but everything else OK. The old certificate would expire 12 May so you need to upgrade it before then.

* Added TERENA SCS CA hierarchy to the "worthless" area. Please note that the SCS CA has not been accredited yet (EU)

The purpose of this CA is to provide a pan-European CA which can issue host certificates. The main target is browser-facing hosts - the CA can then be distributed with the browser keystores and normal Joe User will not see warning popups. The UK e-Science CA will continue to provide certificates for ordinary hosts, but eventually (once this CA has been approved) these certificates will co-exist.

Cheers
--jens