Thursday, 18 December 2008

IGTF release 1.26 annotated

Folks, you probably saw the announcement, the new distribution came out of IGTF Sunday.

Overall the release is not urgent. I meant to send out an evaluation earlier but ran out of time.


Annotated changes:

* Added accredited classic Indian Grid CA (IGCA) (hash da75f6a8) (IN)

Good for those folks over in Cambridge working on EUIndiaGrid. INFN
no longer has to be the catch all.

* Updated IUCC root certificate with extended life time (IL)

Israel: they recently went through a self audit and I need to review this audit, I've been remiss (I was assigned as a reviewer). They re-signed their certificates to extend the lifetime (previously till summer 09) and fix some bugs. It is still the same public key but the fingerprint will have changed. Unfortunately they introduced some more minor problems...

* Updated BEGrid (web, CRL) and UCSD-PRAGMA (web) URL metadata (BE, AP)

These are just the .info files.

* New BEGrid2008 root certificate (transitional) (BE)

Old one due to expire end of Feb 09, and it's still in there. Belgium may call the new one transitional(?) but its lifetime is 10 years.

Now here's the rub. If the old one expires in Feb, and the new one is created just now, what signed the existing valid certificates?

* Extended life time of the SEE-GRID CA (SEE)

Again using the same key as before, the lifetime of the existing certificates has been extended from expiring August 09 to August 2014. This is normally "harmless" except for the Mozilla NSS bug where a browser gets confused if it sees a different version of the "same" certificate at the remote end. They did in fact keep the same serial number, so they will get this problem. (Sometimes you can change the serial, sometimes not - another long story.)

"SEE" by the way is South Eastern Europe. Another EU thing. (, FP6 funded project)

* Included CRL for NCSA SLCS CA (US)

This was subject of a (yet another) long discussion. (In the world of grid certificates, long and heated is the norm for a discussion.)

The simple version is that SLCS is Short Lived Credential Service. They should not need to issue CRLs, since short lived credentials by definition live short lengths of time. However, much of the middleware tends to work better if it can read CRLs, so even an empty CRL keeps it happy. FNAL have done this for a while too.

There has been more discussion regarding the need to revoke even short lived credentials, but in general that is not yet feasible.

* Temporally suspended NGO-Netrust CA (SG)

They were suspended because of an issue with the CRL lifetime. They have a very short CRL (1 day) which can cause grid stuff to "break" because an "expired" CRL blocks everything. Another long technical discussion.

They also have some weird stuff in their certificate, like private key usage period. Sometimes the need to bring in commercial or gov't CAs, non-Grid CAs, makes it necessary for us to accept strange things in certs - but then those strange things can go on to break stuff on the grid because the grid is special.

* Withdrawn expired old PK-Grid CA (d2a353a5, superseded by f5ead794) (PK)

This is completely safe.

* Experimentally added Texas Advanced Computer Center TACC Root,
Classic, and MICS CAs to the experimental area (US)

This is interesting, I was a reviewer on the root (indeed I wrote the first set of guidelines for reviewing a root that doesn't issue end entity certs - still mean to finish that and push it through OGF.)

A "MICS" is Member Integrated Credential Service or something to that effect. The basic idea is it's fairly closely tied to a carefully maintained site database. Of course this sort of thing won't work in general out in the grid world when you have one CA per site database (again a long story), but TACC do need this sort of thing. Note it's experimental, so it's not accredited.

Eventually TACC should have two CA certs, one being a Classic and one a MICS, both tied under the same root.