CHANGES ------- This file lists changes made to the IGTF Trust Anchor distribution. Please refer to the README.txt file for additional information on installing the Distribution and to be informed about important information on distribuion lay-out. Changes from 1.37 to 1.38 ------------------------- (7 February 2011) * Updated meta-data info file for SRCE (HR) * Updated KEK CA root (617ff41b) with extended life time (JP) * Updated contact email address for ArmeSFo (AM) * Extended allowed namespace and new URL for SEE-GRID CA as EGI catch-all (EU) * Extended allowed namespace for NAREGI CA (JP) * Added accredited CILogin MICS CA (US) * Extended life time for NCSA CACL (MICS) CA (US) * Extended life time for NCSA MyProxy (SLCS) CA (US) * Extended life time for NorduGrid CA (DK,NO,SE,FI,SI) * Corrected namespaces file for TCS eScience Personal (EU) Changes from 1.36 to 1.37 ------------------------- (27 September 2010) * Added accredited classic TERENA eScience SSL CA and hierarchy (EU) * Discontinued NGO-Netrust CA (SG) * The OpenSSL1 compliant format no longer adds symlinks for info metadata (such references would result in multiple downloads of the same CRL data when used with FetchCRL3) * Corrected typo errors in namespaces file for AAACertificateServices (EU) * Added CILogon CAs in experimental area (US) Changes from 1.35 to 1.36 ------------------------- (25 June 2010) * Updated root certificate for PLGrid with corrected SAN extension (PL) Changes from 1.34 to 1.35 ------------------------- (11 June 2010) * Updated root certificate for SRCE with new extensions and life time (HR) * Updated root certificate for ROSA with new AKI extension and serial (RO) * Removed obsoleted CAs from experimental area (US) Changes from 1.33 to 1.34 ------------------------- (18 February 2010) * Corrected malformed EACL syntax in signing_policy for CESNET-Root-CA (CZ) Changes from 1.32 to 1.33 ------------------------- (15 February 2010) * Added accredited MICS TCS eScience Personal CA and hierarchy (EU) * Updated AustrianGrid root cert with extended life time (AT) * Updated PolishGrid CA with new contact and extended root CA life time (PL) * Removed expired CNRS-Grid-FR CA (has been superseded by CNRS2-Grid-FR) (FR) * Removed obsolete CNRS, CNRS-Projets CA (superceded by CNRS2 hierarchy) (FR) * Corrected namespaces file for BEGrid2008 (BE) * Added comment line to REUNA CA signing_policy file (CL) * Added new classic CESNET hierarchy "CESNET-CA-Root" and "CESNET-CA-3" (CZ) * Updated (re-rooted) selected UNaccredited CAs in the "worthless" area Changes from 1.31 to 1.32 ------------------------- (26 October 2009) * Updated country TLD in URLs and email for AEGIS CA (RS) * Updated contact information for CALC CA (LV) * Extended life time and updated profile or TR-Grid CA cert and CRL URL (TR) * Updated and added references to CP and CPS documents for the following authorities: HellasGrid (GR), ROSA (RO), DutchGrid (NL), IRAN-GRID (IR), and BYGCA (BY) * Withdrawn obsolete CAs SWITCH-Personal-2007, SwissSign-Root, SWITCH, SwissSign-Bronze, SwissSign-Silver, SWITCH-Server-2007 (CH) * Withdrawn expired and discontinued CA RMKI (HU) * Added persistently-named links to pre-installed accredited bundles * Added selected UNaccredited CAs to the "worthless" area Changes from 1.30 to 1.31 ------------------------- (28 July 2009) * Removed expired root certificate for BEGrid (03aa0ecb) (BE) * Removed expired and discontinued User and Server issuing CAs for DFN (fe102e03 and 34f8e29c) (DE) Changes from 1.29 to 1.30 ------------------------- (2 June 2009) * Updated contact meta-data for BYGCA, hash 709bed08 (BY) * Updated URLs for DFN Grid PKI public web pages (DE) * Added accredited NCSA GridShib SLCS CA (US) * Added accredited DFN SLCS CA (DE) * Added accredited TACC MICS CA (US) * Added accredited SWITCH (QuoVadis anchored) CAs (CH) * Added accredited FNAL-SLCS CA (US) Changes from 1.28 to 1.29 ------------------------- (4 May 2009) * Restored NGO-Netrust CA (SG) * Updated AIST Grid (CRL) URL metadata (JP) * Added accredited MD-Grid CA with hash 9ff26ea4 (MD) * Added accredited HKU Grid CA with hash 4798da47 (HK) * Updated signing policy file of APAC Grid CA (AU) * Added accredited classic BYGCA (Belarus) with hash 709bed08 (BY) * Updated namespace for the APAC CA (AU, NZ) Changes from 1.27 to 1.28 ------------------------- (10 March 2009) * Added accredited classic ULAGrid CA (VE) * Added accredited TACC Root and TACC Classic CAs (US) * Updated NERSC CRL URL download location (US) * Updated DOEGrids CRL URL download location (US) * Extended life time of NorduGrid CA (1f0e8352) (DK,SE,NO,FI,IS) * Added SigmaNet CALG CA (LV) * Updated AEGIS CA root certificate to reflect TLD name change (RS) * Added CRL for SWITCH-SLCS issuing CA and updated CA cert (304cf809) (CH) Other updates to miscellaneous CAs: * Worthless CA for EGEE "GILDA" testbed added to 'worthless' section (EU) Changes from 1.26 to 1.27 ------------------------- (30 January 2008) * Corrected signing namespace for BEGrid2008 CA (BE) * Added NERSC SLCS CA (US) * ASGCCA-2007 changed signature algorithm from MD5 to SHA1 (TW) * Added new CNRS2 hierarchy: CNRS2 -> CNRS2-Projets -> CNRS2-Grid-FR (FR) * Updated IUCC root certificate (IL) * Obsoleted EstonianGrid CA (EE) Changes from 1.25 to 1.26 ------------------------- (15 December 2008) * Added accredited classic Indian Grid CA (IGCA) (hash da75f6a8) (IN) * Updated IUCC root certificate with extended life time (IL) * Updated BEGrid (web, CRL) and UCSD-PRAGMA (web) URL metadata (BE, AP/US) * New BEGrid2008 root certificate (transitional) (BE) * Extended life time of the SEE-GRID CA (SEE) * Included CRL for NCSA SLCS CA (US) * Temporally removed NGO-Netrust CA (SG) * Withdrawn expired old PK-Grid CA (d2a353a5, superseded by f5ead794) (PK) * Experimentally added Texas Advanced Computer Center TACC Root, Classic, and MICS CAs to the experimental area (US) Changes from 1.24 to 1.25 ------------------------- (29 September 2008) * Added accredited classic NCHC CA (TW) * Updated metadata for AIST GRID CA (JP) * Updated AIST GRID CA (extended life time) based on same key pair (JP) * Updated metadata for APAC Grid CA (AU) * Updated metadata (CRL URL) for NGO-Netrust CA (SG) * updates to CA contact data in info files (EU, multiple) * updated certificates in the experimental or worthless areas (misc) Changes from 1.23 to 1.24 ------------------------- (29 July 2008) * Withdrawn NCHC (hash 71a89a47) for urgent operational reasons (TW) Changes from 1.22 to 1.23 ------------------------- (28 July 2008) * Updated metadata for CyGrid (CY), SlovakGrid (SK), Grid-FR (FR) and NCSA-SLCS and MICS (US) * Removed old UKeScienceRoot (8175c1cd) and UKeScience (adcbc9ef) that were replaced in 2006 by updated root and issuing CAs (UK) * Updated LIPCA certificate, based on same key pair (PT) * Added accredited classic MREN CA (ME) * Added NGO-Netrust (SG), PRAGMA-UCSD (PRAGMA), and NCHC (TW) Changes from 1.21 to 1.22 ------------------------- (09 June 2008) * updated extensions in PK-Grid-2007 root certificate (same keypair) (PK) * added accredited classic CA Iran-Grid (hash ce33db76) (IR) * withdrawn expired ASGCCA (hash a692434d) (TW) Changes from 1.20 to 1.21 ------------------------- (16 May 2008) * IMPORTANT update of the UKeScience Root and Issuing CAs (UK) Changes from 1.19 to 1.20 ------------------------- (17 March 2008) * Added accredited classic MARGI CA (MK) * Withdrawn expired SWITCH-Server-2006 and SWITCH-Personal-2006 CAs (CH) * Corrected namespace syntax for SWITCHaai CA (CH) * Updated namespace definitions in DFN GridGermany hierarchy (DE) * Added dependency of TERENA-SCS on GTE-CyberTrust-Global-Root. Note that neither the TERENA-SCS nor the GTE-CyberTrust-Global-Root are accredited. Changes from 1.18 to 1.19 ------------------------- (31 January 2008) * Added PK-Grid-2007 Root CA certificate (will supersede d2a353a5) (PK) * New contact email address for all PK-Grid CAs (PK) * Updated and extended lifetime of ArmeSFo root cert with same keypair (AM) * New CA certificate download locations for SwissSign CAs (CH) * New classic CA UGRID (hash 0a12b607) for the Ukraine (UA) * New classic CA UNAM-grid (hash 24c3ccde) for Mexico (MX) Changes from 1.17 to 1.18 ------------------------- (16 November 2007) * ASGCCCA-2007 added to Accredited Classic set again (TW) * Withdrawn expired CA "Spain" (hash 13eab55e) (ES) * Withdrawn expired CA "SiGNET" (hash 747183a5) (SI) * Withdrawn discontinued CA "CERN" (hash fa3af1d7) (INT) * Updated SWITCH (classic) signing namespace policies (CH) * Added UNLPGrid CA (classic, hash b7bcb7b2) (AR) * Added MaGrid CA (classic, hash 7b54708e) (MA) * New contact email address for the SlovakGrid CA (SK) * New UK e-Science CA hierarchy "-2007" added (98ef0ee5 and 367b75c3) Note: during the transition period, two hierarchies (both old and "2007") will be distributed. See accompanying newsletter for details (UK) * (selected updates to repositories containing un-accredited CAs) Changes from 1.16 to 1.17 ------------------------- (8 October 2007) * Added new RomanianGRID CA classic authority (RO) * Corrected several small typographic inconsistencies (DutchDemo, apt/README.txt) * Updates list of SWITCH eligible organisations (CH) * New contact email addresses for the AustrianGrid CA (AT), CNRS (FR) and IUCC (IL) * BEGrid CA provides an http URL for CRL download (BE) * Expired INFN (49f18420) CA withdrawn (IT) * Updated ASGCCCA-2007 certificate extensions (TW) Changes from 1.15 to 1.16 ------------------------- (8 August 2007) * A new profile for Member-Integrated Credential Services (MICS), has been defined by the IGTF. A policy nstallation bundle for authorities accredited under the MICS profile has been added to the distribution. Please refer to the IGTF web site at http://www.gridpma.org/ for a description of the MICS profile. * Corrected namespaces for for APAC CA (AU) * Added REUNA CA as a classic CA (CL) * Added NCSA-MICS and NCSA-SLCS CAs (US) * Added Ecole polytechnique federale de Lausanne to SWITCH namespace (CH) * Added new KISTI (2007) classic CA (KR) * Added Latin American and Caribbean Catch-all Grid CA (TAGPMA) * Obsoleted expired UKeScience (01621954) Root CA (GB) * Obsoleted expired HellasGrid-old (efe78092) Root CA (GR) * some new roots added to the worthless area (these are not accredited CAs!) Changes from 1.14 to 1.15 ------------------------- (9 July 2007) * Temporarily removed ASGCC CA 2007 root certificate (TW) Changes from 1.13 to 1.14 ------------------------- (1 June 2007) * Discontinued the expired GridCanada-old CA with hash 5f54f417 (CA) * APAC CA signing policy now als covers BeSTGRID in New Zealand (AU) * AEGIS (Serbia) CA added (RS) * New organisations added for SWITCH Classic CA (CH) * DutchGrid robot certificates added to signing namespace (NL) * Added CA with new keypair for ASGCC CA during roll-over "ASGCC-2007" (TW) Changes from 1.12 to 1.13 ------------------------- (11 March 2007) * Added BG.ACAD CA accredited under the classic profile (BG) * Added SWITCHaai SLCS and (classic) Root CA (CH) NOTE: the SWITCHaai SLCS CA is included in the ca_policy_igtf-slcs bundle * Extended lifetime of CyGrid CA to 2013 based on same key pair (CY) * Updated ArmeSFO CA root certificate following TACAR (AM) * Discontinued old (pre-2004) LIP CA (PT) * Extended lifetime of NorduGrid CA for 2 years (DK) * Added TERENA SCS CA hierarchy to the "worthless" area. Please note that the SCS CA has not been accredited yet (EU) Changes from 1.11 to 1.12 ------------------------- (09 February 2007) * Extended life time of root certificate for SlovakGrid (SK) * Obsoleted Russian DataGrid CA also in RPM updates (RU) * Fixed SHA-1 finger print for new SiGNET CA (SI) * Add NECTEC GOC CA (TH) * Added SWITCH Personal and Server 2007 CAs, removed 2005 CAs (CH) * Extended life time of root certificate for PolishGrid (PL) * Changed CRL URL of the NAREGI CA from https to http (JP) Changes from 1.10 to 1.11 ------------------------- (10 January 2007) * updated signing policy files for SWITCH CA (CH) * change crl_url from https to http for KEK (JP) * change crl_url from https to http for AIST (JP) * extended lifetime of ESnet (+10y) and DoEGrids (+5y) CA certs (US/DoE) * withdrawn Russian DataGrid CA (has been superseded by RDIG) (RU) Changes from 1.9 to 1.10 ------------------------ (17 October 2006) * New public web page for the BEGrid CA in metadata info file (BE) * New contact email addresses for: HellasGrid and SEE-GRID (GR, SEE), INFN CA (IT), Grid-Ireland (IE), DOEGrids CA (US/DOE), ASGCCA (TW), APAC (AU) * New CERN CA added (root and on-line CA), managed by CERN IT/IS (CERN) * New INFN CA issue 2006 to replace current one (expiring 2007) (IT) * Retired SWITCH-SSSR hierarchy pending replacement of the tree (CH) * Added new organisations to the SWITCH namespace (CH) * Removed KISTI CA (KR) Changes from 1.8 to 1.9 ----------------------- (11 September 2006) * New SiGNET CA (with 2048-bit key length) and new Subject DN (SI) * New HellasGrid CA (both Root and EE) issue 2006 added (GR) * Modified CINC Root and CINC SDC CA certificate extensions: removed SubjectAltName and IssuerAltName. (CN) * Updated extendedKeyUsage and nsCertType extension in AustrianGrid CA (AT) Changes from 1.7 to 1.8 ----------------------- (07 August 2006) * added O=Universitaet St. Gallen to the list of SWITCH Organisations (CH) * added newly accredited CINC Root CA and CINC SDC Grid CA (CN) * added new root certificate for the NAREGI CA (JP) Changes from 1.6 to 1.7 ----------------------- (24 July 2006) * removed CESNET-old from accredited list and obsoleted in RPM distribution * Added new accredited SRCE (Croatia) classic CA * Added new accredited BrGrid (Brazil) classic CA * New root and online CA certificates for updated UKeScience CA Changes from 1.5 to 1.6 ----------------------- (20 June 2006) * Removed NAREGI CA with too-short root certificate key length Changes from 1.4 to 1.5 ----------------------- (19 June 2006) * new CRL download URL for the RDIG CA * extended lifetime of root trust anchor for the GermanGrid CA (GridKa CA) old expiration date: Jun 10 13:45:54 2007 GMT new expiration date: Jun 10 13:45:54 2014 GMT * extended lifetime of root trust anchor for the Grid-Ireland CA (TCD) old expiration date: Jul 27 17:10:40 2007 GMT new expiration date: Jul 27 17:10:40 2012 GMT * ASGCC CA no longer authoritative for "/C=CN/O=IHEP/OU=CC/*" * AIST CA updated with new X.509v3 extensions (same keypair) * change in list of supported organisations for SWITCH CA (Switserland) Changes from 1.2 to 1.4 ----------------------- (15 May 2006) * increased version number of the distribution by two to accomodate RPM version inconsistencies in the release system of the LCG project * Extended life time for the CA root certificate of the NorduGrid CA Changes from 1.1 to 1.2 ----------------------- (13 Apr 2006) * new contact email address for KISTI CA * consistent quote formatting for pkIRISgrid signing_policy file * updated DutchDemo CA root certificate (in the worthless area) * suspended SWITCH Silver-root based hierarchy, since CRLs are not ready * added new organisation to the SWITCH namespace * changed ArmeSFO CRL download location to new server * new pkIRISGrid root certificate (same keypair) from TACAR added * added extra double quotes to the UK eScience signing policy file Changes from 1.1 R1 to 1.1 R2 ----------------------------- (22 Feb 2006) NOTE: THERE ARE NO CHANGES TO THE CONTENT IN THIS SUB-RELEASE * Corrected typo in the obsoletion of the old ca_CNRS-DataGrid * Improved understandability of the igtf-policy-installation-bundle Changes from 1.0 to 1.1 ----------------------- (20 Feb 2006) * Corrected malformed signing_policy file for CESNET-old * New (generic) email address for the LIP and LIPCA CAs * Expired Cygrid-old and CNRS-Datagrid CAs. The IGTF-classic meta-RPM package implicitly obsoletes there two discontinued CAs * Added alternative syntax for namespace constraints in .namespaces files. See http://www.eugridpma.org/documentation/ for details * Added pkIRISGrid CA as an accredited:classic CA * Corrected SWITCH CA hierarchy, adding the SWITCH Server and Personal CAs inbetween the SWITCH CA and the end-entities * New 2006+ SWITCH Personal and Server CAs in the SwissSign Root-originating hierarchy * New SwissSign Silver-Root and hierarchy added * New authorities from the APGridPMA: APAC GRID, KEK GRID, and NAREGI CA * New GridCanada CA root, renamed the "5f54f417" CA to GridCanada-old * New root cert (with same keypair) for the worthless DutchDemo CA * Pre-installed CA tarballs added for the classic and SLCS profiles Changes from 0.32 to 1.0 ------------------------- (25 October 2005) * IGTF policy metapackages replace EUGridPMA-only ones. The legacy "ca_policy_eugridpma" RPMs now depend on their IGTF counterparts. The EUGridPMA specific files will be withdrawn in a future release. * New directory structure moves all data regarding accredited authorities to the singe "accredited/" directory (including the policy meta-RPM) * Tar-ball installation now supports multiple profiles and targets * Meta-data (".info") for each CA added, and installed in trusted directory * The "experimental" profile supercedes the "others/" area in the distribution (note: this affects the FNAL_KCA, which will shortly be added as an accredited authority under the new Short-Lived Credential Services profile) * Discontinued authorities are no longer distributed * Only accredited authority RPM packages are signed by the PMA's GPG key * APGridPMA accreditations added: KISTI and AIST * New EUGridPMA accreditations: TR-Grid and BalticGrid * CRL URL for SiGNET changed to http instead of https * Added compatibility namespace for NIIF "/C=HU/O=NIIF CA/OU=NIIF/OU=GRID/*" Changes from 0.31 to 0.32 ------------------------- (23 August 2005) * Corrected namespace for the new CESNET CA * New RDIG root certificate with a 2048 bit key length for increased compatibility with existing software suites. Changes from 0.30 to 0.31 ------------------------- (15 July 2005) * Corrected packaging problem which left RDIG out of accredited CA group * renamed the "unknown/" directory to "discontinued/" * Added explanatory text to the distribution regarding the "other/", "worthless/" and "discontinued/" directories Changes from 0.29 to 0.30 ------------------------- (12 July 2005) * Added IHEP CA for China * Added DFN GridGermany CA (Root, User and Server CAs) * Added RDIG CA (will replace the Russian DataGrid CA) * New namespace allocation for the IUCC CA: "/C=IL/O=IUCC/*" * Added updated CESNET Root cert and renamed the old one to "CESNET-old" for legacy compatibility. The new CESNET CA started operating on June 17th * FNAL root CA service has been discontinued and thus removed from the accredited list * RPMs are now signed (experimentally) with PGP keyID 3CDBBC71. This key, the "EUGridPMA Distribution Signing Key 3" can be obtained from the popular PGP key servers, where it has been signed by the current PMA Chair, David Groep. It can also be downloaded from the web distribution site: GPG-KEY-EUGridPMA-RPM-3 Changes from 0.28 to 0.29 ------------------------- (27 April 2005) * New root certificate for the NIIF/Hungarnet CA, following the TACAR update * Preliminary inclusion of the SWITCH CA certificates. Note that the ordering of the components in the end-entity DN will currently prevent the end-entity certs to be validated (this is being addressed by SwissSign) * Modified layout of the tar distribution, in preparation for support of multiple authentication profiles Changes from 0.27 to 0.28 ------------------------- (6 April 2005) * Added the root certs for the newly accredited CAs "AustrianGrid" and "NIIF/Hungarnet" * updated signing policy file of SiGNET CA to handle new emailAddress DN component name * added "BalticGrid CA" in the "worthless" section, for experimentation by AndersW * UKeScience CA changed to SHA1 digest for the root certificate * new CRL and CA URLs for both CyGrid CAs Changes from 0.26 to 0.27 ------------------------- (22 February 2005) * added additional entry to UKeScience signing policy file to accomodate openssl 0.9.7c rendering of emailAddress component in the subject DN * updated DutchGrid CA cert from web site: extended lifetime to 2021 and changed digest algorithm from MD5 to SHA1 * added a tar-ball distribution with a configure scrfipt for convenience * Removed DOESG-Root from the accredited CA list, as per request of of the CA on January 28, 2005. There are no certs left issued by this CA. * Added Grid-FR CA by CNRS, and extended the signing_policy file of the associated CNRS-Projets CA. * A new root certificate for the CyGrid CA (with a new subject name). The old CyGrid CA has been moved to "-old". Both are in the accredited list. The new CRL location has been added. Changes from 0.25 to 0.26 ------------------------- * Added KFKI-RMKI-CA for Hungary * removed Spain-old Changes from 0.24 to 0.25 ------------------------- * Added the new Spain CA with hash 13eab55e and alias: Spain * Rename the Spain CA to Spain-old (expires on 2004-11-12) Changes from 0.23 to 0.24 ------------------------- * Added the Slovenian SiGNET CA with hash 747183a and alias: SiGNET * Added the SEE-GRID CA with hash 468d15b3 and alias: SEE-GRID * Added the Estonian Grid CA, with hash 566bf40f and alias: EstonianGrid * Added the updated LIP CA (called "LIPCA") with hash 11b4a5a2, which will supercede the old one with hash 41380387. The "LIP" one will remain in the repository will the end of 2005. * Added RPM requirements that reflects CA chaining: CNRS-Projects requires CNRS CNRS-DataGrid requires CNRS-Projects DOEGrids requires ESnet Changes from 0.22 to 0.23 ------------------------- * Added the root certificate for the PK-Grid CA, with MD5 fingerprint 24:A0:A7:DD:46:1B:EB:AE:7F:33:CA:5F:FA:D7:37:F8 Changes from 0.21 to 0.22 ------------------------- * A new root certificate for "Russia" (Russian DataGrid CA) has replaced the one that was valid till July 18th, 2004. The old MD5 fingerprint was AE:3D:F5:F2:DD:CF:B0:10:99:7A:6D:74:3C:FB:4A:22, the new one, valid till July 19th, 2009 is: A4:56:E2:01:E6:DB:86:F6:FC:5B:E5:6C:9D:A5:E1:06. The new root cert was received in an S/MIME signed message by Lev Shamardin, signed with a personal cert issued by the old root. The old root cert has been withdrawn from the package entirely. * The BEGrid signing_policy is not resistant against the OpenSSL 0.9.6 to 0.9.7 namechange in the emailAddress DN component. Changes from 0.20 to 0.21 ------------------------- * Added the IUCC and BEGrid root certs