CHANGES ------- This file lists changes made to the IGTF Trust Anchor distribution. Please refer to the README.txt file for additional information on installing the Distribution and to be informed about important information on distribution lay-out. Changes from 1.122 to 1.123 --------------------------- (4 September 2023) * Add ECC private trust hierarchy for GEANT (Research and Education) TCS (EU) * Added accredited private trust eMudhra IGTF root and issuers (IN) Changes from 1.121 to 1.122 --------------------------- (7 August 2023) * Added private trust hierarchy for GEANT (Research and Education) TCS (EU) * Added accredited eMudhra joint public trust root and issuing CAs (IN) * Added private trust eMudhra IGTF root and issuers as experimental (IN, US) NOTICE: in future releases we will move to a new RSA-2048 GPG package signing key. The new public key file, GPG-KEY-EUGridPMA-RPM-4, is distributed with this and subsequent releases. You can retrieve the new public key file from https://dl.igtf.net/distribution/GPG-KEY-EUGridPMA-RPM-4 Changes from 1.120 to 1.121 --------------------------- (15 June 2023) * Added accredited (classic) InCommon RSA IGTF Server CA 3 under the Sectigo USERTrust RSA root, for which namespaces have been updated (US) Changes from 1.119 to 1.120 --------------------------- (30 May 2023) * Added transitional CDP mirror URLs for retiring DigitalTrust CAs (AE) * Removed discontinued NIIF-Root-CA-2 (HU) * Removed expiring GermanGrid (GridKA CrossGrid) CA (DE) Changes from 1.118 to 1.119 --------------------------- (13 March 2023) * Updated UKeScience Root (2007) wih consistent string encodings (UK) * Removed obsolete SHA1 subordinates DigiCertGridTrustCA-Classic and DigiCertGridCA-1-Classic from DigiCert, reflected in RPDNC namespaces * Experimental (non-accredited) new InCommon RSA IGTF Server CA 2 (ICA under Sectigo USERTrust RSA root, for which namespaces have been updated) (US) Changes from 1.117 to 1.118 --------------------------- (27 February 2023) * Updated GridCanada CA with re-issued SHA-2 based root (CA) * Updated CILogon basic, silver, and openid with re-issued SHA-2 certs (US) * Updated UKeScience Root (2007) re-issued with SHA-2, retired 2A ICA (UK) Changes from 1.116 to 1.117 --------------------------- (29 August 2022) * Add new intermediate ICA DigiCert Grid-TLS (US) * Add new intermediate ICA DigiCert Grid-Client-RSA2048-SHA256-2022-CA1 (US) * Removed discontinued NCSA-slcs-2013 following end of XSEDE (US) * Removed discontinued PSC-Myproxy-CA following end of XSEDE (US) * RPM packaging: rpm packages are now signed using a SHA-256 digest, file digests using algo 8 (SHA-256), and the yum/dnf listings are signed with SHA-256 as well. This removes support for yum-based distributions <=EL5 (for which ELS ended in November 2020), but allows installation of packages on EL9 (Rocky9, AlmaLinux9, &c) that require SHA-256. Changes from 1.115 to 1.116 --------------------------- (25 April 2022) * Updated intermediate CERN Grid CA ICA with extended validity (CERN) Changes from 1.114 to 1.115 --------------------------- (28 March 2022) * Removed obsolete CNRS2 CAs, superseded by AC-GRID-FR hierarchy (FR) * Add supplementary BCDR download location for UGRID-G2 CRL (UA) * Extended validity period of HPCI CA (JP) Changes from 1.113 to 1.114 --------------------------- (l7 January 2022) * Extended validity for SlovakGrid issuing CA (SK) Changes from 1.112 to 1.113 --------------------------- (4 October 2021) * Suspended MD-GRID CA due to network resolution issues (MD) Changes from 1.111 to 1.112 --------------------------- (16 August 2021) * Updated ANSPGrid CA with extended validity date (BR) Changes from 1.110 to 1.111 --------------------------- (24 May 2021) * Removed discontinued NERSC-SLCS CA (US) * Removed discontinued MYIFAM CA (MY) Changes from 1.109 to 1.110 --------------------------- (22 March 2021) * Removed INFN-CA-2015 that has disappeared operationally (IT) Changes from 1.108 to 1.109 --------------------------- (18 January 2021) * Removed discontinued DM private IGTF classic CAs (AE) * Removed obsolete QuoVadis-Root-CA1, under which no ICAs are left (BM) * Updated QV Grid ICA G2 intermediary following its re-issuance (BM) Changes from 1.107 to 1.108 --------------------------- (14 December 2020) * Added DigitalTrust classic IGTF specific and public trust IGTF CAs (AE) * Updated PCS MyProxy SLCS CRL URL location (US) Changes from 1.106 to 1.107 --------------------------- (4 August 2020) * retired DarkMatterSecureCA and DarkMatterAssuredCA (AE) * removed superseded PolishGrid CA (PL) * Added TCS G4 ECC trust anchors to accredited set (EU) Changes from 1.105 to 1.106 --------------------------- (4 May 2020) * Removed expiring AddTrust External CA Root (US) * Updated legacy DutchGrid (Nikhef MS) Root CA (NL) * Removed discontinued NCSA-tfca-2013 CA (US) * Added TCS G4 ECC trust anchors to experimental area (EU) Changes from 1.104 to 1.105 --------------------------- (30 March 2020) * Discontinued CERN-LCG-IOTA-CA following decommissioning by authority (CERN) * Added new G4 intermediates for the GEANT TCS service and supporting self-signed USERTrust RSA Root (EU) * Updated AddTrust External CA Root signing policy to support legacy UTN chains for GEANT TCS G4 (EU) Changes from 1.103 to 1.104 --------------------------- (29 January 2020) * Reinstated AddTrust External CA Root in parallel to Comodo RSA CA to ease transitionary period (US) Changes from 1.102 to 1.103 --------------------------- (27 January 2020) * Updated contact addresses for DigiCert (US) * Regrafted InCommon IGTF Server CA onto self-signed Comodo RSA CA (US) * Discontinued superfluous AddTrust External CA Root (US) * Discontinued AustrianGrid CA (AT) Changes from 1.101 to 1.102 --------------------------- (14 October 2019) * Added CESNET-CA-4 ICA accredited classic CA for issuer roll-over (CZ) Changes from 1.99 to 1.101 -------------------------- (24 June 2019, note: 1.100 was not issued) * added new trust anchor for PolishGrid (2019) for key roll-over (PL) * withdrawn discontinued CILogon OSG CA (US) Changes from 1.98 to 1.99 ------------------------- (27 May 2019) * withdrawn superseded HKU CA (HK) * withdrawn discontinued CyGrid CA following migration to TCS (CY) Changes from 1.97 to 1.98 ------------------------- (29 Apr 2019) * withdrawn superseded IRAN-GRID authority (IR) Changes from 1.96 to 1.97 ------------------------- (25 Mar 2019) * temporarily withdrawn EG-GRID 4a96b1ea for network availability reasons (EG) Changes from 1.95 to 1.96 ------------------------- (25 Feb 2019) * withdrawn superseded QuoVadis-Grid-ICA (1st gen) CA (BM) * added new trust anchor MD-Grid-CA-T for rollover of existing CA (MD) * discontinued expiring 2009 series MD-Grid-CA (MD) Changes from 1.94 to 1.95 ------------------------- (26 Nov 2018) * Updated namespaces and signing_policy files for CILogon Silver CA to permit DNs without "/C=US" (US) Changes from 1.93 to 1.94 ------------------------- (29 Oct 2018) * extended validity period for the ArmeSFo CA (AM) * withdrawn expiring DFN-SLCS CA (DE) Changes from 1.92 to 1.93 ------------------------- (24 Sep 2018) * Updated contact information for HellasGrid-CA (GR) * Removed superseded IGCA CA (IN) Changes from 1.91 to 1.92 ------------------------- (25 Jun 2018) * Added HKU CA 2 trust anchor during transitioning period (HK) Changes from 1.90 to 1.91 ------------------------- (14 May 2018) * Updated MREN CA with extended validity period (ME) Changes from 1.89 to 1.90 ------------------------- (26 March 2018) * Added new Grid-FR hierarchy for Renater (AC-GRID-FR series) (FR) * Added new GARUDAINDIA2 root for key roll-over IGCA (IN) * Updated contact metadata for UNAM trust anchors (MX) Changes from 1.88 to 1.89 ------------------------- (8 January 2018) * Discontinued expiring UGRID (2008) root CA (UA) Changes from 1.87 to 1.88 ------------------------- (27 November 2017) * updated UKeScience 2B ICA based on a SHA-2 family digest (UK) * added new PKIUNAMgrid (2017) trust anchor for roll-over (MX) Changes from 1.86 to 1.87 ------------------------- (30 October 2017) * added new accredited classic DarkMatter Private Root G4 and ICA (AE) * updated PK-Grid-2007 trust anchor with extended validity period (PK) * extended validity period for UNAMgrid-ca trust anchor (MX) Changes from 1.85 to 1.86 ------------------------- (9 October 2017) * updated MaGrid CA with extended validity period (MA) * removed discontinued pkIRISGrid CA (ES) * discontinued depricated yum v2 and rpm-apt package management support (only affects yum installs on RHEL/CentOS2+3, Fedora Core 1-3, and bespoke support for installing RPM packages using APT for pre-2006 RedHat systems) Changes from 1.84 to 1.85 ------------------------- (31 July 2017) * Updated URL domain information for CyGrid (CY) Changes from 1.83 to 1.84 ------------------------- (26 June 2017) * Updated ROSA root certificate with extended 20yr valitity (RO) * Updated contact details for CyGrid CA following transition to CYNET (CY) * Removed obsoleted KISTI-2007 trust anchor - replaced by KISTIv3 (KR) * Removed expiring LACGrid trust anchor a9082267 (BR) * Added UK Pathfinder AAAI CA 1 to unaccredited (misc) area (UK) Changes from 1.82 to 1.83 ------------------------- (29 May 2017) * Added new trust anchor for accredited KISTI CA v3 (KR) * Removed obsolete GEANT TCS G1 and G2 (old Comodo-backed) trust anchors: UTN-USERFirst-Hardware TERENA-eScience-SSL-CA AAACertificateServices UTNAAAClient TERENAeSciencePersonalCA UTN-USERTrust-RSA-CA TERENA-eScience-SSL-CA-2 TERENAeSciencePersonalCA2 (EU) Changes from 1.81 to 1.82 ------------------------- (27 March 2017) * Added new G2 UGrid trust anchor (UA) * Extended validity for AEGIS CA (RS) * Withdrawn discontinued FNAL KCA (US) * Extended valitity for REUNA CA (CL) Changes from 1.80 to 1.81 ------------------------- (28 February 2017) * Added accredited DarkMatter classic QV-intermediate ICAs (AE) including QuoVadis Root CA 2 G3 and Root CA 3 G3 higher level CAs (BM) * Updated contact information for EUN EG-GRID CA (EG) * Withdrawn classic UKeScienceCA-2A in advance of repurposing (UK) Changes from 1.79 to 1.80 ------------------------- (30 January 2017) * Discontinued BEGrid2008 (BELNET) classic authority (BE) Changes from 1.78 to 1.79 ------------------------- (28 November 2016) * Updated UNLPGrid CA with extended validity period (AR) * Fix regular expressions in CILogon and NCSA CA namespaces files (US) * Included rollover CA IRAN-GRID-CGC-G2 (IR) * Corrected an incorrect line in selected info files for DigiCert (US) * Discontinued expiring NECTEC CA (TH) Changes from 1.77 to 1.78 ------------------------- (5 October 2016) * Removed superseded INFN-CA-2006 CA (IT) * Updated Debian packaging to support APT security improvements Changes from 1.76 to 1.77 ------------------------- (26 September 2016) * Updated namespaces and signing_policy files for CILogon Basic CA to permit DNs without "/C=US" (US) * Added G2 series (sha-2) QuoVadis Root 2 and Grid ICA G2 (BM) * Removed discontinued UniandesCA (CO) Changes from 1.75 to 1.76 ------------------------- (25 July 2016) * Added accredited RCauth.eu IOTA CA and associated root (EU) * Added DutchGrid Root G1 (NL) Changes from 1.74 to 1.75 ------------------------- (27 June 2016) * Discontinued expired UFF BrGrid CA (BR) * Discontinued expired HellasGrid-2006 and associated Root (GR) Changes from 1.73 to 1.74 ------------------------- (16 May 2016) * Removed superseded NorduGrid (2006) CA (DK) * Added HellasGrid 2016 CA (GR) Changes from 1.72 to 1.73 ------------------------- (28 March 2016) * Updated key pair for SDG CA G2 (CN) * Revised URL to point to http endpoint for CERN IOTA ICA CRL (CERN) * Added date field to Debain Release file to work around APT bug 809329 * Added an InRelease file for changing Debian packaging * Added experimental DCA Root G1 and RCauth.eu Pilot ICA G1 (NL, EU) Changes from 1.71 to 1.72 ------------------------- (29 February 2016) * Added roll-over subordinate for the SDG CA G2 (CN) * Added CERN LCG IOTA CA (CERN) * Updated PSC MyProxy CA with extended validity (US) Changes from 1.70 to 1.71 ------------------------- (25 January 2016) * Added accredited classic KENET ICA and associated Root (KE) * Removed expiring SDG CA (CN) * Updated CyGrid Root CA with extended validity period (CY) * Updated BG-ACAD-CA with extended validity period (BG) Changes from 1.69 to 1.70 ------------------------- (30 November 2015) * Updated CRL URL hosted by KIT for ArmeSFO (AM) * Added NorduGrid 2015 trust anchor (DK,NO,SE,FI,IS) * Discontinued superseded DigiCertGridCA-1G2-Classic (US) Changes from 1.68 to 1.69 ------------------------- (26 October 2015) * Added new INFN "2015" CA as roll-over of the 2006 instance (IT) * Added new CILogon OSG CA (US) * Discontinued BalticGrid CA (EE) Changes from 1.67 to 1.68 ------------------------- (5 October 2015) * Discontinued CALG CA (LV) * Added experimental KENET CAs (KE) Changes from 1.65 to 1.67 ------------------------- (31 August 2015 - release jump, skipping 1.66) * Discontinued NCSA-mics CA (US) * Withdrawn G2 root for IPM CA (IR) Changes from 1.64 to 1.65 ------------------------- (29 June 2015) * Discontinued NAREGI CA (JP) * Added addition G2 root for IPM CA (IR) * Added new subjectdn attribute to the trust anchor and profile meta-data files to aid monitoring and authentication-profile based access control mechanism use cases. See http://wiki.eugridpma.org/Main/IGTFInfoFile (ALL) Changes from 1.63 to 1.64 ------------------------- (1 June 2015) * Extended validity period of the BalticGrid CA (EE,LT,LV) * Removed obsolete NICS-MyProxy CA (US) * Added revised DigiCertGridCA-1G2-Classic-2015 Classic CA (US) * Updated CRL URL information for TCS G3 by preferring secondary URI (EU) * Updated RDIG CA with extended validity self-signed root (RU) * Removed obsolete NCSA-slcs CA, replaced by NCSA-slcs-2013 (US) Changes from 1.62 to 1.63 ------------------------- (30 March 2015) * Removed obsoleted and replaced NIIF CA (HU) * Extended validity period of the KEK CA (JP) * Removed obsoleted d254cc30/CERN-Root 1d879c6c/CERN-TCA anchors (CERN) * Updated RPDNC namespaces to permit DigiCert Grid Trust G2 ICAs for DigiCert Assured ID Root CA (US) * Updated RPDNC namespaces and signing_policy files for G2 series DigiCert Grid CAs pending ICA reissuance for reverse RDN issue (US) * Nomalised cond_subject syntax for multiple signing policy files cilogon-basic cilogon-silver InCommon-IGTF-Server-CA NCSA-slcs-2013 NCSA-tfca-2013 Comodo-RSA-CA Changes from 1.61 to 1.62 ------------------------- (23 February 2015) * Added Root CA 2 for NIIF (HU) * Extended validity period for pkIRISgrid CA (ES) * Updated DigiCert root CA meta-data in preparation for TCS (US) * Included GEANT TCS CA G3 trust anchors (EU) * Temporarily suspended HIAST/74c6eaeb for operational reasons (SY) * Discontinued ULAGrid-CA-2008 CA (VE) * Discontinued NCHC CA (TW) Changes from 1.60 to 1.61 ------------------------- (1 December 2014) * Added new IPv6-capable crl_url entries for NCSA and CILogon CAs (US) * Added accredited TSU (Georgia) CA (GE) * Extended life time and updated digest function of AustrianGrid CA (AT) Changes from 1.59 to 1.60 ------------------------- (27 October 2014) * Added new SHA-2 hierarchies for TERENA Certificate Service (ed. 2009) (EU) Changes from 1.58 to 1.59 ------------------------- (29 September 2014) * Added accredited mics HPCI CA (JP) * Updated crl_url for NCSA-slcs-2013 and NCSA-tfca-2013 (US) * Renamed QuoVadis classic grid issuing CA to QuoVadis-Grid-ICA (CH, BM) Changes from 1.57 to 1.58 ------------------------- (30 June 2014) * Added accredited classic InCommon Server IGTF SSL CA and intermediate Comodo RSA CA (SHA-2) (US) * Extended permitted namespaces for AddTrust-External-CA-Root (EU, US) * Updated CILogon Basic CA from experimental to accredited:iota (US) * Updated certificate URL for IHEP-CA-2013 39d30eba (CN) * Discontinued expiring SEE-GRID '2004' CA - since replaced by new SEEGRID-CA-2013 (GR) * Discontinued retired PRAGMA-UCSD CA (US) Changes from 1.56 to 1.57 ------------------------- (2 June 2014) * Discontinued obsoleted IHEP (2009) CA ba2f39ca (CN) * Removed discontinued NCSA Two Factor CA following migration to NCSA Two Factor CA 2013 (US) Changes from 1.55 to 1.56 ------------------------- (31 March 2014) * Removed discontinued SWITCHslcs2011 and associated Root (CH) * Removed discontinued APAC CA (AU) * Removed discontinued DoEGrids CA and ESnet root (US) * Add reference to CA website for AustrianGrid CA (AT) * Add new subordinates for DigiCert: 1cdf1cd9/DigiCertGridCA-1G2-Classic and 5d9ea26d/DigiCertGridTrustCAG2-Classic (US) * Add meta-package for the IOTA-accredited CAs. Please note that there are no IOTA accredited CAs as this point in time. For specifications see https://www.eugridpma.org/guidelines/IOTA/ * Debian packaging dependencies in meta-packages now correctly use all- lower-case package names throughout Changes from 1.54 to 1.55 ------------------------- (25 November 2013) THIS RELEASE IS THE LAST ONE ALSO TO BE DISTRIBUTED IN SINGLE HASH FORMAT * New root certificate with extended life time for NorduGrid CA 1f0e8352 (DK) * Updated contact metadata for all RENATER Grid-FR related CAs (FR) * Updated CRL URL and metadata for IHEP 2013 CA 39d30eba (CN) * New root certificates for NCSA CA re-key: MyProxy CA 2013 c36f6349/7aa2b7bd and Two Factor CA 2013 ca157cee/48c8f10a (US) * New root certificate for EGI catch-all CA "SEEGRID-CA-2013" 772dbd1c (GR) * Removed AIST Grid CA (JP) * Discontinued IUCC CA (6fee79b0) following migration to TCS (IL) * Suspended JUnet-CA (b3222f9e) (JO) * Removed expired unaccredited CAs (misc) * Added unaccredited worthless NL e-Infra Zero tutorial CA 338a3561 (NL) Changes from 1.53 to 1.54 ------------------------- (24 June 2013) * Extended life time of Grid-KA CA (dd4b34ea) (DE) * Added new CERN hierarchy for CERN IT/IS CA (SHA2 migration) (CH) * Updated metadata for GridGermany DFN-CERT CAs (DE) * Updated contact metadata for KEK (JP) * Updated contact metadata for HKU (HK) * Updated contact metadata for AIST (JP) Changes from 1.52 to 1.53 ------------------------- (27 May 2013) * Added new root cert for IHEP CA (2013) (CN) * Removed retired NCSA GridShib CA (e8ac4b61) (US) * Removed backup crl_url locations for CILogon CAs due to future crl.doegrids.org shutdown. (US) * Removed retired TACC CAs (2ac09305, 684261aa, e5cc84c2) (US) * Updated NERSC CA (b93d6240) to extend validity and change to self-signed rather than subordinate to ESnet (US) Changes from 1.51 to 1.52 ------------------------- (26 January 2013) * Extended validity of ArmeSFo Root CA (d0c2a341) (AM) * Obsoleted UKeScienceCA-2007 and updated Root CRL URL and metadata (UK) * removed expiring and unaccredited 'convenience' CAs from the distribution (Thawte, ZA, TERENA SCS, BE) Changes from 1.50 to 1.51 ------------------------- (26 November 2012) * Due to the unfortunate closure of Grid-Ireland, the Grid-Ireland CA (1e43b9cc) has been discontinued (IE) * extended expiry date for CyGrid CA (afe55e66) (CY) Changes from 1.49 to 1.50 ------------------------- (24 September 2012) * Added accredited classic EG-GRID CA (EG) * Extended life time of UKeScience (2007) issuing CA (UK) Changes from 1.48 to 1.49 ------------------------- (30 July 2012) * Added ANSPGrid (126f0acf) classic CA (BR) * Extended root cert validity for CA ce33db76 to 20yr (IR) Changes from 1.47 to 1.48 ------------------------- (29 May 2012) * Extended life time of DFN GridGermany Root (1149214e) and CDPs (DE) Changes from 1.46 to 1.47 ------------------------- (30 April 2012) * Updates CA URL metadata and CRL for pkIRISGrid CA (ES) * Added accredited classic MYIFAM CA (MY) Changes from 1.45 to 1.46 ------------------------- (29 March 2012) * Removed discontinued CESNET (9b59ecad) CA (CZ) Changes from 1.44 to 1.45 ------------------------- (26 March 2012) * Added accredited NCSA 2-factor SLCS CA (US) Changes from 1.43 to 1.44 ------------------------- (30 January 2012) * Added accredited classic DigiCert CA chains (US) * Extended life time of UGRID root cert (UA) Changes from 1.42 to 1.43 ------------------------- (28 November 2011) * Added new SWITCHslcs 2011 CA, replacing SWITCHslcs 2009 (CH) * Updated contact information for SWITCH CAs (CH) * Added new accredited classic JUnet CA (JO) * Added additional CRL URL for DOEGrids CA in certificate and meta data (US) * Added additional CRL URL for ESnet Root CA in meta data (US) * Updated institute information for KIT in signing_policy file (DE) * Updated enrolment URLs for Grid-FR CA (FR) Changes from 1.41 to 1.42 ------------------------- (30 September 2011) * Corrected signing_policy file for UKeScience CA 2B (UK) Changes from 1.40 to 1.41 ------------------------- (26 September 2011) * Added accredited PSC MyProxy SLCS CA (US) * Updated CRL URL for LIPCA (PT) * Extended life time of SlovakGrid CA root (SK) * Added accredited DZ-eScience CA (DZ) * Added accredited NICS SLCS MyProxy CA (US) * Added new UK eScience issuing CAs 2A and 2B to allowed namespaces and removed superfluous signing policy entries (UK) * Normalised the certificate files (.0) for selected CAs in the 'old' format distribution. This does not affect the 'new' OpenSSL v1+ compatible release. Affected CAs are CESNET, NIKHEF, NIIF, DFN-GridGermany-Root, PSC-Myproxy-CA, and NERSC-SLCS. Old and new format files are now identical. * The "worthless" area, containing some files that are distributed merely for convenience for selected specific purposes, has been re-named to "unaccredited". Files contained in this directory must be treated with utmost care, and their inclusion in the distribution does not constitute any form of endorsement by the IGTF of these files or their content. * Added unaccredited InCommon Server CA to convenience directory (US) Changes from 1.39 to 1.40 ------------------------- (28 June 2011) * Corrected fingerprint meta-data for UniAndes CA (CO) Changes from 1.38 to 1.39 ------------------------- (27 June 2011) * Change of contact address for NAREGI CA (JP) * Change of contact address for GermanGrid CA (DE) * Added accredited classic HIAST CA (SY) * Added accredited classic Uni Andes CA (CO) * Extended life time of root certificate for SiGNET-CA (SI) * Extended life time of root certificate for Grid-Ireland (IE) * New issuing certificates (2A, 2B) for UKeScience (GB) * Updated extensions for DOEGrids-CA-1 issuing CA (US) Changes to unaccredited information: * Added experimental DZeScience CA (DZ) * Extended life time for unaccredited Benelux and NE tutorial CA cert and re-rooted namespace to new domain name (NL,BE) * Added worthless replacement gilda 2011 CA (IT) * Removed expired DutchDemo CA (NL) Changes from 1.37 to 1.38 ------------------------- (7 February 2011) * Updated meta-data info file for SRCE (HR) * Updated KEK CA root (617ff41b) with extended life time (JP) * Updated contact email address for ArmeSFo (AM) * Extended allowed namespace and new URL for SEE-GRID CA as EGI catch-all (EU) * Extended allowed namespace for NAREGI CA (JP) * Added accredited CILogin MICS CA (US) * Extended life time for NCSA CACL (MICS) CA (US) * Extended life time for NCSA MyProxy (SLCS) CA (US) * Extended life time for NorduGrid CA (DK,NO,SE,FI,SI) * Corrected namespaces file for TCS eScience Personal (EU) Changes from 1.36 to 1.37 ------------------------- (27 September 2010) * Added accredited classic TERENA eScience SSL CA and hierarchy (EU) * Discontinued NGO-Netrust CA (SG) * The OpenSSL1 compliant format no longer adds symlinks for info metadata (such references would result in multiple downloads of the same CRL data when used with FetchCRL3) * Corrected typo errors in namespaces file for AAACertificateServices (EU) * Added CILogon CAs in experimental area (US) Changes from 1.35 to 1.36 ------------------------- (25 June 2010) * Updated root certificate for PLGrid with corrected SAN extension (PL) Changes from 1.34 to 1.35 ------------------------- (11 June 2010) * Updated root certificate for SRCE with new extensions and life time (HR) * Updated root certificate for ROSA with new AKI extension and serial (RO) * Removed obsoleted CAs from experimental area (US) Changes from 1.33 to 1.34 ------------------------- (18 February 2010) * Corrected malformed EACL syntax in signing_policy for CESNET-Root-CA (CZ) Changes from 1.32 to 1.33 ------------------------- (15 February 2010) * Added accredited MICS TCS eScience Personal CA and hierarchy (EU) * Updated AustrianGrid root cert with extended life time (AT) * Updated PolishGrid CA with new contact and extended root CA life time (PL) * Removed expired CNRS-Grid-FR CA (has been superseded by CNRS2-Grid-FR) (FR) * Removed obsolete CNRS, CNRS-Projets CA (superceded by CNRS2 hierarchy) (FR) * Corrected namespaces file for BEGrid2008 (BE) * Added comment line to REUNA CA signing_policy file (CL) * Added new classic CESNET hierarchy "CESNET-CA-Root" and "CESNET-CA-3" (CZ) * Updated (re-rooted) selected UNaccredited CAs in the "worthless" area Changes from 1.31 to 1.32 ------------------------- (26 October 2009) * Updated country TLD in URLs and email for AEGIS CA (RS) * Updated contact information for CALC CA (LV) * Extended life time and updated profile or TR-Grid CA cert and CRL URL (TR) * Updated and added references to CP and CPS documents for the following authorities: HellasGrid (GR), ROSA (RO), DutchGrid (NL), IRAN-GRID (IR), and BYGCA (BY) * Withdrawn obsolete CAs SWITCH-Personal-2007, SwissSign-Root, SWITCH, SwissSign-Bronze, SwissSign-Silver, SWITCH-Server-2007 (CH) * Withdrawn expired and discontinued CA RMKI (HU) * Added persistently-named links to pre-installed accredited bundles * Added selected UNaccredited CAs to the "worthless" area Changes from 1.30 to 1.31 ------------------------- (28 July 2009) * Removed expired root certificate for BEGrid (03aa0ecb) (BE) * Removed expired and discontinued User and Server issuing CAs for DFN (fe102e03 and 34f8e29c) (DE) Changes from 1.29 to 1.30 ------------------------- (2 June 2009) * Updated contact meta-data for BYGCA, hash 709bed08 (BY) * Updated URLs for DFN Grid PKI public web pages (DE) * Added accredited NCSA GridShib SLCS CA (US) * Added accredited DFN SLCS CA (DE) * Added accredited TACC MICS CA (US) * Added accredited SWITCH (QuoVadis anchored) CAs (CH) * Added accredited FNAL-SLCS CA (US) Changes from 1.28 to 1.29 ------------------------- (4 May 2009) * Restored NGO-Netrust CA (SG) * Updated AIST Grid (CRL) URL metadata (JP) * Added accredited MD-Grid CA with hash 9ff26ea4 (MD) * Added accredited HKU Grid CA with hash 4798da47 (HK) * Updated signing policy file of APAC Grid CA (AU) * Added accredited classic BYGCA (Belarus) with hash 709bed08 (BY) * Updated namespace for the APAC CA (AU, NZ) Changes from 1.27 to 1.28 ------------------------- (10 March 2009) * Added accredited classic ULAGrid CA (VE) * Added accredited TACC Root and TACC Classic CAs (US) * Updated NERSC CRL URL download location (US) * Updated DOEGrids CRL URL download location (US) * Extended life time of NorduGrid CA (1f0e8352) (DK,SE,NO,FI,IS) * Added SigmaNet CALG CA (LV) * Updated AEGIS CA root certificate to reflect TLD name change (RS) * Added CRL for SWITCH-SLCS issuing CA and updated CA cert (304cf809) (CH) Other updates to miscellaneous CAs: * Worthless CA for EGEE "GILDA" testbed added to 'worthless' section (EU) Changes from 1.26 to 1.27 ------------------------- (30 January 2008) * Corrected signing namespace for BEGrid2008 CA (BE) * Added NERSC SLCS CA (US) * ASGCCA-2007 changed signature algorithm from MD5 to SHA1 (TW) * Added new CNRS2 hierarchy: CNRS2 -> CNRS2-Projets -> CNRS2-Grid-FR (FR) * Updated IUCC root certificate (IL) * Obsoleted EstonianGrid CA (EE) Changes from 1.25 to 1.26 ------------------------- (15 December 2008) * Added accredited classic Indian Grid CA (IGCA) (hash da75f6a8) (IN) * Updated IUCC root certificate with extended life time (IL) * Updated BEGrid (web, CRL) and UCSD-PRAGMA (web) URL metadata (BE, AP/US) * New BEGrid2008 root certificate (transitional) (BE) * Extended life time of the SEE-GRID CA (SEE) * Included CRL for NCSA SLCS CA (US) * Temporally removed NGO-Netrust CA (SG) * Withdrawn expired old PK-Grid CA (d2a353a5, superseded by f5ead794) (PK) * Experimentally added Texas Advanced Computer Center TACC Root, Classic, and MICS CAs to the experimental area (US) Changes from 1.24 to 1.25 ------------------------- (29 September 2008) * Added accredited classic NCHC CA (TW) * Updated metadata for AIST GRID CA (JP) * Updated AIST GRID CA (extended life time) based on same key pair (JP) * Updated metadata for APAC Grid CA (AU) * Updated metadata (CRL URL) for NGO-Netrust CA (SG) * updates to CA contact data in info files (EU, multiple) * updated certificates in the experimental or worthless areas (misc) Changes from 1.23 to 1.24 ------------------------- (29 July 2008) * Withdrawn NCHC (hash 71a89a47) for urgent operational reasons (TW) Changes from 1.22 to 1.23 ------------------------- (28 July 2008) * Updated metadata for CyGrid (CY), SlovakGrid (SK), Grid-FR (FR) and NCSA-SLCS and MICS (US) * Removed old UKeScienceRoot (8175c1cd) and UKeScience (adcbc9ef) that were replaced in 2006 by updated root and issuing CAs (UK) * Updated LIPCA certificate, based on same key pair (PT) * Added accredited classic MREN CA (ME) * Added NGO-Netrust (SG), PRAGMA-UCSD (PRAGMA), and NCHC (TW) Changes from 1.21 to 1.22 ------------------------- (09 June 2008) * updated extensions in PK-Grid-2007 root certificate (same keypair) (PK) * added accredited classic CA Iran-Grid (hash ce33db76) (IR) * withdrawn expired ASGCCA (hash a692434d) (TW) Changes from 1.20 to 1.21 ------------------------- (16 May 2008) * IMPORTANT update of the UKeScience Root and Issuing CAs (UK) Changes from 1.19 to 1.20 ------------------------- (17 March 2008) * Added accredited classic MARGI CA (MK) * Withdrawn expired SWITCH-Server-2006 and SWITCH-Personal-2006 CAs (CH) * Corrected namespace syntax for SWITCHaai CA (CH) * Updated namespace definitions in DFN GridGermany hierarchy (DE) * Added dependency of TERENA-SCS on GTE-CyberTrust-Global-Root. Note that neither the TERENA-SCS nor the GTE-CyberTrust-Global-Root are accredited. Changes from 1.18 to 1.19 ------------------------- (31 January 2008) * Added PK-Grid-2007 Root CA certificate (will supersede d2a353a5) (PK) * New contact email address for all PK-Grid CAs (PK) * Updated and extended lifetime of ArmeSFo root cert with same keypair (AM) * New CA certificate download locations for SwissSign CAs (CH) * New classic CA UGRID (hash 0a12b607) for the Ukraine (UA) * New classic CA UNAM-grid (hash 24c3ccde) for Mexico (MX) Changes from 1.17 to 1.18 ------------------------- (16 November 2007) * ASGCCCA-2007 added to Accredited Classic set again (TW) * Withdrawn expired CA "Spain" (hash 13eab55e) (ES) * Withdrawn expired CA "SiGNET" (hash 747183a5) (SI) * Withdrawn discontinued CA "CERN" (hash fa3af1d7) (INT) * Updated SWITCH (classic) signing namespace policies (CH) * Added UNLPGrid CA (classic, hash b7bcb7b2) (AR) * Added MaGrid CA (classic, hash 7b54708e) (MA) * New contact email address for the SlovakGrid CA (SK) * New UK e-Science CA hierarchy "-2007" added (98ef0ee5 and 367b75c3) Note: during the transition period, two hierarchies (both old and "2007") will be distributed. See accompanying newsletter for details (UK) * (selected updates to repositories containing un-accredited CAs) Changes from 1.16 to 1.17 ------------------------- (8 October 2007) * Added new RomanianGRID CA classic authority (RO) * Corrected several small typographic inconsistencies (DutchDemo, apt/README.txt) * Updates list of SWITCH eligible organisations (CH) * New contact email addresses for the AustrianGrid CA (AT), CNRS (FR) and IUCC (IL) * BEGrid CA provides an http URL for CRL download (BE) * Expired INFN (49f18420) CA withdrawn (IT) * Updated ASGCCCA-2007 certificate extensions (TW) Changes from 1.15 to 1.16 ------------------------- (8 August 2007) * A new profile for Member-Integrated Credential Services (MICS), has been defined by the IGTF. A policy nstallation bundle for authorities accredited under the MICS profile has been added to the distribution. Please refer to the IGTF web site at http://www.gridpma.org/ for a description of the MICS profile. * Corrected namespaces for for APAC CA (AU) * Added REUNA CA as a classic CA (CL) * Added NCSA-MICS and NCSA-SLCS CAs (US) * Added Ecole polytechnique federale de Lausanne to SWITCH namespace (CH) * Added new KISTI (2007) classic CA (KR) * Added Latin American and Caribbean Catch-all Grid CA (TAGPMA) * Obsoleted expired UKeScience (01621954) Root CA (GB) * Obsoleted expired HellasGrid-old (efe78092) Root CA (GR) * some new roots added to the worthless area (these are not accredited CAs!) Changes from 1.14 to 1.15 ------------------------- (9 July 2007) * Temporarily removed ASGCC CA 2007 root certificate (TW) Changes from 1.13 to 1.14 ------------------------- (1 June 2007) * Discontinued the expired GridCanada-old CA with hash 5f54f417 (CA) * APAC CA signing policy now als covers BeSTGRID in New Zealand (AU) * AEGIS (Serbia) CA added (RS) * New organisations added for SWITCH Classic CA (CH) * DutchGrid robot certificates added to signing namespace (NL) * Added CA with new keypair for ASGCC CA during roll-over "ASGCC-2007" (TW) Changes from 1.12 to 1.13 ------------------------- (11 March 2007) * Added BG.ACAD CA accredited under the classic profile (BG) * Added SWITCHaai SLCS and (classic) Root CA (CH) NOTE: the SWITCHaai SLCS CA is included in the ca_policy_igtf-slcs bundle * Extended lifetime of CyGrid CA to 2013 based on same key pair (CY) * Updated ArmeSFO CA root certificate following TACAR (AM) * Discontinued old (pre-2004) LIP CA (PT) * Extended lifetime of NorduGrid CA for 2 years (DK) * Added TERENA SCS CA hierarchy to the "worthless" area. Please note that the SCS CA has not been accredited yet (EU) Changes from 1.11 to 1.12 ------------------------- (09 February 2007) * Extended life time of root certificate for SlovakGrid (SK) * Obsoleted Russian DataGrid CA also in RPM updates (RU) * Fixed SHA-1 finger print for new SiGNET CA (SI) * Add NECTEC GOC CA (TH) * Added SWITCH Personal and Server 2007 CAs, removed 2005 CAs (CH) * Extended life time of root certificate for PolishGrid (PL) * Changed CRL URL of the NAREGI CA from https to http (JP) Changes from 1.10 to 1.11 ------------------------- (10 January 2007) * updated signing policy files for SWITCH CA (CH) * change crl_url from https to http for KEK (JP) * change crl_url from https to http for AIST (JP) * extended lifetime of ESnet (+10y) and DoEGrids (+5y) CA certs (US/DoE) * withdrawn Russian DataGrid CA (has been superseded by RDIG) (RU) Changes from 1.9 to 1.10 ------------------------ (17 October 2006) * New public web page for the BEGrid CA in metadata info file (BE) * New contact email addresses for: HellasGrid and SEE-GRID (GR, SEE), INFN CA (IT), Grid-Ireland (IE), DOEGrids CA (US/DOE), ASGCCA (TW), APAC (AU) * New CERN CA added (root and on-line CA), managed by CERN IT/IS (CERN) * New INFN CA issue 2006 to replace current one (expiring 2007) (IT) * Retired SWITCH-SSSR hierarchy pending replacement of the tree (CH) * Added new organisations to the SWITCH namespace (CH) * Removed KISTI CA (KR) Changes from 1.8 to 1.9 ----------------------- (11 September 2006) * New SiGNET CA (with 2048-bit key length) and new Subject DN (SI) * New HellasGrid CA (both Root and EE) issue 2006 added (GR) * Modified CINC Root and CINC SDC CA certificate extensions: removed SubjectAltName and IssuerAltName. (CN) * Updated extendedKeyUsage and nsCertType extension in AustrianGrid CA (AT) Changes from 1.7 to 1.8 ----------------------- (07 August 2006) * added O=Universitaet St. Gallen to the list of SWITCH Organisations (CH) * added newly accredited CINC Root CA and CINC SDC Grid CA (CN) * added new root certificate for the NAREGI CA (JP) Changes from 1.6 to 1.7 ----------------------- (24 July 2006) * removed CESNET-old from accredited list and obsoleted in RPM distribution * Added new accredited SRCE (Croatia) classic CA * Added new accredited BrGrid (Brazil) classic CA * New root and online CA certificates for updated UKeScience CA Changes from 1.5 to 1.6 ----------------------- (20 June 2006) * Removed NAREGI CA with too-short root certificate key length Changes from 1.4 to 1.5 ----------------------- (19 June 2006) * new CRL download URL for the RDIG CA * extended lifetime of root trust anchor for the GermanGrid CA (GridKa CA) old expiration date: Jun 10 13:45:54 2007 GMT new expiration date: Jun 10 13:45:54 2014 GMT * extended lifetime of root trust anchor for the Grid-Ireland CA (TCD) old expiration date: Jul 27 17:10:40 2007 GMT new expiration date: Jul 27 17:10:40 2012 GMT * ASGCC CA no longer authoritative for "/C=CN/O=IHEP/OU=CC/*" * AIST CA updated with new X.509v3 extensions (same keypair) * change in list of supported organisations for SWITCH CA (Switserland) Changes from 1.2 to 1.4 ----------------------- (15 May 2006) * increased version number of the distribution by two to accomodate RPM version inconsistencies in the release system of the LCG project * Extended life time for the CA root certificate of the NorduGrid CA Changes from 1.1 to 1.2 ----------------------- (13 Apr 2006) * new contact email address for KISTI CA * consistent quote formatting for pkIRISgrid signing_policy file * updated DutchDemo CA root certificate (in the worthless area) * suspended SWITCH Silver-root based hierarchy, since CRLs are not ready * added new organisation to the SWITCH namespace * changed ArmeSFO CRL download location to new server * new pkIRISGrid root certificate (same keypair) from TACAR added * added extra double quotes to the UK eScience signing policy file Changes from 1.1 R1 to 1.1 R2 ----------------------------- (22 Feb 2006) NOTE: THERE ARE NO CHANGES TO THE CONTENT IN THIS SUB-RELEASE * Corrected typo in the obsoletion of the old ca_CNRS-DataGrid * Improved understandability of the igtf-policy-installation-bundle Changes from 1.0 to 1.1 ----------------------- (20 Feb 2006) * Corrected malformed signing_policy file for CESNET-old * New (generic) email address for the LIP and LIPCA CAs * Expired Cygrid-old and CNRS-Datagrid CAs. The IGTF-classic meta-RPM package implicitly obsoletes there two discontinued CAs * Added alternative syntax for namespace constraints in .namespaces files. See http://www.eugridpma.org/documentation/ for details * Added pkIRISGrid CA as an accredited:classic CA * Corrected SWITCH CA hierarchy, adding the SWITCH Server and Personal CAs inbetween the SWITCH CA and the end-entities * New 2006+ SWITCH Personal and Server CAs in the SwissSign Root-originating hierarchy * New SwissSign Silver-Root and hierarchy added * New authorities from the APGridPMA: APAC GRID, KEK GRID, and NAREGI CA * New GridCanada CA root, renamed the "5f54f417" CA to GridCanada-old * New root cert (with same keypair) for the worthless DutchDemo CA * Pre-installed CA tarballs added for the classic and SLCS profiles Changes from 0.32 to 1.0 ------------------------- (25 October 2005) * IGTF policy metapackages replace EUGridPMA-only ones. The legacy "ca_policy_eugridpma" RPMs now depend on their IGTF counterparts. The EUGridPMA specific files will be withdrawn in a future release. * New directory structure moves all data regarding accredited authorities to the singe "accredited/" directory (including the policy meta-RPM) * Tar-ball installation now supports multiple profiles and targets * Meta-data (".info") for each CA added, and installed in trusted directory * The "experimental" profile supercedes the "others/" area in the distribution (note: this affects the FNAL_KCA, which will shortly be added as an accredited authority under the new Short-Lived Credential Services profile) * Discontinued authorities are no longer distributed * Only accredited authority RPM packages are signed by the PMA's GPG key * APGridPMA accreditations added: KISTI and AIST * New EUGridPMA accreditations: TR-Grid and BalticGrid * CRL URL for SiGNET changed to http instead of https * Added compatibility namespace for NIIF "/C=HU/O=NIIF CA/OU=NIIF/OU=GRID/*" Changes from 0.31 to 0.32 ------------------------- (23 August 2005) * Corrected namespace for the new CESNET CA * New RDIG root certificate with a 2048 bit key length for increased compatibility with existing software suites. Changes from 0.30 to 0.31 ------------------------- (15 July 2005) * Corrected packaging problem which left RDIG out of accredited CA group * renamed the "unknown/" directory to "discontinued/" * Added explanatory text to the distribution regarding the "other/", "worthless/" and "discontinued/" directories Changes from 0.29 to 0.30 ------------------------- (12 July 2005) * Added IHEP CA for China * Added DFN GridGermany CA (Root, User and Server CAs) * Added RDIG CA (will replace the Russian DataGrid CA) * New namespace allocation for the IUCC CA: "/C=IL/O=IUCC/*" * Added updated CESNET Root cert and renamed the old one to "CESNET-old" for legacy compatibility. The new CESNET CA started operating on June 17th * FNAL root CA service has been discontinued and thus removed from the accredited list * RPMs are now signed (experimentally) with PGP keyID 3CDBBC71. This key, the "EUGridPMA Distribution Signing Key 3" can be obtained from the popular PGP key servers, where it has been signed by the current PMA Chair, David Groep. It can also be downloaded from the web distribution site: GPG-KEY-EUGridPMA-RPM-3 Changes from 0.28 to 0.29 ------------------------- (27 April 2005) * New root certificate for the NIIF/Hungarnet CA, following the TACAR update * Preliminary inclusion of the SWITCH CA certificates. Note that the ordering of the components in the end-entity DN will currently prevent the end-entity certs to be validated (this is being addressed by SwissSign) * Modified layout of the tar distribution, in preparation for support of multiple authentication profiles Changes from 0.27 to 0.28 ------------------------- (6 April 2005) * Added the root certs for the newly accredited CAs "AustrianGrid" and "NIIF/Hungarnet" * updated signing policy file of SiGNET CA to handle new emailAddress DN component name * added "BalticGrid CA" in the "worthless" section, for experimentation by AndersW * UKeScience CA changed to SHA1 digest for the root certificate * new CRL and CA URLs for both CyGrid CAs Changes from 0.26 to 0.27 ------------------------- (22 February 2005) * added additional entry to UKeScience signing policy file to accomodate openssl 0.9.7c rendering of emailAddress component in the subject DN * updated DutchGrid CA cert from web site: extended lifetime to 2021 and changed digest algorithm from MD5 to SHA1 * added a tar-ball distribution with a configure scrfipt for convenience * Removed DOESG-Root from the accredited CA list, as per request of of the CA on January 28, 2005. There are no certs left issued by this CA. * Added Grid-FR CA by CNRS, and extended the signing_policy file of the associated CNRS-Projets CA. * A new root certificate for the CyGrid CA (with a new subject name). The old CyGrid CA has been moved to "-old". Both are in the accredited list. The new CRL location has been added. Changes from 0.25 to 0.26 ------------------------- * Added KFKI-RMKI-CA for Hungary * removed Spain-old Changes from 0.24 to 0.25 ------------------------- * Added the new Spain CA with hash 13eab55e and alias: Spain * Rename the Spain CA to Spain-old (expires on 2004-11-12) Changes from 0.23 to 0.24 ------------------------- * Added the Slovenian SiGNET CA with hash 747183a and alias: SiGNET * Added the SEE-GRID CA with hash 468d15b3 and alias: SEE-GRID * Added the Estonian Grid CA, with hash 566bf40f and alias: EstonianGrid * Added the updated LIP CA (called "LIPCA") with hash 11b4a5a2, which will supercede the old one with hash 41380387. The "LIP" one will remain in the repository will the end of 2005. * Added RPM requirements that reflects CA chaining: CNRS-Projects requires CNRS CNRS-DataGrid requires CNRS-Projects DOEGrids requires ESnet Changes from 0.22 to 0.23 ------------------------- * Added the root certificate for the PK-Grid CA, with MD5 fingerprint 24:A0:A7:DD:46:1B:EB:AE:7F:33:CA:5F:FA:D7:37:F8 Changes from 0.21 to 0.22 ------------------------- * A new root certificate for "Russia" (Russian DataGrid CA) has replaced the one that was valid till July 18th, 2004. The old MD5 fingerprint was AE:3D:F5:F2:DD:CF:B0:10:99:7A:6D:74:3C:FB:4A:22, the new one, valid till July 19th, 2009 is: A4:56:E2:01:E6:DB:86:F6:FC:5B:E5:6C:9D:A5:E1:06. The new root cert was received in an S/MIME signed message by Lev Shamardin, signed with a personal cert issued by the old root. The old root cert has been withdrawn from the package entirely. * The BEGrid signing_policy is not resistant against the OpenSSL 0.9.6 to 0.9.7 namechange in the emailAddress DN component. Changes from 0.20 to 0.21 ------------------------- * Added the IUCC and BEGrid root certs