European Grid Infrastructure EGI Trust Anchor release 1.92          2018.06.25
------------------------------------------------------------------------------

For release DOCUMENTATION available on this EGI Trust Anchor release see
https://wiki.egi.eu/wiki/EGI_IGTF_Release

------------------------------------------------------------------------------

This is the EGI Trust Anchor release, based on the updated IGTF Accredited CA
distribution version 1.92-1 with the specific DOGWOOD CA in meta-package
"ca-policy-egi-combined-adequacy-model-1.92-1" that supports the model of
joint assurance provision as detailed in the EGI Policy on Acceptable
Authentication Assurance.

IMPORTANT NOTICE: This release contains a new "cam" (combined
assurance/adequacy) package based on the approved policy on differentiated
assurance. See details on the EGI Wiki at
https://wiki.egi.eu/wiki/EGI_IGTF_Release#cam-impl

TECHNICALLY THIS MEANS THAT you must ONLY install the new ca-policy-egi-cam
packages if you ALSO at the same time implement VO-specific authorization
controls in your software stack. This may require reconfiguration or a
software update. See https://wiki.egi.eu/wiki/EGI_IGTF_Release#cam-impl

OTHERWISE, install or update only the regular ca-policy-egi-core package.
There are no changes in this case. The ca-policy-egi-core package is approved
for all VOs membership and assurance models. No configuration change is
needed.

With the introduction of combined assurance/adequacy, the EGEE compatibility
RPM (lcg-CA) can no longer be supported, and - when still installed - will be
obsoleted. The proper dependency packages are:
  ca-policy-_body_-_class_
and these have been installed automatically as dependencies since 2010.

The following notices are republished from the IGTF, insofar as pertinent to
this release.
Details are found in the newsletter https://www.eugridpma.org/

Changes from 1.91 to 1.92
-------------------------
(25 Jun 2018)

* Added HKU CA 2 trust anchor during transitioning period (HK)

The CA modifications encoded in both "requires" and "obsoletes" clauses (RPM)
and Conflicts/Replaced clauses (Debian) have been incorporated in the
above-mentioned meta-packages.

This release is best enjoyed with fetch-crl v3 or better, available from
GNU/Linux OS add-on repositories Fedora, EPEL, Debian, and from the IGTF at
https://www.igtf.net/fetch-crl

Policy on Acceptable Authentication Assurance (Updated 1 Feb 2017)
------------------------------------------------------------------
If a VO registration service or e-Infrastructure registration service is
accredited by EGI to meet or exceed the approved authentication assurance
profiles, an IGTF accredited Authority meeting the Assurance Profile DOGWOOD -
used solely in combination with said registration service - is also adequate
for user authentication.

This policy has been adopted on Feb 1st, 2017, and is available at
https://documents.egi.eu/document/2930

In the PKI Technology Rendering, EGI thus approves the IGTF SLCS, MICS, and
Classic APs for general use (egi-core), and in addition the IOTA AP for use in
combination with VO registration services that themselves meet the
aforementioned requirements. This additional restriction must be implemented
by each service in the authorization software. The "combined assurance" model
package must not be installed unless the additional authorization is in place.
You will need to reconfigure and may need to install upgrades.

Version information: ca-policy-egi-combined-adequacy-model = 1.92-1
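
The additional authorization restriction described in the policy above, sketched as an added example (not code from EGI, the IGTF, or any middleware). The issuer DNs, VO names and the two lookup tables are constructed assumptions; a real service would derive them from its installed trust anchors and from the list of accredited registration services.

```python
# Added example: authorization decision for the combined assurance model.
# All DNs, VO names and table layouts below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

GENERAL_USE_APS = {"classic", "mics", "slcs"}  # approved for general use (egi-core)
COMBINED_ONLY_APS = {"iota"}                   # adequate only with an accredited VO

# Hypothetical site tables: issuer DN -> authentication profile, and the VOs
# whose registration service is accredited to the approved assurance profiles.
ISSUER_PROFILE = {
    "/DC=example/DC=org/CN=Example Classic CA": "classic",
    "/DC=example/DC=org/CN=Example IOTA CA": "iota",
}
ACCREDITED_VOS = {"vo.accredited.example"}


@dataclass(frozen=True)
class Credential:
    issuer_dn: str      # issuer of the already validated end-entity certificate
    vo: Optional[str]   # VO from a validated membership assertion, if any


def authorize(cred, issuer_profile=ISSUER_PROFILE, accredited_vos=ACCREDITED_VOS):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    profile = issuer_profile.get(cred.issuer_dn)
    if profile is None:
        return False, "issuer not in trust anchor table"
    if profile in GENERAL_USE_APS:
        return True, f"{profile} issuer approved for general use"
    if profile in COMBINED_ONLY_APS:
        # The certificate alone is not adequate: require an accredited VO.
        if cred.vo is None:
            return False, "iota issuer without VO membership"
        if cred.vo not in accredited_vos:
            return False, f"iota issuer with non-accredited VO {cred.vo}"
        return True, f"iota issuer combined with accredited VO {cred.vo}"
    return False, f"unknown profile {profile!r}"


if __name__ == "__main__":
    iota = "/DC=example/DC=org/CN=Example IOTA CA"
    for c in (Credential(iota, None),
              Credential(iota, "vo.other.example"),
              Credential(iota, "vo.accredited.example"),
              Credential("/DC=example/DC=org/CN=Example Classic CA", None)):
        print(c, "->", authorize(c))
```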