Index of /distribution/egi/current
European Grid Infrastructure EGI Trust Anchor release 1.135 2025.05.05
------------------------------------------------------------------------------
For DOCUMENTATION on this EGI Trust Anchor release, see
the EGI operations manual HOWTO-01 at https://edu.nl/envyq
------------------------------------------------------------------------------
This is the EGI Trust Anchor release, based on the updated IGTF Accredited CA
distribution version 1.135-1 with the specific DOGWOOD CA in
meta-package "ca-policy-egi-combined-adequacy-model-1.135-1"
that supports the model of joint assurance provision as detailed in the
EGI Policy on Acceptable Authentication Assurance.
The following notices are republished from the IGTF, insofar as pertinent to
this release. Details are found in the newsletter https://www.eugridpma.org/
Changes from 1.134 to 1.135
---------------------------
(5 May 2025)
* Updated SlovakGrid trust anchor with extended validity (SK)
* Withdrawn discontinued HPCI CA (JP)
NOTE: the _default_ package signing key has changed to the 4th generation
for increased security and compatibility. The new key is a 2048-bit
RSA key with fingerprint 565F4528EAD3F53727B5A2E9B055005676341F1A.
The GPG public key file can be retrieved from
https://dl.igtf.net/distribution/current/GPG-KEY-EUGridPMA-RPM-4
and imported on rpm-based distributions with 'rpmkeys --import <file>'
or, on Debian (apt) based systems, referenced in Signed-By in sources.list
or added as a file in /etc/apt/trusted.gpg.d/
This change was first announced in the 1.122 release (August 2023),
but a distribution signed with the generation-3 key remains available.
A signature of the gen-4 key signed by the gen-3 GPG key is available
from https://dl.igtf.net/distribution/current/ for validation.
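Added example (not part of the IGTF or EGI release text): one way to check a downloaded key file against the fingerprint published above before importing it, rejecting files that carry more than one primary key. The function names are hypothetical, and `gpg --show-keys` assumes GnuPG 2.2 or later.

```sh
#!/bin/sh
# Fingerprint of the generation-4 signing key, as published in the notice above.
IGTF_GEN4_FPR="565F4528EAD3F53727B5A2E9B055005676341F1A"

# Read `gpg --with-colons` key listing on stdin and print the primary-key
# fingerprint. Fails if the listing holds zero or more than one primary key,
# so an extra key bundled into the same file cannot ride along unnoticed.
primary_fpr() {
    awk -F: '
        $1 == "pub"         { npub++; want = 1; next }
        $1 == "fpr" && want { fpr = $10; want = 0 }   # fpr right after pub
        END { if (npub == 1 && fpr != "") print fpr; else exit 1 }'
}

# Normalise a fingerprint for comparison: strip whitespace, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# fpr_matches EXPECTED: key listing on stdin must contain exactly one
# primary key whose fingerprint equals EXPECTED.
fpr_matches() {
    got=$(primary_fpr) || return 1
    [ "$(norm_fpr "$got")" = "$(norm_fpr "$1")" ]
}

# verify_and_import KEYFILE: import into the rpm keyring only on a match.
# On Debian, replace the rpmkeys line with the Signed-By or trusted.gpg.d
# step described in the notice.
verify_and_import() {
    keyfile=$1
    if gpg --show-keys --with-colons "$keyfile" | fpr_matches "$IGTF_GEN4_FPR"
    then
        rpmkeys --import "$keyfile"
    else
        echo "fingerprint check failed for $keyfile, not importing" >&2
        return 1
    fi
}
```

Run `verify_and_import GPG-KEY-EUGridPMA-RPM-4` on the file retrieved from the URL above; the fingerprint to compare against should come from a channel other than the download itself.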
The CA modifications encoded in both "requires" and "obsoletes" clauses (RPM)
and Conflicts/Replaces clauses (Debian) have been incorporated in the
above-mentioned meta-packages. This release is best enjoyed with fetch-crl v3 or
better, available from GNU/Linux OS add-on repositories Fedora, EPEL, Debian,
and from the IGTF at https://www.igtf.net/fetch-crl
Policy on Acceptable Authentication Assurance
---------------------------------------------
If a Community or e-Infrastructure registration service is accredited by EGI
to meet the approved authentication assurance level, then an IGTF "DOGWOOD"
accredited Authority, used in combination with such a service, is also sufficient.
HOWTO-01 (https://edu.nl/envyq#combined-assuranceadequacy-model) has the details.
TECHNICALLY THIS MEANS ...
that you must install the new ca-policy-egi-cam packages ONLY if you ALSO,
at the same time, implement VO-specific authorization controls in your
software stack. This may require reconfiguration or a software update.
OTHERWISE
install or update ONLY the regular ca-policy-egi-core package. There
are no changes in this case. The ca-policy-egi-core package is approved for
all VO membership and assurance models. No configuration change is needed.
Version information: ca-policy-egi-combined-adequacy-model = 1.135-1