Wednesday, 7 January 2009
OpenSSL vulnerability
There is a new vulnerability in OpenSSL in all versions prior to 0.9.8j, discovered by Google's security team. You will be happy to learn that the Grid PKI is not affected by the vulnerability since it uses RSA signatures throughout: only DSA signatures and ECDSA (DSA but with Elliptic Curves) are affected. (Of course you should still upgrade!)
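The "are we affected?" question in the post comes down to which signature algorithm each trust anchor is actually signed with, which is worth checking mechanically rather than assuming. The following Python script is an added example (not code from the blog, OpenSSL or the IGTF): it reads the outer signatureAlgorithm OID straight out of a DER certificate with a minimal stdlib-only parser and flags DSA and ECDSA anchors. The three sample certificates it builds are constructed shells with an empty tbsCertificate, so this is a check of the signature algorithm field only, not a validation of the certificates; the OID table holds standard values and the CA aliases are made up.

```python
"""Triage trust anchors by signature algorithm: flag DSA/ECDSA, pass RSA.
Added example; not from the blog, OpenSSL or the IGTF distribution."""
import base64

# Standard signature-algorithm OIDs (not taken from the post).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "RSA"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "RSA"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "RSA"),
    "1.2.840.10040.4.3": ("dsaWithSHA1", "DSA"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "ECDSA"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ECDSA"),
}
AFFECTED_FAMILIES = {"DSA", "ECDSA"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode DER OID content octets into dotted form."""
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm of an X.509 Certificate
    (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = _read_tlv(alg, 0)  # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the body."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def classify(cert_der):
    """Return (algorithm name, family, affected?) for one certificate."""
    oid = signature_algorithm_oid(cert_der)
    name, family = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    return name, family, family in AFFECTED_FAMILIES


def triage(anchors):
    """anchors: {alias: pem_text} -> {alias: (name, family, affected)}."""
    return {alias: classify(pem_to_der(pem)) for alias, pem in anchors.items()}


# --- constructed sample input (not real CA certificates) ------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))


def make_fake_cert_pem(sig_oid):
    """Minimal Certificate shell with an empty tbsCertificate; only the
    signatureAlgorithm field is meaningful, which is all this triage reads."""
    cert = _der(0x30, _der(0x30, b"")
                + _der(0x30, _der_oid(sig_oid) + _der(0x05, b""))
                + _der(0x03, b"\x00" * 17))
    b64 = base64.b64encode(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


SAMPLE_ANCHORS = {  # aliases are made up
    "example-rsa-ca": make_fake_cert_pem("1.2.840.113549.1.1.5"),
    "example-dsa-ca": make_fake_cert_pem("1.2.840.10040.4.3"),
    "example-ecdsa-ca": make_fake_cert_pem("1.2.840.10045.4.3.2"),
}

if __name__ == "__main__":
    for alias, (name, family, affected) in triage(SAMPLE_ANCHORS).items():
        print(f"{alias}: {name} ({family}) -> {'AFFECTED' if affected else 'ok'}")
```

Pointing `triage` at the PEM files of a real trust-anchor directory gives the per-CA answer the post asserts for the Grid PKI as a whole; an unknown OID is reported as "unknown" rather than silently passed.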
Monday, 29 September 2008
New IGTF distribution 1.25
What's new? NCHC (Taiwan) is back in, with new keys not vulnerable to the Debian incident. A number of metadata files were updated.
There is a new group, the IGTF RAT (Risk Assessment Team), which covers the whole world, timezone-wise (or close enough). The idea is that when a vulnerability is announced via the IGTF, the RAT assesses the risk and alerts the CAs concerned. The idea, of course, comes from the Debian incident, where "most" CAs had responded within a week, but "most" is not good enough. So the RAT ran a test, alerting each CA to see how long it took to respond via the address advertised in the .info file. Of all currently accredited CAs, about 75% responded within 24 hours (including the UK!), but some took over a week and a second prodding. For many CAs it highlighted communications problems in their infrastructure, such as mail being flagged as spam; these should be addressed in this release.
From a day-to-day operations point of view, you may be relieved to find the new FNAL certificate updated in the "experimental" folder, since the old one was due to expire soon.
https://dist.eugridpma.info/distribution/igtf/current/
Monday, 4 February 2008
Out in the big world
Thought I'd start blogging some CA stuff because a lot of things happen which you may not otherwise hear about (or indeed care about, but at least you have the option). CAs are kind of operational so I thought it fits OK here. It ain't storage, that I know (except see below).
Starting in the big world, we now have Ukraine and Morocco on board. I was a reviewer for both. Much of my review work (specifically travel to the meetings) is funded by GridPP, so we can count this as yet another GridPP contribution to the global grid, I'd have thunk. If that helps.
Anyway, a review often takes many iterations (I counted nine with someone, Mexico I think, and we're still not quite done), and the whole process from being a glint in someone's eye to being a fully accredited CA can take years. There are usually two reviewers, occasionally three, all of whom need to say "aye". There is some grumbling - particularly in a certain large country with more than one CA - that it takes so long, and they would like to cut corners. I am working on some IGTF stuff which should speed up the process without the corner cutting but it's a bit experimental. Other people from the afore-not-mentioned country have had related ideas and this will be tied in.
Latvia have applied for membership (I am also a reviewer here); they were previously covered by the Estonian run BalticGrid CA (which incidentally I also reviewed back in '05), but for various reasons now want one for themselves. Lithuania is still in BalticGrid with no plans otherwise.
Among the more politically interesting, we find the area known as FYROM or Macedonia, depending on who you ask, who want to join with a CA under the name of Macedonia, which made the Greeks jump. Iran is now also interested in joining and has started setting up a CA; unfortunately they find it hard to travel and even videoconferencing with them can be embargoed. I am not reviewing those two though.
Oh, and a tearful goodbye and cheerio to the old CERN CA, headed by Ian Neilson. The CA community expressed its gratitude to the CA which was one of the earliest ones. Since CAs must archive everything for at least three years, Ian is now wondering how to archive about 1TB's worth of email which is mostly spam...
Incidentally, CERN and INFN, who both have expired CAs, noticed a large number of attempted CRL downloads, which indicates that someone's systems haven't been updated. On CERN's list, at #8, was a UK site which shall remain nameless. It was an NGS site, though.
Belgium is also under new management, so to speak, which looks very promising. Till now they were very quiet and it's better that CAs make (the right kind of) noises.
Meanwhile, folk in Armenia are interested in spreading PKI to other countries in the region, the "Silk Highway". This will be based on OpenCA but is so far only a proposal. More on this if it gets funded.
That's all for now. I think next post will be internal - UK e-Science CA notes.
Oh, and about the rollover problems, I filed a bug report against CERN but I'm not confident it ended up in the right hands. Not just our headache, I counted four other CAs who are currently rolling over, with another nine starting rollover later this year. It is a bug, Grid CAs only guarantee the subject DN. More later (or on dteam).
Friday, 9 February 2007
EU PMA Version 1.12 out
Version 1.12 of the EU PMA certificates is available. Since LCG in their infinite wisdom sometimes don't tell you the content, here's what's new, with my annotations:
* Extended life time of root certificate for SlovakGrid (SK)
* Extended life time of root certificate for PolishGrid (PL)
These will cause headaches for people with NSS-based browsers, like Moz and FF, but only for people with certs from these CAs.
* Fixed SHA-1 finger print for new SiGNET CA (SI)
Possibly also this one. Not sure which fingerprint was fixed here. Could just be the one in the .info file.
* Obsoleted Russian DataGrid CA also in RPM updates (RU)
No worries - no live certs.
* Add NECTEC GOC CA (TH)
This is Thailand - it was already accredited by AP Grid PMA. Probably mostly helpful for people using the GOC Wiki - if you import it into your browser.
* Added SWITCH Personal and Server 2007 CAs, removed 2005 CAs (CH)
No problem - just servers and stuff. SWITCH hierarchy is interesting in many ways.
* Changed CRL URL of the NAREGI CA from https to http (JP)
This is good. Serving CRLs over https is asking for some systems to deadlock: to do https you need to check the CRL, and to check the CRL you need to use https. Repeat.
Next version expected around March. Share and enjoy.
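Two of the problems in these posts are visible in the per-CA .info metadata before anything goes wrong in production: a CRL that is only reachable over https (the deadlock described above) and a contact address that does not work (what the RAT exercise in the 29 September 2008 post measured). The following Python linter is an added example, not code from the blog, the IGTF or EUGridPMA. It assumes the `key = value` line layout of IGTF .info files with `;`-separated CRL URLs; the field names it requires, the fingerprint format it expects, and the two sample CAs are assumptions or constructed for the example.

```python
"""Lint IGTF-style .info files for https-only CRL URLs and unusable contact
addresses. Added example; not code from the blog, the IGTF or EUGridPMA."""
import re
from urllib.parse import urlsplit

# Assumed .info layout: "key = value" lines, '#' comments, several CRL URLs
# separated by ';'. The exact required-field set is an assumption.
REQUIRED_KEYS = ("alias", "crl_url", "email", "sha1fp.0")
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){19}[0-9A-F]{2}$", re.I)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_info(text):
    """Return {key: value}; a later duplicate key overwrites an earlier one."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed .info line: {raw!r}")
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def lint_info(text):
    """Return a list of (severity, message) findings for one .info file."""
    findings = []
    fields = parse_info(text)
    for key in REQUIRED_KEYS:
        if not fields.get(key):
            findings.append(("error", f"missing {key}"))
    crl_urls = [u.strip() for u in fields.get("crl_url", "").split(";") if u.strip()]
    # Only an error when *every* CRL URL is https: a plain-http alternative
    # lets a client fetch the CRL without first needing the CRL.
    https_only = bool(crl_urls) and all(urlsplit(u).scheme == "https" for u in crl_urls)
    for url in crl_urls:
        scheme = urlsplit(url).scheme
        if scheme == "https":
            sev = "error" if https_only else "warning"
            findings.append((sev, f"CRL served over https (revocation check can deadlock): {url}"))
        elif scheme != "http":
            findings.append(("error", f"unexpected CRL URL scheme {scheme!r}: {url}"))
    email = fields.get("email", "")
    if email and not EMAIL_RE.fullmatch(email):
        findings.append(("error", f"contact address does not look deliverable: {email}"))
    fp = fields.get("sha1fp.0", "")
    if fp and not FINGERPRINT_RE.match(fp):
        findings.append(("warning", f"sha1fp.0 is not 20 colon-separated hex bytes: {fp}"))
    return findings


# Constructed samples: CA names, URLs, addresses and fingerprint are made up.
GOOD_INFO = """\
# constructed example .info
alias = ExampleGrid-CA
url = http://ca.example.org/
ca_url = http://ca.example.org/cacert.pem
crl_url = http://ca.example.org/crl.pem;https://ca.example.org/crl.pem
email = ca-ops@example.org
status = accredited:classic
sha1fp.0 = 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
version = 1.12
"""

BAD_INFO = """\
alias = ExampleGrid-CA-2
crl_url = https://ca2.example.org/crl.pem
email = ca2.example.org
sha1fp.0 = deadbeef
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_INFO), ("bad", BAD_INFO)):
        print(name)
        for sev, msg in lint_info(text):
            print(f"  [{sev}] {msg}")
```

Run over a whole distribution directory, `lint_info` gives a quick list of which CAs would hit the https/CRL loop and which advertise an address that the RAT could not have reached in the first place; the https entry in the good sample is downgraded to a warning because a plain-http URL is listed alongside it.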