The CA Distribution Process David Groep, July 2007.

Presentation transcript:

Slide 1: The CA Distribution Process, David Groep, July 2007

Slide 2: Aim
(slide footer: 3rd TAGPMA ‘Austin’ meeting – Nov 2006; David Groep – davidg@eugridpma.org)
- Common naming for all registered CAs in the IGTF
- In a variety of formats, as suitable for our larger RPs
- Well-trusted, but backed by TACAR where available

Slide 3: IGTF Distribution and Formats
- Apart from validation via TACAR, the IGTF manages a distribution of all accredited authorities
  - formerly known as Anders’ RPM set; today also available as JKS, tar-gz, configure && make, …
  - usually built by the EUGridPMA (me, actually)
  - mirrored twice daily to the apgridpma.org site
  - copied and re-distributed by downstream vendors (EGEE/LCG, VDT, …)
  - also contains the fetch-crl utility (now at version 2.6.3)
- Download location: https://dist.eugridpma.info/distribution/

Slide 4: Implementation
(architecture diagram; only the labels are recoverable from the transcript)
- CVS repository: ssh access for committers only (YT, DG, AW, MK, MH); web access for IGTF members
- Buildhost: on the local network only, connecting to CVS and dist; PGP signing key on a USB flash drive, stored in a safe when not in use (DG)
- https://dist.eugridpma.info/: ssh only from the local network; http/https/rsync from anywhere; no other services, apache serves static content only (DG, YT)

Slide 5: Getting into CVS (EUGridPMA process)
- Supply all information specified at https://www.eugridpma.org/review/registration
  - in a secure way (F2F, or electronic: trivial with PGP, or with a designated personal cert from your existing CA for updates)
- The CVS committer (me) re-checks this information
  - like a limited version of the operational review
  - basic sanity of the root cert and the CRL URL
  - does the contact address work?
  - is the namespace defined and exclusive?
- Generate the signing_policy.conf file
  - based on the data provided by the CA
  - in some cases, the CA provides the entire EACL file
- Generate the derived.namespaces file from it
  - except where the ‘namespaces’ file is actually better, or where the signing_policy.conf syntax cannot express the policy
- Yoshio, or you, may use a different process, i.e. rely on the results of the operational review, or rely on what the CA gives you …
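The committer's checks and the signing_policy.conf to namespaces derivation described on this slide, as an added example in Python (not the EUGridPMA's own cabuild tooling). It assumes the Globus signing_policy syntax (access_id_CA / pos_rights / cond_subjects with '*' globs) and the IGTF namespaces line form TO Issuer "<dn>" PERMIT Subject "<pattern>"; the exclusivity check is a prefix heuristic rather than a full regex-overlap test, and the sample policy and registry are constructed.

```python
import shlex
# Constructed sample input: the DNs are illustrative, not a registered CA.
SAMPLE_POLICY = """\
# signing policy for the Example Grid CA (constructed)
access_id_CA      X509         '/C=XX/O=Example Grid/CN=Example Grid CA'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=XX/O=Example Grid/*" "/DC=org/DC=example/*"'
"""
# Constructed registry of namespaces already claimed by other accredited CAs.
REGISTERED = {"OtherCA": ["/C=YY/O=Other Grid/.*"]}

def parse_signing_policy(text):
    """Return (issuer_dn, [subject_globs]); reject anything but CA:sign rights."""
    issuer, globs = None, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _kind, value = line.split(None, 2)
        if key == "access_id_CA":
            issuer = shlex.split(value)[0]          # strips the single quotes
        elif key == "pos_rights" and value.strip() != "CA:sign":
            raise ValueError("unexpected rights: %s" % value.strip())
        elif key == "cond_subjects":
            # value is '"/ns1/*" "/ns2/*"': unquote twice to get the globs
            globs.extend(shlex.split(shlex.split(value)[0]))
    if issuer is None or not globs:
        raise ValueError("signing policy lacks an issuer or a subject namespace")
    return issuer, globs

def glob_to_namespace(pattern):
    """Signing-policy glob -> namespaces regex: escape '.', turn '*' into '.*'."""
    return pattern.replace(".", r"\.").replace("*", ".*")

def derive_namespaces(text):
    """One 'TO Issuer ... PERMIT Subject ...' line per namespace the CA may sign."""
    issuer, globs = parse_signing_policy(text)
    return "\n".join('TO Issuer "%s" PERMIT Subject "%s"'
                     % (issuer, glob_to_namespace(g)) for g in globs)

def overlapping(new_globs, registered):
    """Exclusivity check (prefix heuristic): nested prefixes let two CAs sign one DN."""
    clashes = []
    for g in new_globs:
        prefix = g.split("*")[0]
        for ca, patterns in registered.items():
            others = [p.split(".*")[0] for p in patterns]
            if any(prefix.startswith(o) or o.startswith(prefix) for o in others):
                clashes.append((g, ca))
    return clashes
```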

Slide 6: CVS browsing

Slide 7: Building the distribution
- See https://www.eugridpma.org/review/using-cvs
- On a dedicated buildhost, so that a CVS update will show all changes
- Review all modifications, check for sanity, and update the CHANGES file for the release
- Update the version file, build the distribution, and post it on a private web page so that everyone can comment

Slide 8: Announcements
- New releases are built in a coordinated fashion
  - pre-announcement to igtf-general
  - the version number should increase monotonically
  - every committer could build (using the documentation and the cabuild.pl script)
  - each PMA should PGP-sign the RPMs and other content, but if you just mirror you get the EUGridPMA key #3 signature
- Build and upload to the distribution site, and then:
  - the builder (DG) sends an announcement to igtf-general
  - each PMA should announce to its subscriber/RP base via its standard list (in the EUGridPMA, that’s the “announce@eugridpma.org” list)
  - downstream vendors pick up the distribution

Slide 9: A Downstream Vendor: EGEE/LCG (with my EGEE SA1 hat on …)
- EGEE/LCG relies
  - on RPM and yum/apt for distribution
  - on fetch-crl for CRL download and management
  - on SAM/SFT for site monitoring and consistency follow-up
- EGEE security and release-process coordinators are subscribed to the eugridpma-announce list
- On release, a trouble ticket is entered in the system (GGUS), which triggers:
  1. the CA liaison (me) to build the lcg-CA RPM metapackage
  2. the SAM/SFT developers to update the site functional tests
  3. the middleware integration team to upload to the pre-prod repository and test the release again
  4. when the SAM/SFT update is done, the MW release team migrates the RPMs to the public EGEE repository and announces the update to the sites
  5. all sites then have 7 (or 1) days to update; while they are not updated, the SAM/SFT tests show WARN
- After 7 (1) days the error becomes critical and the site is blocked by most VOs
- http://goc.grid.sinica.edu.tw/gocwiki/Procedure_for_new_CA_release

