==============================================================================
Welcome to the Trust Anchor Distribution of the                    v20091026-1
International Grid Trust Federation                                       IGTF
==============================================================================

The International Grid Trust Federation (IGTF) maintains a list of trust
anchors, root certificates and related meta-information for all the
accredited authorities, i.e., those that meet or exceed the criteria
mentioned in the Authentication Profiles accepted by the IGTF. For a list
of those profiles, please refer to the web site

  http://www.igtf.net/

This site contains the Common IGTF Distribution, including the certificates,
certificate revocation list (CRL) locations, contact information, and
signing policies.

The Distribution is periodically updated to reflect changes in the trust
fabric, and Relying Parties of the IGTF are advised to keep the list of
installed trust anchors up to date. Changes to the trust fabric are
announced via the constituent PMAs and via the EUGridPMA Newsletter. This
newsletter carries IGTF information intended for relying parties. For
information about the newsletter and how to subscribe, refer to the
EUGridPMA web site at

  https://www.eugridpma.org/

------------------------------------------------------------------------------
What is contained in the IGTF Trust Anchor Distribution
------------------------------------------------------------------------------

*** All Accredited Authority trust anchors are contained below the
    "accredited/" folder in the distribution web site. That is, ONLY data
    retrieved from

      https://dist.eugridpma.info/distribution/current/accredited/

    and further down the tree is guaranteed to be related solely to
    accredited authorities.

*** The Policy Installation Bundle at the top-level directory can be used
    to support a conventional "./configure && make install" style
    installation, but users MUST be aware that the --with-profile option is
    mandatory, and it allows installation of experimental or worthless
    authorities when so instructed by the installer.

*** ONLY CAs IN THE "accredited/" DIRECTORY and THE CAs INSTALLED USING THE
    ca_policy_igtf-classic--1.noarch.rpm ARE ACCREDITED

    Do *not* install certificates from the "worthless/" or "experimental/"
    directories, except if you yourself review and accept their policy and
    practice statement. The EUGridPMA provides these certificates in this
    format for your convenience only, and to allow graceful changeover for
    legacy installations.

*** All individual CA packages, as well as the bundles, have the same
    (common) version number and release.

------------------------------------------------------------------------------
Distribution formats
------------------------------------------------------------------------------

* the distribution contains RPMs and tar-balls of each accredited
  authority, as well as meta-RPMs that depend on the RPMs of those
  accredited.

* the tar "bundle" can be used to install the authorities in a local trust
  anchor directory using the "./configure && make install" process:

    igtf-policy-installation-bundle-.tar.gz

* the accredited directory contains tar-balls for all "classic", "mics",
  and "slcs" accredited CAs:

    igtf-preinstalled-bundle-classic-.tar.gz
    igtf-preinstalled-bundle-slcs-.tar.gz
    igtf-preinstalled-bundle-mics-.tar.gz

  also a symbolic link without the identifier is available.

* those CAs whose key-length is less than or equal to 2048 bits are also
  available in a Java KeyStore (JKS), whose password is "" (empty string).
  There is both a JKS for each individual CA, as well as a
  "igtf-policy-accredited-classic-.jks" in the "accredited/jks/"
  sub-directory (also for -slcs and -mics).

------------------------------------------------------------------------------
APT and Yum
------------------------------------------------------------------------------

The repository is suitable for "yum" based automatic updates, by adding to
the yum.conf file or to the /etc/yum.repos.d/ directory a file containing:

  [eugridpma]
  name=EUGridPMA
  baseurl=http://dist.eugridpma.info/distribution/igtf/current/
  gpgcheck=1
  gpgkey=https://dist.eugridpma.info/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3

or the equivalent baseurl for the APGridPMA hosted mirror site at

  http://www.apgridpma.org/distribution/igtf/current/

Also "apt" is supported for RPM installation. For details, see

  https://dist.eugridpma.info/distribution/igtf/current/apt/README.txt

Large deployment projects are kindly requested to mirror these directories
in their own distribution repositories.

------------------------------------------------------------------------------
RPM GPG signing
------------------------------------------------------------------------------

This RPM distribution is distributed with GPG-signed RPMs. The key (with ID
3CDBBC71) has been uploaded to the public key servers, along with the
signature of the EUGridPMA Chair (keyID 6F318418). The key is also contained
in the repository. You will need this key if you enable GPG checking for
automatic updates in "yum" or "apt".

Please remember to validate this distribution against the TERENA TACAR
trusted repository (https://www.tacar.org/) where possible.
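
As an added example (not part of the IGTF distribution), the following shell function audits a yum repository stanza like the one in the "APT and Yum" section for the settings that make the GPG-signed RPMs meaningful: signature checking enabled and a key location given. The function name, the finding labels and the second sample file with checking switched off are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one stanza of a yum .repo file (not IGTF code).
# audit_repo FILE SECTION -> one finding label per line, or "ok".
audit_repo() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); insec = ($0 == want); if (insec) found = 1; next }
        !insec || /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            val[k] = v
        }
        END {
            if (!found) { print "section-missing"; exit }
            n = 0
            if (val["gpgcheck"] != "1") { print "gpgcheck-disabled"; n++ }
            if (val["gpgkey"] == "") { print "gpgkey-missing"; n++ }
            else if (val["gpgkey"] !~ /^(https|file):\/\//) { print "gpgkey-over-plain-transport"; n++ }
            # Packages fetched over plain http are only protected by the signature check.
            if (val["baseurl"] ~ /^http:\/\// && val["gpgcheck"] != "1") { print "http-baseurl-unsigned"; n++ }
            if (n == 0) print "ok"
        }
    ' "$1"
}

# Constructed sample files: the stanza from this README, and a weakened copy.
tmp=$(mktemp -d)
cat > "$tmp/good.repo" <<'EOF'
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=1
gpgkey=https://dist.eugridpma.info/distribution/igtf/current/GPG-KEY-EUGridPMA-RPM-3
EOF
cat > "$tmp/weak.repo" <<'EOF'
[eugridpma]
name=EUGridPMA
baseurl=http://dist.eugridpma.info/distribution/igtf/current/
gpgcheck=0
EOF
echo "good.repo: $(audit_repo "$tmp/good.repo" eugridpma | tr '\n' ' ')"
echo "weak.repo: $(audit_repo "$tmp/weak.repo" eugridpma | tr '\n' ' ')"
```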