IGTF-Distribution-Process
advertisement
Category: technical documentation Status: DRAFT Document: 533582878 Editor: David Groep - Michael Helm Last updated: Wed, 09 March 2016 Total number of pages: 13 IGTF Distribution Process Abstract This document describes briefly the process of building and distributing the IGTF trust anchors. Table of Contents 1 2 3 4 5 6 7 Scope of this document................................................................................................................... 3 Introduction ...................................................................................................................................... 3 Where to Get the Distribution.......................................................................................................... 4 3.1 Primary distribution .................................................................................................................. 4 3.2 Other mirrors ............................................................................................................................ 4 3.3 rsync ......................................................................................................................................... 4 Distribution Components ................................................................................................................. 4 4.1 CA Information ......................................................................................................................... 4 4.1.1 CA Trust Anchor – traditional Grid components: ........................................................... 4 4.1.2 CA metadata .................................................................................................................... 4 4.2 CVS Repository ....................................................................................................................... 5 4.2.1 carep module organization .............................................................................................. 5 4.3 PGP/GPG signing key............................................................................................................. 6 4.4 Distribution Products ............................................................................................................... 6 4.4.1 Mirrors and distribution sites ........................................................................................... 6 4.4.2 Distribution contents ........................................................................................................ 6 Updating the Distribution ................................................................................................................. 8 5.1 Updating the CVS Repository ................................................................................................. 8 5.1.1 Background – Policy........................................................................................................ 8 5.1.2 Process - direct ................................................................................................................ 8 5.1.3 Process – Indirect ............................................................................................................ 9 5.2 Building the Distribution ........................................................................................................... 9 5.2.1 Check the Revision.......................................................................................................... 9 5.2.2 Commit and Tag the version ........................................................................................... 9 5.2.3 Build the Distribution products ........................................................................................ 9 5.3 Signing the distribution ..........................................................................................................10 5.4 Announcing and posting the distribution ..............................................................................10 5.4.1 Pre-releases ...................................................................................................................10 5.4.2 Released Distributions...................................................................................................10 Distribution Business Relationships .............................................................................................11 6.1 Relationship with IGTF, IGTF PMAs, and IGTF CAs ..........................................................11 6.2 Relationship with TACAR self-signed CA repository ...........................................................11 6.3 Relationship with Grid software distributions .......................................................................11 6.4 Relationship with commercial and other non-Grid CAs.......................................................11 Distribution Operations ..................................................................................................................11 7.1 Software and hardware .........................................................................................................12 7.2 Personnel - local and external (regional PMA) ....................................................................12 The European Grid Authentication Policy Management Authority in e-Science http://www.eugridpma.org/ the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 page 2/13 Dated: 09 Mar 2016 7.3 Security keys ..........................................................................................................................12 8 Security ..........................................................................................................................................12 9 References.....................................................................................................................................12 Appendix A Examples ...................................................................................................................13 A.1 Example CA metainfo and files.............................................................................................13 A.2 Content list of distributions ....................................................................................................13 the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 1 page 3/13 Dated: 09 Mar 2016 Scope of this document This document describes the current organization and operation of the IGTF Common Trust Anchor Distribution (“the Distribution”). It is closely allied with the TERENA Academic CA Repository (“TACAR”) and software distribution services such as Virtual Data Toolkit (“VDT”). Only interfaces to such organizations will be described. IGTF and each regional PMA in IGTF have their own rules and process for approving Certification Authorities (CAs) and adding them to the Distribution; this document will describe what data is needed from each CA in order to be added to the Distribution, and how the Distribution is built; but the policies and procedures for arriving at approval appear in other IGTF or regional PMA documents. This is a snapshot in time of this service. Circumstances and requirements change, and the Distribution service changes in response. This document is intended to provide useful information to operators and users of this service, but does not represent a permanent commitment to the features presented, nor a fixed specification. 2 Introduction [Cross references needed in doc] The Distribution is a collection of “trust anchors” in a variety of formats suitable for Grid relying parties. These trust anchors have completed an approval process in one of the IGTF regional policy management authorities (PMAs) resulting in “accreditation”, and a request for enrollment in the Distribution. These trust anchors consist of CA signing certificates, and other metadata associated with each CA, as described below. They are organized into sets of files and these files are served from a trusted and secure repository hosted at NIKHEF in Amsterdam, on behalf of the IGTF. The contents are mirrored at one or more sites in other locations. Distribution content and organization have been developed in consultation with some of the larger Grid organizations and relying parties. The Distribution is also collaborating with the TACAR registry (link), which provides additional organizational checks and supports the wider community of NREN and academic PKIs used in various research projects. A uniform and consistent distribution of these trust anchors is very important to the security and stability of several large scale experiments and Grid consortia (enumerate?). The Distribution began in the early days of the EDG CA Operator’s group, as a service for the EDG partners and users. An RPM-based distribution was organized by Anders Wäänänen, a table of links and contact information was provided by Sophie Nicoud, and a CRL retrieval script was contributed by Fabio Hernandez. Other Grid organizations in the US, Asia, and elsewhere in the world either adopted this RPM distribution or used it as the basis for their own repository services. As regional Grid CA PMAs were established and joined together to form the IGTF, each had the obligation to provide repository and registry services for their members. In addition, Grid middleware required additional forms of the repository – Java environments need a Java Key Store (JKS) form of the distribution. In addition to these drivers, as Grid usage expanded around the world, and world-wide collaborative projects became possible, the need for a consistent, trustable distribution of Grid trust anchors increased…. [NIKHEF and / or David Groep added and currently support these improvements as well as others.] [Formation of TAPGMA and chartering of IGTF … Boston GGF Sep 2005 …] [Perhaps this section should describe _who_ should read _what_ eg repackagers should look at <X>, committers <Y> &c] the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 3 page 4/13 Dated: 09 Mar 2016 Where to Get the Distribution [Probably this “Get the Distro” section should describe everything you need to get and install a distribution copy w/o access to the other channels – javastore password – where to monitor announcements – what else?] The structure and contents of the Distribution are discussed in detail below. 3.1 Primary distribution URL: https://dist.eugridpma.info/distribution 3.2 Other mirrors Currently http://www.apgridpma.org/distribution/igtf/ (synchronizes twice a day). 3.3 rsync rsync can be used to create a mirror (for a project or other regional PMA), and is encouraged. [what needs to be set up here] [obviously wget –r <distro-url> or some variant works too, altho slowly] 4 Distribution Components The Distribution collects information about IGTF trust anchors in a set of files. The CA information files are the basic elements of the Distribution. 4.1 CA Information Files use this naming convention: <hash>.<ext> where <hash> is the “subject name hash”, the output of this openssl command: openssl x509 –noout –in <CA signing certificate> … <ext> will be defined in each case below as needed. 4.1.1 CA Trust Anchor – traditional Grid components: <hash>.0 CA signing certificate in base-64 (“PEM”) format <hash>.signing_policy CA signing_policy file; see below 4.1.2 CA metadata 1 <hash>.info Template for the “info” file: This file must be in UNIX text file format (namely in ASCII characters with lines ending in LF or ASCII encoding 0x0a). [Should be a table?] alias [short name for CA, no spaces] url [URL for CA’s main web page] ca_url [URL for CA signing certificate on above web page] crl_url [URL for CRL on above web page] email [email address for inquiries] status:<state>:<profile type] the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 page 5/13 Dated: 09 Mar 2016 We currently have “classic”, “slcs” and “mics” as accepted profile types. All CAs in the “accredited” category of the distribution (see below) will report “accredited” status; other possible values are “experimental” and “worthless”. sha1fp.0 [SHA1 fingerprint of CA signing certificate] version Several of these fields can be generated automatically [sha1fp.0 and version; which others?] 2 CA Application Form [Maybe we could just put this in an appendix] An online version of this form can be found here: https://www.eugridpma.org/review/registration It includes some of the metadata above 3 <hash>.info file – see above CA subject name (case insensitive) in OpenSSL X509_one_line format CA signing namespace(s) in OpenSSL X509_one_line format (or see signing policy below) CA signing certificate in PEM format URL for CP/CPS on CA web site Contact information for CA manager/operator (physical address, telephone/fax numbers) crl_url file This file is optional in the submission phase, but is a required product of the distribution. It can be generated by cabuild.pl from the crl_url attribute in <hash>.info above. 4 signing_policy file This file describes the namespaces for which the CA is authoritative. It can be generated automatically from X509_one_line format [where is this defined] and should be checked by the committer (see below). 5 CA relationship information This is needed in order to encode “requires” directives and RPM dependencies [ also for YUM? For other?] for hierarchies of CAs. 4.2 CVS Repository The core of the Distribution is the management of CA information files and other components in the CVS Repository. The repository can be browsed by community members (login required) at https://cvs.eugridpma.org/cgi-bin/cvsweb.cgi/carep/. The CVS Repository is used to manage sets of files consisting of the IGTF trust anchors and associated information, and also some of the tools used to build distributions from those files. The CVS Repository should not be considered a separate form of the Distribution, or used as such. 4.2.1 carep module organization 1 Buildtools Contains scripts, text files, and some README files. 1.1 mknamespace – mknamespace generates the <hash>.namespace file from <hash>.signing_policy file 1.2 *README* - These are the text or information content source files for many of the branches of the online distribution tree (see below). 1.3 cabuild.pl This script builds the distribution. The technical description and structure of the IGTF distribution is embedded and implicit in this script. It creates the directory structure, extracts the CA information and locates it in appropriate distribution locations, stamps versions, links dependencies (RPMs), the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 page 6/13 Dated: 09 Mar 2016 copies README files and edits them for appropriate locations. It also supports the RPM signing with a PGP key. It builds the various metadata needed by RPM package managers like APT [ref] and YUM [ref]. cabuild.pl does some sanity checking on the distribution metadata. It will return errors if trust anchors or metadata are missing. It will report signing certificates that are within 180 days of expiration. 2 misc Contains some uncategorized but useful CAs not in the accredited lists. 3 Regional PMA branches Each regional PMA accredits and enrolls CAs drawn from its membership and scope of work, and each has a separate branch in the repository. The regional PMA will check in, for each enrolled CA, the CA information files (described above): the CA trust anchor and metadata files (signing certificate, info, namespace, and signing_policy files). [List 3 current branches?] 4 5 PGP/GPG public key certificate (see below) CHANGES Contents of CVS logging - record of additions, modifications, and deletions of CAs, metainfo, and distribution tools. 4.3 PGP/GPG signing key The distribution signing key is kept on a flash memory device locked in a safe in Amsterdam. Operations personnel have access to the safe and device, but not the passphrase for the private key, which is known only to the Distribution managers. The current key specification: 4.4 4.4.1 Key name “EUGridPMA Distribution Signing Key 3 <info@eugridpma.org>”. PGP keyed: 3CDBBC71. PGP fingerprint : D1 2E 92 28 22 BE 64 D5 01 46 18 8B C3 2D 99 C8 3C DB BC 71 This key can be found on the PGP keyserver network1 Distribution Products Mirrors and distribution sites [This is same as “where to get” section above – left here from my version. We could cross reference and use this spot as a description for how to make mirrors.] 1 Primary URL: https://dist.eugridpma.info/distribution 2 Other mirrors Currently http://www.apgridpma.org/distribution/igtf/ (synchronizes twice a day). 3 rsync (for mirrors) [what needs to be set up here] 4.4.2 Distribution contents The current directory tree structure of the Distribution is described below. 1 http://minsky.surfnet.nl:11371/pks/lookup?op=vindex&search=info%40eugridpma.org&fingerprint=o n for the key signatures, or http://minsky.surfnet.nl:11371/pks/lookup?op=get&search=0xC32D99C83CDBBC71 for the public key. Most PGP keyservers should provide this same key. Category: technical documentation Status: DRAFT Document: 533582878 Editor: David Groep - Michael Helm Last updated: Wed, 09 March 2016 Total number of pages: 13 1 2 3 3.1 3.2 3.3 3.4 Outdated – some very old distributions IGTF – Distributions since founding of IGTF; points to current Util – Associated utilities repodata – YUM metadata patches – patches for utilities headers - ? fetch-crl A script that downloads CRLs from each <hash>.crl_url available; plus README, sample crontab configuration. 4 5 5.1 tests – test data/distributions current – the current distribution igtf-policy-intallation-bundle* This is a collection of CA information files in a format suitable for a repackager to use. Additional CAs could be added or existing ones subtracted […explain…]. Also a signed .asc file. 5.2 igtf-preinstalled-bundle-* CA information files, sorted by profile. [For use by repackager or some other format?] 5.3 accredited.in CA alias name and profile accreditation 5.4 tgz Each CA information file set, one tar-zip file per CA. Plus a policy bundle [what is this for], listing each CA and revision number [except all rev nos are the same]. 5.5 jks – Java Key Store Organized like tgz directory, one jks per CA. JKS currently only uses the CA signing certificate, the other trust anchor and CA information files are not used. Also includes an all-classic and all-slcs bundle [what about all-everything and all-mics?]. Not signed. 5.6 5.7 headers – repodata - ? Accredited CAs CA information files are tagged with a profile_type in the status attribute (see earlier). Because each CA profile has inherently different policy and perhaps a different level of assurance, profiles are bundled separately so that relying parties would make a decision to accept a profile rather than being forced to accept them by default2. Generated by the cabuild.pl script – [how/when signed?] 4.4.2.5.7.1 RPMs There is one RPM v3 file per set of CA trust anchor + metadata files. CA policy files [description] The RPM installs the five CA information files in /etc/grid-security/certificates. The RPM contains a PGP signature for integrity/authenticity 4.4.2.5.7.2 4.4.2.5.7.3 SRPMs [source package files – installs gzipped tar balls] jks This is a set of Java Key Store files. The password is [look for this; why a password]. 4.4.2.5.7.4 tgz This is a set of CA information files in tar + gzip format. 4.4.2.5.7.5 Accredit.in A manifest. 4.4.2.5.7.6 Bundles of tar files [description]? 5.8 Experimental, worthless, distributions [use index file from web] 2 David Groep, email message 08 Aug 2007 to the TG-Security mailing list. The European Grid Authentication Policy Management Authority in e-Science http://www.eugridpma.org/ the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 Dated: 09 Mar 2016 CHANGES – Release change log GPG public key certificate Version number 5.9 5.10 5.11 5 page 8/13 Updating the Distribution Figure 1 The Distribution Update Process 5.1 Updating the CVS Repository Committers appointed by the Regional PMAs update their respective branches. The Distribution managers update the code and PGP sections as needed. Conventional CVS tools are used, remote access to the repository is managed with ssh public keys. Current information about the IGTF https://www.eugridpma.org/review/using-cvs CVS Repository can be found here: This web page has up to date information on build policies, tools, accounts, and other information related to the repository. 5.1.1 Background – Policy Each Regional PMA appoints at least one “committer” – someone who will do the actual enrollment of the regional PMA’s CAs into the distribution. The committer establishes a relationship with the manager of Distribution through PKI and/or a face to face meeting. The committer provides an ssh public key to the Distribution manager, who creates and provides a local account for CVS access via ssh for the committer. The committer uses these local shell definitions for CVS client: CVSROOT=:ext:<account>@cvs.eugridpma.org/cvs/eugridpma CVS_RSH=ssh Where <account> is the account name provided to the committer by the Distribution management. 5.1.2 Process - direct The committer will download and interact with the CA distribution module – carep – through the typical CVS commands. The committer will add CA trust anchors and metadata files, change existing files, or delete files as appropriate. The committer must only modify files in the appropriate scope of responsibility – namely, the committer must only add or modify CAs from the regional PMA that has appointed the committer. the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 page 9/13 Dated: 09 Mar 2016 The committer should be familiar enough with CVS to know how to use the appropriate add, update, commit, and logging commands in CVS. The committer should perform some sanity checks on the contents of additions or changes before committing them. The CA trust anchor and metadata information must be complete, and the signing policy and CRL_URL pointer must be correct, or the CA’s customers may not be able to interoperate with Grid users and services. [The committer should notify the Distribution manager when updates have been made.][Does the CVS process send notification to the Distrib team members or ?]. 1 Namespaces <hash>.signing_policy and <hash>.namespaces should be checked carefully. Presumably, the sponsoring PMA and the CA operator will have checked the signing_policy file for correctness, but not all errors have been caught prior to the Distribution build stage. CVS committers should use the mknamespaces utility to generate a new <hash>.namespaces file, and make sure that the results are correct. In particular, quoting of trusted paths must be done correctly [The specific problems and instructions should be stated.] 5.1.3 Process – Indirect A trusted authority for changes to the distribution (such as a regional PMA chairperson) may interact indirectly with the managers of the Distribution, or a trusted committer. This authority sends the committer a message containing the information in the “Application Form” (see above). The message should be sent in a trusted way – in a face to face meeting, or electronically with a signed PGP or S/MIME message, or notarized, or in some other fashion. The designated committer will then interact directly with the Distribution CVS Repository as above. 5.2 Building the Distribution [I cribbed most of this from the “using-cvs” page, the slides, and a few details I remember from the oral presentation] Typically, a distribution build is done on a clean, dedicated system, to minimize the possibility of errors, unwanted revisions and interactions, and other problems. 5.2.1 Check the Revision cvs update -R -A -d . in the local copy of the carep module 5.2.2 Commit and Tag the version [What is the “tagging” standard] Version numbers should increase monotonically. 5.2.3 Build the Distribution products [This needs to be explained some – why are there 2 different lines with 2 different sets of options?] cd buildtools/ ./cabuild.pl -f -s -o /tmp/dist --version=AUTO * The build tools are now in a separate directory "carep/buildtools/" and /from that directory/, you can issue a single command to build the entire thing: .../carep/buildtools$ ./cabuild.pl --gver=0.33 --release=0.test1 the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 page 10/13 Dated: 09 Mar 2016 and optionally append a "-f" option to wire the old build directory first. The result will be the complete distribution tree in "../distribution/" by default (use "-o distdir" to put it somewhere else). The status field of a CA in its <hash>.info file determines whether or not the corresponding distribution files for that CA will be built. If it belongs to a supported profile, it will be built; if its status has been changed to discontinued it will not be built [what about other status?]. 5.3 Signing the distribution The distribution is currently signed by the IGTF Distribution PGP key (see cert above). The IGTF signer is [… describe and how the key is managed.] Building a signed distribution is an additional command line option; add “--sign” above. The approved signer must know the signing pass phrase, have the device installed, and have the appropriate attributes for signing in ~/.rpmmacros [we could put the example here or in footnotes or in appendix?] [There is the intention that every committer or every PMA anyway would have its own key and resign the distribution. The RPM documents are a little confusing but the way I read them, only one signature is supported per RPM file ie a new signer replaces previous signatures.] 5.4 Announcing and posting the distribution Preliminary and test releases are built in the same fashion as final distributions. Preliminary or “release candidate” distributions are announced on the mailing list igtf-general@gridpma.org, which forwards to members of the regional PMAs. Announcements contain a proposed revision number and a proposed release date. Typically two weeks are allowed for comments and corrections. New distributions appear [how often – not quite monthly; usually more often than quarterly] and occasionally on demand, when required. Distributions are posted to the main web site (see above) with rsync. 5.4.1 Pre-releases Pre-releases like so [This needs some work] rsync -e ssh -rav --delete ~/distribution-1.14/* \ webegp@dist.eugridpma.info:/project/srv/www/site/eugridpmadist/html/distribution/tests/PMA-PRIVATE-PREVIEW/1.14-MAY23-01/ and to be sure, also on the hidden repository on the dynamic public site: rsync -e ssh -rav --delete ~/distribution-1.14/* \ webegp@www.eugridpma.org:/project/srv/www/site/eugridpma/html/distribution/tests/PMAPRIVATE-PREVIEW/1.14-MAY23-01/ but then don't announce prereleases to the public) [what is the hidden repository?] 5.4.2 Released Distributions rsync -e ssh -rav --delete \ /tmp/dist/ \ myname@dist.pmaname.info:/var/www/html/distribution/igtf/1.0/ the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 page 11/13 Dated: 09 Mar 2016 Then the symlinks in the distribution tree are updated; the "XXXX-is-current" file is re-written, and the home page is adjusted. The announcement is sent out using the default template [which is?] 6 6.1 Distribution Business Relationships Relationship with IGTF, IGTF PMAs, and IGTF CAs The Distribution fulfills the final step in IGTF accreditation. Each CA works with a regional PMA to gain accreditation by that CA. This typically requires a review of the CA, and approval of the CA by the regional PMA. Grid security and technical requirements mandate that CA information be collected together and distributed to the very large number of relying party sites. The end result of accreditation by the regional PMAs is enrollment of the CA in the IGTF Distribution, which allows the CA’s customers to interact with other members and relying parties who trust IGTF CAs. 6.2 Relationship with TACAR self-signed CA repository TACAR (http://www.tacar.org/) is a repository of Certification Authority signing certificates used in the academic and NREN communities. Typically these are self-signed root CA certificates. TACAR does not validate policy, but does check ownership of a CA, and validates the identity of the person representing the CA. This provides a trusted path for validating the CA signing certificates presented for inclusion in the IGTF distribution. The TACAR process and the IGTF process for CAs are complementary: TACAR validates the ownership and affiliation of a CA, and the identity of a CA operator, but does not evaluate CA policy for any particular purpose; IGTF evaluates and accredits CA operations for use in the Grid, but does not strongly identify operators. The TACAR repository is meant for root certificates, and does not provide the CA information files and CA metadata needed by some applications; the IGTF repository provides a complete package for each CA, and dependencies (hierarchies) as needed. TACAR provides web browser downloads of CA trust anchors, the Distribution supports Grid applications and in particular those built on typical Grid software/middleware distributions. [express as bullets?] [The intention is to make IGTF and TACAR processes as congruent as is useful to both services to maximize benefits for the overlapping communities served by both organizations. It seems important to say this, altho perhaps could be seen as out of scope or inappropriate.] 6.3 Relationship with Grid software distributions [LCG is strongly connected to this service, partly for historical reasons. VDT isn’t. Not sure how to say this nicely.] [LCG: http://goc.grid.sinica.edu.tw/gocwiki/Procedure_for_new_CA_release3 6.4 Relationship with commercial and other non-Grid CAs Currently, the Distribution does not support commercial CAs, or bridge-mesh PKIs, or other nonGrid CAs. In a few cases, Grid CAs are nodes in a hierarchy of CAs from some organization. In those cases the top level CAs and appropriate signing policy files are crafted and placed in the distribution in order to meet technical requirements of security middleware in use in the Grid. 7 Distribution Operations [I think this is overtaken by previous sections] 3 David Groep, email message 16 Aug 2007 the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 page 12/13 Dated: 09 Mar 2016 7.1 Software and hardware 7.2 Personnel - local and external (regional PMA) 7.3 Security keys 8 Security [This section should describe various issues and risks we assume.] The PGP signing key is a single point of failure. Transition to a different key, or multiple keys, or distributed signing, are not addressed at this time. Signing is localized to a particular geographic location and institution. Committers may intrude in areas outside their responsibility in the CVS repository. It is possible for committers to damage files and hence the distribution thru incorrect update and modify actions. Controls on access to CVS Repository machine and controls on changes to CVS files (CVS is not a secure service). Controls on backups. The CVS repository is currently confined to a single location (which presents a single point of failure), but a distributed solution would create an opportunity for corruption. The relationship between CA certificates enrolled in TACAR and CA certificates enrolled in the Distribution is not completely defined yet. Different software vendors have different levels of integration with the Distribution. The need to use CAs not in the IGTF accredited list is widespread; even the Distribution makes some of these unaccredited CAs available. ssh keys require some form of strong, out of band identity proofing to be trustable, and have no inherent key management features (expiration, revocation &c). The number of keys in use in this service is very small. 9 References Bailey, Edward C. Maximum RPM. Red Hat, 2000. http://www.rpm.org/max-rpm/ Florio, Licia, ed. “Policy of the TERENA Academic CA Repository (TACAR)”. http://www.tacar.org/docs/TACAR-Policy-v1.4.3.pdf Jan 2007. Groep, David. “Using the IGTF CVS Service”. https://www.eugridpma.org/review/using-cvs Groep, David. “Required data https://www.eugridpma.org/review/registration for getting into the Distribution”. Groep, David. “The CA Distribution Process”. (Powerpoint) TAGPMA, July 2007. http://www.tagpma.org/files/cabuild-process-20070716.ppt Groep, David. “TACAR Updates”. (Powerpoint) TAGPMA, July 2007 and EUGridPMA, Jan 2007. http://www.tagpma.org/files/TACAR-abingdon-20070117.ppt OpenSSL man page. http://www.openssl.org/docs/apps/openssl.html OpenSSL x509 man page. http://www.openssl.org/docs/apps/x509.html the European Grid Authentication Policy Management Authority in e-Science – http://www.eugridpma.org/ IGTF Distribution Process version 1.0 Appendix A Examples A.1 Example CA metainfo and files [pick] A.2 Content list of distributions [don’t need? Have the net] page 13/13 Dated: 09 Mar 2016
