We have updated Section 3.1 (Naming) of the CILogon OpenID CA Certificate Policy and Practice Statement (CP/CPS). Now certificate subjects include the subject's name, as provided by the OpenID Provider, rather than the OpenID Identifier URL. Also, the CILogon OpenID CA will now include email addresses in certificate subject alternative names.

Today's announcement of the IGTF 1.38 distribution marks the final step in the accreditation of the CILogon Silver CA by the International Grid Trust Federation (IGTF). This follows the approval in October of the CILogon Silver CA Policy by The Americas Grid Policy Management Authority (TAGPMA). The CILogon Silver CA relies on campus authentication that satisfies the InCommon Silver Identity Assurance Profile, so it will not be fully operational until the first InCommon campuses are accredited at the Silver level under the InCommon Identity Assurance program. To serve researchers from campuses that are not (yet) at the InCommon Silver level, CILogon also operates Basic and OpenID CAs at https://cilogon.org.

We are changing the hash algorithm (i.e., message digest algorithm) that the CILogon CAs use when signing certificates from SHA-1 to SHA-256, per NIST recommendations. The Open Science Grid provides hash algorithm compatibility information. If this change causes any problems for your applications, please contact help@cilogon.org.

New versions of the CILogon Silver, Basic, and OpenID CA Certificate Policy and Certification Practice Statement (CP/CPS) documents are now available. The new policies allow for CA generation of subscriber private keys in cases where it eases the subscriber enrollment process. We believe this update will enable significant improvements to the usability and compatibility of the CILogon Service (https://cilogon.org). This policy change has been discussed in TAGPMA and EUGridPMA. For more details, see our TAGPMA wiki page on the topic.

The Americas Grid Policy Management Authority (TAGPMA) today voted to accredit the CILogon Silver CA Policy under the Member Integrated Credential Services (MICS) Profile, allowing the CA to issue certificates valid for up to 13 months. This accreditation is a step forward for certificates from https://cilogon.org being accepted by members of the International Grid Trust Federation (IGTF) including TeraGrid, Open Science Grid (OSG), European Grid Infrastructure (EGI), and Worldwide LHC Computing Grid (WLCG). Following an operational review by TAGPMA, the CILogon Silver CA will achieve "accredited" status in the IGTF Trust Anchor Distribution. The CILogon Silver CA relies on campus authentication that satisfies the InCommon Silver Identity Assurance Profile, so it will not be fully operational until the first InCommon campuses are accredited at the Silver level under the InCommon Identity Assurance program. To serve researchers from campuses that are not (yet) at the InCommon Silver level, CILogon also operates Basic and OpenID CAs at https://cilogon.org.

The International Grid Trust Federation CA distribution version 1.37, released today, includes the self-signed CILogon Silver, Basic, and OpenID CA certificates (and associated configuration files) in the "experimental" area. This provides to relying parties a trusted distribution path for the CILogon CA's self-signed certificates, which are also available directly from the CILogon CA web site (http://ca.cilogon.org/). Note that this does not imply that the CILogon CAs have been accredited by IGTF. Only CAs included in the "accredited" area of the distribution have completed the IGTF accreditation process, not those in the "experimental" area where the CILogon CA certificates can currently be found. The CILogon Silver CA is under review by the TAGPMA for IGTF accreditation. The next opportunity for a TAGPMA accreditation vote for the CILogon Silver CA is the upcoming TAGPMA Face-to-Face Meeting October 4-7 in Lubbock, Texas.

The CILogon CA operators have completed installation of the CA servers in the CITES data center. The CILogon Service at https://cilogon.org has returned to operation.

The CILogon CA servers are now moving from our development machine room at NCSA to the production CITES machine room, as another step toward production operation. System outages should be expected today (Thursday, July 22) and tomorrow (Friday, July 23) during the move.

On Friday, June 4 2010, CILogon Policy Management Authority members and operations staff met to generate CA private keys according to policy. This is an important milestone towards production operation. The CA private keys are stored in SafeNet Luna SA hardware security modules (HSMs) certified at FIPS 140-2 Level 3.

The Certification Authorities for the CILogon Service are under construction. The CA web site is live at http://ca.cilogon.org/. We have drafted the initial policy (CP/CPS) documents. The Silver Policy is under review by TAGPMA. To keep up-to-date with CILogon CA news, subscribe to the news feed at http://feeds.feedburner.com/cilogon-ca. We will post status updates on CA construction to this news feed. Once the CAs are operational, we will use this news feed for posting operational information (such as announcements of service outages and policy updates). If you have any comments, please contact us.