Folks,
I bring you an update to the CP/CPS which is due to take effect on the
15th, to coincide with the planned CA upgrade.
Apologies for broadcasting this information, but it is important for
the *trust* (assured reliance) and the trustworthiness of the CA that
messages like these are communicated widely to the communities. You
wouldn't trust a CA that changed its policy or practices without
telling anyone.
Since you last saw it, the description of Personal Data has changed
slightly, because CCLRC's data protection officer has confirmed my
suspicions that photo ID is Sensitive Personal Data. (She responded
very promptly; the delay in getting the amended version out is
entirely my fault.)
The document markup does not indicate the changes, but I can do so
upon request.
Clarified that host and service certificates must contain a "useful"
email address (under Subscriber obligations).
Other notes:
I have been reliably informed that there is no such thing as UK Law.
It stays in the document though till I figure out what is an
appropriate replacement. Other things like the FOI and a few other
acts and regulations (less urgent than DPA) are planned for the next update.
Thanks in particular to Judy Beck (DPA officer), John Kewley (DL),
Paul Millar (Glasgow), and David McBride (Imperial) for interesting
and/or useful comments.
The updated version is still available at the temporary URL
http://storage.esc.rl.ac.uk/cps-1.1-1.2.pdf
------
While I have your attention, can I warn you that there is a bug in
Mozilla NSS, triggered when it sees a different encoding of the CA
root on the server side from the one on the client side. The bug is
related to
https://bugzilla.mozilla.org/show_bug.cgi?id=219980
It's a bug because the certificates are arguably the same: they have
the same keys and names etc, it's just two different encodings (to be
precise, two different signature algorithms).
The (ugly) workaround is to uninstall the root and reinstall the
(other) root, until the new root is deployed at all sites and is
installed in all browsers.
New root (PEM): http://ca.grid-support.ac.uk/cacert.pem
Old root (PEM): http://ca.grid-support.ac.uk/cacert-old.pem
New root (DER): http://ca.grid-support.ac.uk/cacert.der
Old root (DER): http://ca.grid-support.ac.uk/cacert-old.der
Everything that is based on OpenSSL, including Globus, works fine with
both encodings. The bug is specific to Mozilla's NSS (which is also
used in Firefox).
Thanks,
--jens
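
An added example, not part of the original message: shell functions using the openssl command line to check whether two root certificate files are the same CA (same subject and public key) under different signature algorithms, which is the situation described above. The function names and the demo roots (one constructed key signed once with SHA-256 and once with SHA-384) are assumptions for illustration, not the real CA's certificates or algorithms.

```shell
#!/bin/sh
# Added example: classify two PEM root certificates as identical, the same CA
# re-encoded with a different signature algorithm, or different CAs.

cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_keyhash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
cert_sigalg()  { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}'; }
cert_fprint()  { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# compare_roots A.pem B.pem -> prints one classification word
compare_roots() {
    if [ "$(cert_subject "$1")" != "$(cert_subject "$2")" ] ||
       [ "$(cert_keyhash "$1")" != "$(cert_keyhash "$2")" ]; then
        echo "different-ca"                 # name or key differs: not the same root
    elif [ "$(cert_fprint "$1")" = "$(cert_fprint "$2")" ]; then
        echo "identical"                    # byte-for-byte the same certificate
    elif [ "$(cert_sigalg "$1")" != "$(cert_sigalg "$2")" ]; then
        echo "same-ca-different-sigalg"     # the case described in the message
    else
        echo "same-ca-reissued"             # same name, key and algorithm; other fields differ
    fi
}

# Constructed sample input: one key, two self-signed roots that differ only in
# signature algorithm (plus serial and validity dates). Written to directory $1.
make_demo_roots() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 30 \
        -subj "/C=XX/O=Example Grid/CN=Example Root CA" -out "$1/root-old.pem"
    openssl req -x509 -new -key "$1/ca.key" -sha384 -days 30 \
        -subj "/C=XX/O=Example Grid/CN=Example Root CA" -out "$1/root-new.pem"
}

# Usage on real files (convert DER to PEM first with: openssl x509 -inform DER):
#   compare_roots cacert-old.pem cacert.pem
```

A result of `same-ca-different-sigalg` means OpenSSL-based software will treat either file as the trust anchor, while a client holding only the other encoding is the one to check for the NSS behaviour described above.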