
Hi Jens,
    I missed the difference initially myself as well! I guess that we 
should remove /etc/grid-security/certificates/367b75c3.r0 manually? It 
isn't associated with any RPM after upgrading to 1.52.
Cheers,
John

On 29/01/2013 12:08, Jens Jensen wrote:
> Yes, of course - thanks, John!  The Root-2007 should still be there!!
>
> Not enough caffeine.
>
> -j
>
> On 29/01/2013 11:57, John Hill wrote:
>> We should read the file names more carefully - it's the Root files
>> which are left behind, not the CA Certificate itself.
>>
>> John
>>
>> On 29/01/2013 11:52, Jens Jensen wrote:
>>> Curious - what happens if you do (say)
>>>
>>> rpm -qf /etc/grid-security/certificates/UKeScienceCA-2007.pem
>>>
>>> ...?
>>>
>>> Cheers
>>> --jens
>>>
>>>
>>> On 29/01/2013 11:38, Alessandra Forti wrote:
>>>> Hi Jens,
>>>>
>>>> I've just upgraded and this is what's left behind in the
>>>> /etc/grid-security/certificates/ directory
>>>>
>>>> #> rpm -qa ca-policy-egi-core
>>>> ca-policy-egi-core-1.52-1.noarch
>>>>
>>>> #> ls /etc/grid-security/certificates/UKeScience*2007*
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.crl_url
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.pem
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.info
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.signing_policy
>>>> /etc/grid-security/certificates/UKeScienceRoot-2007.namespaces
>>>>
>>>> cheers
>>>> alessandra
>>>>
>>>>
>>>> On 29/01/2013 11:34, Jens Jensen wrote:
>>>>> Dropping old CA certificate (no valid certs, valid CRL)
>>>>> These files should go when you upgrade to 1.52:
>>>>> /etc/grid-security/certificates/{UKeScienceCA-2007.*,367b75c3.*,53729190.*}
>>>>>
>>>>>
>>>>> It is most important to get rid of *.pem, *.0, and *.r0
>>>>>
>>>>> We can watch the CRLs for downloads, see which IP addresses they
>>>>> come from.
>>>>>
>>>>> The main (small) risk is that sites don't remove it (for some reason)
>>>>> and get hit by the silly test for "expired" at the end of March (at
>>>>> 23:59:59 UTC).
>>>>>
>>>>> There are associated changes in UKeScienceRoot-2007.namespaces and
>>>>> UKeScienceRoot-2007.signing_policy. In addition, we changed the CRL
>>>>> download point in UKeScienceRoot-2007.crl_url. There is a slight risk
>>>>> that a bug has slipped through here, despite checking, due to some
>>>>> undocumented or non-testable "feature" in the code that uses these
>>>>> files.
>>>>>
>>>>> That's it.  Any Qs or Cs?
>>>>>
>>>>> Cheers
>>>>> --jens
>>>>>
>>>>
>>>>
>>>> --
>>>> Facts aren't facts if they come from the wrong people. (Paul Krugman)
>>>
>>>
>>>
>>>
>
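The check the thread converges on (which files under /etc/grid-security/certificates are no longer owned by any RPM after the 1.52 update, and whether the retired UKeScienceCA-2007 / 367b75c3 / 53729190 files are still present) can be scripted. This is an added example, not a script from the thread or from the ca-policy-egi-core package; the directory is assumed to be the standard one, and the fake `rpm` used by the test is constructed.

```shell
#!/bin/sh
# Added example: audit a grid CA directory after a ca-policy-egi-core update.
CERTDIR=${CERTDIR:-/etc/grid-security/certificates}

# Print every file in the directory $1 that "rpm -qf" reports as not owned
# by any installed package. Files that survived an upgrade, like the
# 367b75c3.r0 John noticed, show up here; files shipped by the new RPM
# (UKeScienceRoot-2007.*) do not.
find_orphans() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        # rpm -qf exits non-zero for "... is not owned by any package"
        if ! rpm -qf "$f" >/dev/null 2>&1; then
            printf '%s\n' "$f"
        fi
    done
}

# Flag the specific leftovers named in the thread (the CA certificate, its
# hash-named copies and CRLs). Returns 1 if any are still present, so it
# can be used as a monitoring check; returns 0 when the directory is clean.
check_stale_ca() {
    dir=$1
    rc=0
    for stem in UKeScienceCA-2007 367b75c3 53729190; do
        for f in "$dir"/"$stem".*; do
            [ -e "$f" ] || continue
            printf 'stale CA file still present: %s\n' "$f"
            rc=1
        done
    done
    return $rc
}
```

Source the file and run `find_orphans "$CERTDIR"` to list orphaned files, then `check_stale_ca "$CERTDIR"` to confirm the retired CA files are gone.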