igtf-policy-bundle for Debian ----------------------------- The IGTF trust anchors are by default installed in /etc/grid-security/certificates; this location is the common standard for many pieces of grid middleware. However, in Debian this location would make these files into conffiles which have a different status than normal files, and therefore they are installed under /usr/share/igtf-policy instead and symlinked to /etc/grid-security/certificates on configuration. Profiles ======== Each CA certificate falls in on of three 'profiles' to distinguish different policies under which these CAs operate. For more information see http://www.eugridpma.org/guidelines/. - Classic - MICS (Member Integrated Certificate Service) - SLCS (Short Lived Credential Service) - IOTA (identifier-only trust anchors) The packages are split according to these profiles, so it is very easy to install just the classic profile. Use as grid trust anchors ========================= By default, all of the certificates in the profile are installed in /etc/grid-security/certificates, but it is possible to reconfigure this with dpkg-reconfigure igf-policy-classic or setting values in a debconf selection file. The configuration offers two choices: 1. Install all certificates save explicit exceptions 2. Install only selected certificates The use of fetch-crl ==================== The use of fetch-crl is highly recommended. This tool will download the certificate revocation lists for each CA and store it in PEM format alongside the certificate files. However, the default configuration on Debian for fetch-crl (currently v3.0.11) is to ignore CAs which are only installed as symbolic links. Since the igtf-policy packages strictly use symbolic links, this setting needs to be changed in /etc/fetch-crl.conf: change 'nosymlinks' to 'symlinks'. Unaccredited and experimental CAs ================================= The packages igtf-policy-unaccredited contain only CAs that are not yet or no longer accredited. Their use is not recommended, please be very careful to review before trusting any CA in this set. The package igtf-policy-experimental contain CAs that may have use in a limited context, e.g. for testing purposes, but offer no guarantees in terms of reliability. Do not install this package unless you know what you are doing. -- Dennis van Dok , Tue, 28 Nov 2017 17:17:21 +0100