-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ Verify new PSC CA, April 2010 (mccreary) ] New CA cert tarball obtained on 23Apr2010 vi email from Derek Simmel . A good PGP signature for this tar file was sent in the same email message, using a PGP key I have signed myself. The signature was made with this key: pub 1024D/F2882606 2004-01-12 Key fingerprint = EC23 8D42 69B3 3EBB 9850 F972 8575 CF80 F288 2606 uid Derek Simmel sub 2048g/DB7D9741 2004-01-12 This key has been signed by my own key: pub 1024D/6851EF26 2006-05-03 [expire: 2011-05-02] Key fingerprint = F9E7 8D30 2833 70A8 611A 42C2 6231 1FE3 6851 EF26 uid Sean McCreary sub 2048g/BD594BA4 2006-05-03 [expire: 2011-05-02] Extracted the following files from the tar file: 9b88e95b.0 9b88e95b.crl_url 9b88e95b.psc-root.cadesc 9b88e95b.signing_policy acc06fda.0 acc06fda.crl_url acc06fda.psc-host.cadesc acc06fda.signing_policy 4b2783ac.0 4b2783ac.crl_url 4b2783ac.psc-myproxy.cadesc 4b2783ac.signing_policy 4b2783ac.info 4b2783ac.namespaces Note that the *.crl_url files refer to the DER-format revocation lists. We require PEM-format revocation lists, so I have included the alternate URLs for these files (i.e. I replaced http://foo/bar/XXXXXXXX.crl with http://foo/bar/XXXXXXXX.r0 in each file). 9b88e95b already exists in the tarball. I've verified that the CA cert is identical with the following differences in the signing_policy file: openssl x509 -subject -fingerprint -sha1 -noout -in 9b88e95b.0 subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Root CA SHA1 Fingerprint=76:14:59:94:16:2B:E2:05:C9:16:3F:85:8E:7C:70:EE:B9:DD:84:50 MD5 Fingerprint=A4:DC:F4:AB:62:B1:6B:8C:90:78:03:94:A6:8E:B9:5A $ diff 9b88e95b.signing_policy ../certificates-/9b88e95b.signing_policy 3c3 < cond_subjects globus '"/C=US/O=Pittsburgh Supercomputing Center/*"' - - --- > cond_subjects globus '"/C=US/O=Pittsburgh Supercomputing Center/CN=PSC Root CA" "/C=US/O=Pittsburgh Supercomputing Center/CN=PSC Hosts CA" "/C=US/O=Pittsburgh Supercomputing Center/CN=PSC Web Services CA"' acc06fda also already exists in the tarball. I've verified that the CA cert and signing_policy files are identical. openssl x509 -subject -fingerprint -sha1 -noout -in acc06fda.0 subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Hosts CA SHA1 Fingerprint=6C:CD:19:F1:36:B8:49:01:C4:E4:3B:0B:56:44:9D:58:4B:89:14:88 MD5 Fingerprint=C7:76:67:51:73:EE:F3:13:FA:12:DA:CB:95:CC:2E:C1 4b2783ac is a new addition to the tarball: openssl x509 -subject -fingerprint -sha1 -noout -in 4b2783ac.0 subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA SHA1 Fingerprint=F8:13:D4:7B:44:9C:4A:83:CF:E3:A5:59:37:5C:9F:F7:FA:0A:1D:66 MD5 Fingerprint=21:F7:B4:30:26:C7:49:5E:F3:56:61:D4:73:A3:32:A1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) iEYEARECAAYFAkvYfeQACgkQYjEf42hR7yaXOgCeM7u14ay4UI7Q5SJfnNCmsp4i K+UAn2Hr9KB3ZZ+2HtOVQN/wWGgAkuSL =BVSC -----END PGP SIGNATURE-----