-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Verify new PSC CA, April 2010 (mccreary) ]

New CA cert tarball obtained on 23Apr2010 vi email from
Derek Simmel <dsimmel@psc.edu>.  A good PGP signature for this tar file was
sent in the same email message, using a PGP key I have signed myself.  The
signature was made with this key:

pub   1024D/F2882606 2004-01-12
      Key fingerprint = EC23 8D42 69B3 3EBB 9850  F972 8575 CF80 F288 2606
uid                  Derek Simmel <dsimmel@psc.edu>
sub   2048g/DB7D9741 2004-01-12

This key has been signed by my own key:

pub   1024D/6851EF26 2006-05-03 [expire: 2011-05-02]
      Key fingerprint = F9E7 8D30 2833 70A8 611A  42C2 6231 1FE3 6851 EF26
uid                  Sean McCreary <mccreary@ucar.edu>
sub   2048g/BD594BA4 2006-05-03 [expire: 2011-05-02]

Extracted the following files from the tar file:
9b88e95b.0
9b88e95b.crl_url
9b88e95b.psc-root.cadesc
9b88e95b.signing_policy
acc06fda.0
acc06fda.crl_url
acc06fda.psc-host.cadesc
acc06fda.signing_policy
4b2783ac.0
4b2783ac.crl_url
4b2783ac.psc-myproxy.cadesc
4b2783ac.signing_policy
4b2783ac.info
4b2783ac.namespaces

Note that the *.crl_url files refer to the DER-format revocation lists.  We
require PEM-format revocation lists, so I have included the alternate URLs
for these files (i.e. I replaced http://foo/bar/XXXXXXXX.crl with 
http://foo/bar/XXXXXXXX.r0 in each file).

9b88e95b already exists in the tarball.  I've verified that the CA cert is
identical with the following differences in the signing_policy file:

openssl x509 -subject -fingerprint -sha1 -noout -in 9b88e95b.0
subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Root CA
SHA1 Fingerprint=76:14:59:94:16:2B:E2:05:C9:16:3F:85:8E:7C:70:EE:B9:DD:84:50
MD5 Fingerprint=A4:DC:F4:AB:62:B1:6B:8C:90:78:03:94:A6:8E:B9:5A

$ diff 9b88e95b.signing_policy ../certificates-/9b88e95b.signing_policy 
3c3
<  cond_subjects     globus       '"/C=US/O=Pittsburgh Supercomputing Center/*"'
- - ---
>  cond_subjects     globus       '"/C=US/O=Pittsburgh Supercomputing Center/CN=PSC Root CA" "/C=US/O=Pittsburgh Supercomputing Center/CN=PSC Hosts CA" "/C=US/O=Pittsburgh Supercomputing Center/CN=PSC Web Services CA"'

acc06fda also already exists in the tarball.  I've verified that the CA cert
and signing_policy files are identical.

openssl x509 -subject -fingerprint -sha1 -noout -in acc06fda.0 
subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC Hosts CA
SHA1 Fingerprint=6C:CD:19:F1:36:B8:49:01:C4:E4:3B:0B:56:44:9D:58:4B:89:14:88
MD5 Fingerprint=C7:76:67:51:73:EE:F3:13:FA:12:DA:CB:95:CC:2E:C1

4b2783ac is a new addition to the tarball:

openssl x509 -subject -fingerprint -sha1 -noout -in 4b2783ac.0 
subject= /C=US/O=Pittsburgh Supercomputing Center/CN=PSC MyProxy CA
SHA1 Fingerprint=F8:13:D4:7B:44:9C:4A:83:CF:E3:A5:59:37:5C:9F:F7:FA:0A:1D:66
MD5 Fingerprint=21:F7:B4:30:26:C7:49:5E:F3:56:61:D4:73:A3:32:A1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkvYfeQACgkQYjEf42hR7yaXOgCeM7u14ay4UI7Q5SJfnNCmsp4i
K+UAn2Hr9KB3ZZ+2HtOVQN/wWGgAkuSL
=BVSC
-----END PGP SIGNATURE-----
