Dear OGF colleagues, You may or may not have noticed, but we have put in new high-grade commercial certificates from DigiCert to handle the https portions of access to the forge and www portions of the Open Grid Forum web presence. Using secure access allows us to protect your login credentials when you access the user account-protected portions of our collaborative tools. It also allows you to be sure you are fetching material from our site, and not an impostor, when you access our code repositories and other download features, helping to prevent the potential for OGF features to become an inadvertent vector for transmission of malware or infected code. The web site certificates should resolve and validate in all modern browsers. If you are curious, you can click on the certificate icon in the lower right-hand corner of any protected pages to see the steps used to verify us. This means that you can delete any previously saved self-signed certificates for OGF if you want to (although leaving them in should be harmless). We are working on documenting needed steps for allowing you to trust the new certificates in command-line and graphical code client tools for accessing the code repositories. These vary by client, and some have various settings for enabling automatic validation via the usual "trusted CA" stores. For now, until we have all of the details to share with you, there is an easy way to decide whether to add the site certificate for GridForge to your locally trusted list: simply visit https://forge.org.org in your browser and use your browser's inspection tools - typically accessed by clicking on the icon that indicates a trusted https site - to inspect the certificate and take note of its fingerprint. This should match the one being presented when you access the repository. An example for command-line subversion access is given at the end of this message. (It is possible to avoid this message by making certain settings in your ~/.subversion/servers file, but this illustrates nicely how to check a fingerprint.) We hope this helps to improve the security of your access to the OGF tools. As a reminder, we are looking for volunteers to work with those who have stepped forward so far to join an effort to improve the range and type of tools used to support the IT needs of the OGF community. If you are interested in helping, please send a message to Joel Replogle, myself or Andre Merzky, who is leading this effort. Thanks to DigiCert for providing the new EV certs, and we welcome them to the Silver sponsorship level for OGF. Alan Alan Sill, Ph.D Senior Scientist, High Performance Computing Center Adjunct Professor of Physics, TTU Vice President of Standards, Open Grid Forum ==================================================================== : Alan Sill, Texas Tech University Office: Drane 162, MS 4-1167 : : e-mail: Alan.Sill@ttu.edu ph. 806-834-5940 fax 806-834-4358 : ==================================================================== Example with svn command line: $ svn checkout --username (your-user-name-here) https://forge.ogf.org/svn/repos/(your-work-group-here) Error validating server certificate for 'https://forge.ogf.org:443': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! Certificate information: - Hostname: forge.ogf.org - Valid: from Thu, 02 Feb 2012 06:00:00 GMT until Thu, 06 Feb 2014 18:00:00 GMT - Issuer: www.digicert.com, DigiCert Inc, US - Fingerprint: (It should put out a fingerprint here.) (R)eject, accept (t)emporarily or accept (p)ermanently? (Compare the fingerprint in the output to the one listed for SHA1 in the OGF GridForge certificate. If they match, it should be OK to accept the certificate in your client.)