*MACE conference call*
July 3, 2000
*Attendees*
Bob Morgan (chair)
Michael Gettes
Mark Poepping
Steve Carmody
Keith Hazelton
Paul Hill
Ken Klingenstein
Ben Chinowsky (scribe)
*Discussion*
The meeting opened with a discussion of issues raised by the recent meeting of the CREN pilot schools. Michael was at the meeting; he noted that the pilot schools had agreed to use both o= and dc= naming in their certs, putting both in a single subject field. Computers will mostly use the dc= naming and humans will mostly use the o= naming; putting both in a single field doesn't seem to break anything. Ken noted that this is different from the Europeans' plans: they want to do one or the other and bridge between the two with a gateway. There was a short discussion of various possible problems with the single-field solution.
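As an added illustration of the two approaches just described (not code from MACE, CREN or the pilot schools), the block below parses string-form subject DNs, reads the dc= chain as the machine-oriented DNS name and the o=/ou= components as the human-oriented name, checks that the two halves of a mixed subject agree, and shows the gateway alternative as a table-driven rewrite from o= naming to dc= naming. The sample DNs and the organization-to-domain table are constructed for the example; it handles only the RFC 4514 escaping it needs (backslash-comma) and not multi-valued RDNs.

```python
"""Working with subject DNs that carry both o= and dc= naming.

Added example for these minutes; not code from MACE, CREN or Internet2.
Assumes RFC 4514-style string DNs (most specific RDN first). The sample
DNs and ORG_TO_DOMAIN table are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

RDNList = List[Tuple[str, str]]

# Split on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn: str) -> RDNList:
    """Parse a string DN into [(attribute type, value), ...].

    Attribute types are lower-cased; only backslash-comma escaping is
    undone, and multi-valued RDNs (a=1+b=2) are not supported.
    """
    rdns: RDNList = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition('=')
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return rdns


def _escape(value: str) -> str:
    return value.replace(',', '\\,')


def format_dn(rdns: RDNList) -> str:
    """Serialize back to a string DN, escaping commas inside values."""
    return ','.join(t + '=' + _escape(v) for t, v in rdns)


def dc_domain(rdns: RDNList) -> Optional[str]:
    """Machine-oriented view: the dc= chain read as a DNS domain name."""
    labels = [v for t, v in rdns if t == 'dc']
    return '.'.join(labels) if labels else None


def org_name(rdns: RDNList) -> Optional[str]:
    """Human-oriented view: ou= and o= components, most specific first."""
    parts = [v for t, v in rdns if t in ('ou', 'o')]
    return ', '.join(parts) if parts else None


# Constructed mapping used both to check a mixed subject and to act as
# the "gateway" that bridges o= naming to dc= naming.
ORG_TO_DOMAIN: Dict[str, Tuple[str, ...]] = {
    'example university': ('example', 'edu'),
}


def names_agree(rdns: RDNList, table: Dict[str, Tuple[str, ...]] = ORG_TO_DOMAIN) -> bool:
    """For a subject carrying both forms, check that o= and dc= name the
    same organization. A mismatch means a relying party that reads only
    one half of the subject would bind the cert to a different org than
    one reading the other half."""
    orgs = [v.lower() for t, v in rdns if t == 'o']
    labels = tuple(v.lower() for t, v in rdns if t == 'dc')
    if not orgs or not labels:
        return True  # only one naming form present: nothing to compare
    return all(table.get(o) == labels for o in orgs)


def to_dc_naming(rdns: RDNList, table: Dict[str, Tuple[str, ...]] = ORG_TO_DOMAIN) -> RDNList:
    """Gateway rewrite: replace o= with the dc= chain from the table and
    drop any dc= already present, keeping the more specific RDNs intact."""
    out: RDNList = []
    for t, v in rdns:
        if t == 'o':
            labels = table.get(v.lower())
            if labels is None:
                raise KeyError("no domain mapping for organization %r" % v)
            out.extend(('dc', label) for label in labels)
        elif t != 'dc':
            out.append((t, v))
    return out


if __name__ == '__main__':
    mixed = parse_dn("cn=Jane Doe,ou=Physics,o=Example University,dc=example,dc=edu")
    print("machine name:", dc_domain(mixed))   # example.edu
    print("human name:  ", org_name(mixed))    # Physics, Example University
    print("halves agree:", names_agree(mixed))
    print("bridged:     ", format_dn(to_dc_naming(parse_dn("cn=Jane Doe,o=Example University"))))
```

The single-field approach needs no table at all, which is its attraction; `names_agree` is the check that keeps the two halves from drifting apart at issuance. The gateway approach concentrates that same knowledge in `ORG_TO_DOMAIN`, so a missing or stale entry there is where its failures will surface.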
This led to a long discussion of certificate-profiles issues. Keith noted that it looks like common schema is the "third road" between just-do-it-my-way vendor solutions and a free-for-all, and with this in mind suggested the development of a family of cert profiles. While it was agreed that junk certs and per-app certs have their uses, there was also general agreement that a high degree of standardization would be very helpful in this area. Ken noted that the Feds claim to be moving to a single profile for all uses. Also, HEPKI-TAG is collecting profiles (posted to www.internet2.edu/middleware/certprofiles); they are going to examine these closely to find the rationale for the differences, with the aim of boiling these cert profiles down to not one but a small number of standard profiles. In particular, Ken remarked, a profile with a pseudonym and URL has enough value that we should embrace it rather than remaining pure.
Vendors seem to be moving toward promoting their own solutions, and away from putting much work into standardization efforts. Keith suggested that MACE take its proposed standards to the vendors, with a pitch along the lines of "talk to us or let natural selection do its work". There was general agreement that it would be good to ask the vendors some pointed questions; the Internet2 fall member meeting and the NAC were mentioned as possible forums. Net@EDU and fPKI are both moving in the direction of proposing ways to fit everything together; it is important to work with them on this. It was agreed that a central BP doc is needed in this area; this could incorporate the LDAP recipe. MACE acknowledged that the cert profiles work belongs to TAG and PAG.
Keith and Bob have spent some time working on a draft certs user's guide for NAC. This is a difficult project. [AI] Keith will send a draft of the certs user's guide to the MACE list.
Authorization seems to be growing in importance. There are several dozen related proposals awaiting consideration by the NSF. Authorization for mobile applications is gaining mindshare over authorization more generally. Most H.323 people consider neither authentication nor authorization to be part of their realm. Bob noted that the IRTF authorization group appears to think that authorization means talking to a Radius server; like others, they are giving central importance to wireless. This led to a more general discussion of the goals of MACE with respect to authorization. At Wisconsin, Keith Hazelton and Eric Norman are planning a project that includes work on an authorization language; [AI] Keith will pass authorization info from today's call on to Eric.
Ken reported on discussions he had recently while in Europe. DANTE is using a nameflow very similar to that used by the dir-of-dir project; dir-of-dir is attracting interest from Roland, Falkenberg and Geetz, as well as from IBM. The eduPerson work found lots of resonance among the Europeans -- they are particularly interested in the privacy aspect. With respect to policy servers, some of the Europeans object to OSCAR because it's not truly open source. There is interest in DTD tags for automatic processing. Overall the Europeans seemed very interested in I2-MI's work and will maintain close contact. Upcoming events in Europe include a CAs meeting in France, and TERENA next May in Turkey.
There was a discussion of Mine's proposed changes to the CREN root cert. PKIX part 1 is broken with respect to the key usage extension's "criticality" flag. The Feds and CREN have also been discussing approaches to this problem. It was agreed that TAG is the right venue for this discussion, and that TAG should produce an authoritative answer to this question, bringing in additional participants as necessary to accomplish this. Michael noted that the CREN meeting had decided that TAG and PAG will act as advisory groups to the CREN CA. Generalizing, Ken noted that it appears HEPKI is gaining authority within CREN and EDUCAUSE: "if we had a story to tell, everybody would listen".
Next was a review of progress toward eduPerson 0.9. It was suggested that feedback from registrars and other eduPerson stakeholders be postponed until after 0.9 is released, and there were no objections. The Internet2 Fall Member Meeting (October 30 - November 3) is the target for release of 1.0. Plans differed with respect to deploying 0.9; while most plan to wait for 1.0, Steve and Keith plan to use 0.9 on their campuses. There are concerns about the danger of people building applications on top of 0.9 and then having to change them later. There was a discussion of allowed values for the "affiliation" attribute; no "other" value was included, so people who are not described by one of the three available values (student, faculty, staff) will have a null in this field. Campuses are encouraged to extend this list of values as best fits their needs. [AI] Ken will draft a letter announcing eduPerson, along with an initial draft of a review schedule listing stakeholders, proposed interactions with them, and where to send comments. [AI] Keith will talk to Krystal about getting the eduPerson web site cleaned up and the LDAP recipe added. There was a short discussion of possible obstacles to internationalization of the eduPerson schema. It was suggested that the schema be put forward as a superclass, with parallel efforts in other countries encouraged to subclass from it. The US version could be one subclass among many others; the current attributes are not US-centric. [AI] Keith will put the issue of internationalization into the review schedule, and add Ken to the agenda for the eduPerson next-steps discussion.
Finally, Paul noted that there is a Microsoft security conference coming up on July 27th and 28th, but that they have only a few committed speakers so far.
In accordance with the regular schedule, the next MACE call will be Monday, July 17 at 8:30pm GMT = 4:30pm EDT = 1:30pm PDT. As Bob will be on vacation, Ken will chair.
*Action Items*
[AI] Keith will send a draft of the certs user's guide to the MACE list.
[AI] Keith will pass authorization info from today's call on to Eric.
[AI] Ken will draft a letter announcing eduPerson, along with an initial draft of a review schedule listing stakeholders, proposed interactions with them, and where to send comments.
[AI] Keith will talk to Krystal about getting the eduPerson web site cleaned up and the LDAP recipe added.
[AI] Keith will put the issue of internationalization into the review schedule, and add Ken to the agenda for the eduPerson next-steps discussion.