*MACE Conference Call*
March 10, 2003
*Attendees*
Bob Morgan (chair) - Washington
Keith Hazelton - Wisconsin
Steve Worona - EDUCAUSE
Neal McBurnett - Internet2
Jim Jokl - Virginia
Steve Olshansky - Internet2
Brian Gilmore - Edinburgh
Ton Verschuren - SURFnet
Steven Carmody - Brown
David Wasley - UCOP
Ken Klingenstein - Colorado/Internet2
Mark Poepping - CMU
Scott Cantor - OSU
Renee Frost - Michigan/Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
Ken opened the meeting by announcing that the continued-development and operational-trust-services NMI proposals have now been submitted. The group discussed some details of getting started on the authZ work in the continued-development proposal. Ken noted that the proposal includes two approaches to authZ, one building authZ into the apps and the other making it a separate service. [AI] Keith will send Bob notes from the last Stanford authZ call. [AI] Mark will send Ken a note about a potential authZ collaborator in California.
The group discussed upcoming meetings:
- [AI] Ken and Renee will send out reminder notes to individuals responsible for organizing sessions at the Internet2 Spring Member Meeting. MACE agreed to add a BoF on middleware diagnostics to the Member Meeting schedule. Ken stressed the importance of the MACE working dinner on Wednesday night; the group will discuss both the Stanford-centered authZ work and European work on longer-term approaches.
- Bob noted that he's attending the upcoming IETF and the attached OpenLDAP event.
- Bob is also going to the authZ-focused Amsterdam TERENA meeting, which starts on April 14.
- Twelve papers have been selected for the Second Annual PKI Research Workshop; this leaves room for an introductory session and two or three panels. Panel topics have yet to be finalized, but likely candidates include attribute certs, SAML and other transport options, and privacy.
Bob noted that Sun has released its version of XACML and is interested in working with MACE on OpenXACML. Others are also working on open implementations of XACML. Bob suggested that the PKI Research Workshop would be a good place to evangelize OpenXACML; Ken noted that Steve Olshansky is flywheeling the OpenXACML work. Bob said that having both Java and C++ implementations for OpenSAML had been a win, and suggested that OpenXACML do likewise; Scott said he'd like to see a Python implementation also.
Work is continuing on InCommon, the future of the CREN CA, and the relationship between the two. A front-end for InCommon is in the works; an announcement is planned for the Spring Member Meeting. Jeff Schiller has stated his willingness to continue issuing certs for the successor to the CREN CA. A Higher Education CP will be needed here; [AI] Jim Jokl will schedule a HEPKI-TAG discussion of the relationship between the PKI Lite CP and the HE CP. There is concern about the use of OIDs: Jeff is worried about older applications choking on them, and schools have liability concerns. Ken stressed that the HE CP will continue to take a "relying party beware" approach. Ken noted that the Feds have joined the Liberty Alliance and are giving thought to how to bridge SAML-based federations and traditional PKI. Ton noted that SURFnet has a new root CA and is working on getting its certs into the cert stores of R&E networks internationally.
Bob and Steven Carmody discussed OCLC's approach to authZ, which they are considering adapting for Shibboleth. OCLC's system centers on the "autho", or contract number; the autho used determines the set of databases that appear on the user's screen. The librarians are also working on how to represent the contracts themselves; [AI] Ken will look further into the OCLC contract-representation work at the April 28-29 CNI meeting.
Finally, there was a short discussion of Yale's response to a recent email hoax (see http://www.yaledailynews.com/articlefunctions/Printerfriendly.asp?AID=22111 for details). Yale plans to set up a web site by which genuine messages from its officials can be verified. MACE agreed that this approach looks promising; while it wouldn't be hard to spoof the verifying web site, doing so would amount to the hoaxer leaving behind a "smoking gun".
*Action Items*
[AI] Keith will send Bob notes from the last Stanford authZ call.
[AI] Mark will send Ken a note about a potential authZ collaborator in California.
[AI] Ken and Renee will send out reminder notes to individuals responsible for organizing sessions at the Internet2 Spring Member Meeting.
[AI] Jim Jokl will schedule a HEPKI-TAG discussion of the relationship between the PKI Lite CP and the HE CP.
[AI] Ken will look further into the OCLC contract-representation work at the April 28-29 CNI meeting.