*MACE conference call*
July 17, 2000
*Attendees*
Ken Klingenstein (acting chair)
Renee Frost
Paul Hill
Neal McBurnett
Steve Carmody
Ben Chinowsky (scribe)
*Discussion*
The meeting opened with two announcements about certificate policies. Russ Vaught has agreed to head the certs policy coordination effort, and Steve has found a faculty member (Garrison) at Brown who's agreed to see if he can translate the Dutch CP docs.
Ken noted that the eduPerson cover letter is done and that eduPerson v0.9 and the associated FAQ are almost done. He has found great interest in this project everywhere he has discussed it. It is not yet clear what the review process will look like -- will we have to drag comments out of people, or will we be deluged? Keith noted that it is important to be careful about the questions we ask the stakeholders -- for example, we don't want discussion of persistence and eternality of the EPPN, but we do want input on expansion of controlled attribute values. EduPerson may be given a more exact name like "eduSchema" -- "eduPerson" suggests an objectclass, but the objectclass is only part of what is being developed. EduPerson would then become one of several possible objectclasses, such as eduSecurity, making use of eduSchema.
Ken noted a conversation he'd had with Brian Carpenter about the directory-of-directories project; IBM is willing to commit their SecureWay directory service and an SP2. Ken has decided to stay with Sun/Netscape for now, and is writing a two-pager asking for more support from Sun so that the project can be expanded to see what then breaks. The dir-of-dir group has been working with Roland Hedburg and the eduPerson group. Like eduPerson, dir-of-dir has proven to be a consistent enthusiasm generator.
The Shibboleth project has now received ten surveys. It was suggested that it is important we go into the meetings with IBM with clear ideas about the kind of solution we are looking for, so as to avoid IBM offering a just-buy-our-stuff solution.
Ken noted that a group in NSF has been holding weekly H.323 calls with 8-10 participants. Keith has found a contact who can answer Ken's H.323 questions. For example, what will IDs look like? How is authn/authz envisioned? [AI] Ken will email his H.323 questions to Keith's contact. [AI] Ken will email MACE suggesting August 21 for the first MACE H.323 call. [AI] Renee will check with Bob Riddle on Polycom availability for an August H.323 call.
With respect to authorization, Ken noted that Cliff Neuman is very interested in finding a testbed for GAAAPI (Generic Authorization and Access Control Application Programming Interface). Ken has suggested he use H.323, as the H.323 people are specifically seeking to avoid doing authentication and authorization themselves. Some of the GAAAPI stuff has been packaged with the Grid security stuff, and the Grid people are very interested in I2-MI's work. The ISI implementation of GAAAPI is apparently the only one so far. As yet there is no real-time interface between roles databases and GAAAPI, but as GAAAPI matures it may be worthwhile to build such an interface. Bob Blakely is pursuing a different API-oriented approach; MIT is doing directory-and-registry-oriented authorization work; a faculty member at George Mason is publishing lots of stuff on role-based access control. Jonathan Smith is proposing Keynote-oriented work on authorization. Neal requested information on getting Kerberos to work with Win2000; [AI] Ken will send Neal some items relevant to Kerberos/Win2000 interoperability. Paul is working on getting permission from Microsoft to post some of their white papers that bear on this.
Five or six universities are now working to expand their information infrastructures to encompass their medical schools, and they want help. It is not clear whether MACE-Med will consist more of main-campus IT people or more of medical-campus IT people. The CORBA people are getting interested in seeing how their stuff maps on to core middleware. [AI] Ken will send Michael's CORBA/I2-MI mapping slides (from the SURA meeting) to Keith. Renee noted that Jack Buchanan's medical-middleware document will be available soon.
Next was a review of recent and upcoming meetings. Jeff Schiller will be on the Wednesday HEPKI-TAG call to give his views on topics discussed at the recent CREN board meeting. The board has decided not (for now, anyway) to add dc= naming to the CREN root. Jeff has suggested that CREN start to offer server-side certs; the board was enthusiastic but this is not yet a done deal. In Federal PKI work, Rich Guida is going to Microsoft to see if he can change their approach to accepting trusted roots from the public sector. The JA-SIG meeting had 150 people representing 70 universities; they discussed authorization among other issues. Steve noted that the JA-SIG software appears to be configurable to work well with existing Web ACLs (Andy has done work with this), and looks to be Shibboleth-compatible. Heather Boyles is going to INET 2000 in Yokohama, and will see if there is interest in having I2-MI sessions at the January Joint Techs meeting, which is cosponsored by APAN.
Finally there was a discussion of the recently formed EDUCAUSE system-security task force. This group's focus is on network host security bug fixes -- is MACE involvement required? Ken suggested taking a policy angle; for example, is it legal to probe privately-owned machines on campus? Steve noted the importance of identifying what vulnerabilities (such as physical access to machines) are most important, of users taking a more active role in ensuring security, and of balancing privacy and security; [AI] Ken will add Steve's suggestions to MACE's list of security concerns.
The next regularly scheduled MACE call will be on Monday, July 31, at 8:30pm GMT = 4:30pm EDT = 1:30pm PDT.
*Action Items*
[AI] Ken will email his H.323 questions to Keith's contact.
[AI] Ken will email MACE suggesting August 21 for the first MACE H.323 call.
[AI] Renee will check with Bob Riddle on Polycom availability for an August H.323 call.
[AI] Ken will send Neal some items relevant to Kerberos/Win2000 interoperability.
[AI] Ken will send Michael's CORBA/I2-MI mapping slides (from the SURA meeting) to Keith.
[AI] Ken will add Steve's suggestions to MACE's list of security concerns.