*MACE Conference Call*
March 24, 2003
*Attendees*
- Bob Morgan (chair) - Washington
- Ken Klingenstein - Colorado/Internet2
- Steve Worona - EDUCAUSE
- Steven Carmody - Brown
- Jim Jokl - Virginia
- Scott Cantor - OSU
- Neal McBurnett - Internet2
- David Wasley - UCOP
- Ben Chinowsky (scribe) - Internet2
*Discussion*
The meeting opened with a review of developments at the San Francisco IETF and other recent meetings.
At IETF:
- Leadership changes: Russ Housley is replacing Jeff Schiller as security area codirector; Steven Bellovin remains as the other codirector. Patrik Fältström, formerly one of the apps area codirectors, has moved onto the IAB.
- PKIX discussed two approaches to searching for certs in LDAP directories: a "high-infrastructure" approach, called Component Matching, and a "low-infrastructure" approach called Attribute Extraction. The PKIX chairs are pushing for standardization on one or the other of these approaches, and seem to favor the former, as does Bob. David Chadwick provided a detailed overview of this issue in mail sent to the MACE-Dir list on March 22.
- There was much interest and activity around security at the network access level, and particularly around 802.11 access methods. Bob noted that the latest NMI proposals talk about doing work in this area, and suggested that MACE talk to Bob Moskowitz to get some ideas about how to proceed. Work in this area is being driven by commercial ISPs, but it is nonetheless important to Internet2 institutions, which themselves function as service providers to a very considerable extent.
- Security and privacy more generally were also much discussed in San Francisco. The IM-over-SIP group is considering using S/MIME, despite a warning from the S/MIME chair against doing so; Bob noted that "it's still a question whether including it would take over the world or just be turned off by all the users." Matt Blaze and John Morris are working on a comprehensive review of privacy considerations and protocols, and are soliciting comments; see their slides at http://www.crypto.com/talks/ietf56-privacy.pdf.
- The Chandler group is making progress; they see universities as a likely focus for early deployments and are interested in getting more information from MACE about expected deployment patterns within the Internet2 community. Access control work is still in the early stages, and Chandler is still looking for a security lead. The calendaring standards picture is still murky, and there has been some discussion of creating a Chandler-specific protocol.
About 20 people turned out for the OpenLDAP developers' meeting immediately following IETF. Bob noted that "amazingly detailed work" has been done on analyzing OpenLDAP for performance improvements, with some results already evident in the current version. Bob's main interest in attending this meeting was in fixing OpenLDAP access control, which currently requires the server to be restarted in order for changes to take effect. Leif Johansson suggested that OpenLDAP resolve this by not using the directory to hold its own authZ information; he advocates instead creating an abstraction layer for authZ decisions. Proceedings are at http://www.openldap.org/conf/odd-sfo-2003/proceedings.html.
The Tokyo GGF meeting had about 700 attendees, primarily newcomers. IPR issues were much discussed; it's not clear what the open-source/RAND balance will be for technologies coming out of GGF. The next GGF is June 25-27 in Seattle.
Ken discussed current trust-provider issues. In Europe, PKI developers are making a new push to gather root CAs from various countries; there is growing interest in using a bridge CA to tie the various European PKIs together. The Swedes expect to see significant deployment in university administrations over the next year. Further discussion is needed of plans for European PKIs and InCommon, and how they might fit together; Ken will explore this with NPPAC later this week. Ken noted that Liberty's "circles of trust" approach looks more like authentication domains than federated security; Scott agreed, noting that Liberty sees identity providers as the linchpin of trust, with each provider creating its own circle of trust.
Finally, David Wasley observed that the TEACH Act's extension of fair-use rights for material used in distance education creates uses for Shibboleth, as when access to web video needs to be restricted only to students in a particular class. David also noted that the DRM community appears to be increasingly split between those who favor technological constraints on the use of content, on the one hand, and "Creative Commons types" on the other.