*MACE Conference Call*
April 7, 2003
*Attendees*
Bob Morgan (chair) - Washington
Michael Gettes - Duke
Keith Hazelton - Wisconsin
Jim Jokl - Virginia
Scott Cantor - OSU
Ken Klingenstein - Colorado/Internet2
Steve Worona - EDUCAUSE
Ton Verschuren - SURFnet
Ben Chinowsky (scribe) - Internet2
*Discussion*
Much of the call was devoted to continuing the discussion of PKI support for Shibboleth begun on the last HEPKI-TAG call. Bob reviewed the TAG discussion. Of central importance is the fact that, since the name of the Shibboleth handle service can easily be conveyed in an SSL server cert, everything else can build from there trust-wise. This has worked well in the pilot deployment, but the question of who is to issue that server cert has already come up. In a functioning InCommon federation, all an attacker needs is to get any one of the trust providers in the federation to issue them a cert. So the question arises: given current university cert-issuance practices, how hard would it be to get a cert with any given server name? And the answer is, not very hard. TAG discussed this in the context of Internet2 taking over the CREN CA, and decided that the target should only be obliged to accept the InCommon CA cert itself and any certs certified by it.
Bob thinks that this is the right conclusion, but it raises the problem of how to build a PKI for this purpose; for one thing, such a PKI should be able to do regular path verification and validation. There are things that could be done to the Shibboleth design to make it less susceptible to spoofing -- for example, registering the AA name. Ken suggested that the basic choice to be made is whether to make the cert issuance processes of InCommon federation members more rigorous, or to create a rigorous cert issuance procedure for the InCommon CA, and there was general agreement. The group discussed the possibility of adding levels of assurance to server certs by means of a policy OID that the Shibboleth software would interpret. It was agreed that this could accommodate a range of security needs; those who want a high LOA could get the sites they deal with to offer certs appropriately. However, experience with the pilot so far shows that most sites have a strong preference for using the certs they already have. Ken noted that InCommon doesn't want to create a monopoly, and has already set out rules for commercial CA participation. Ken also stressed the importance of making these choices in such a way as to ensure the rapid growth and viability of InCommon; the premature proliferation of federations is one of his main worries. There will be further discussion of these issues at the Internet2 Member Meeting later this week.
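As an added illustration of the two points above (the TAG conclusion that the target trusts only the federation CA and what it certifies, and the idea of carrying a level of assurance in a policy OID), the following Go program is example code written for this page; it is not part of the minutes and not the Shibboleth or InCommon software. The federation CA, the campus CA, the host name hs.example.edu and the two LOA OIDs under the ITU example arc 2.999 are all constructed fixtures and assumptions: InCommon defined no such OIDs. The program mints a server cert for the handle-service name from each CA and checks it against a root pool containing only the federation CA, so the campus-issued cert with the correct name (the spoofing case discussed on the call) fails path validation; the policy OID is then read to decide the assurance level, but only for certs whose chain was accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// LOA policy OIDs are placeholders under the ITU example arc 2.999, assumed for
// this example only (InCommon defined none); 2.5.29.32 is id-ce-certificatePolicies.
var oidLOAHigh = asn1.ObjectIdentifier{2, 999, 1, 1}
var oidLOABasic = asn1.ObjectIdentifier{2, 999, 1, 2}
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// issue signs tmpl with parent (self-signed when parent is nil) and returns the parsed cert and its new key.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed CA; every CA in this example is a constructed fixture.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueServerCert issues a TLS server cert for host from ca. Policy OIDs go into a
// hand-built certificatePolicies extension (RFC 3280 4.2.1.5), identical on every Go release.
func issueServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, host string,
	policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host}, // Verify matches the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(policies) > 0 {
		// SEQUENCE OF PolicyInformation { policyIdentifier OID }; qualifiers omitted.
		infos := make([]struct{ Policy asn1.ObjectIdentifier }, len(policies))
		for i, p := range policies {
			infos[i].Policy = p
		}
		val, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// verifyFederationServerCert applies the TAG rule: trust only the federation CA and what
// it certified, so a cert with the handle service's name from any other CA fails here.
func verifyFederationServerCert(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:   roots, // federation CA only; system roots are deliberately not consulted
		DNSName: host,
	})
	return err
}

// assuranceLevel maps the parsed policy OIDs to "high", "basic" or "none". Consult it
// only after the chain was accepted: a policy OID in an untrusted cert means nothing.
func assuranceLevel(cert *x509.Certificate) string {
	level := "none"
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(oidLOAHigh) {
			return "high"
		}
		if oid.Equal(oidLOABasic) {
			level = "basic"
		}
	}
	return level
}
```

The order of the two checks is the point: path validation against the federation-only root pool is what defeats the "get any member CA to issue me the name" attack, and the policy OID only adds information once that check has passed. A relying party that reads the OID first, or that also trusts the system root store, is back to the situation the call described, where any trust provider's cert for the handle-service name is accepted.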
Ken noted that Internet2 has set up an eDial server to enable email-like addressing for SIP video and voice conferencing. The IETF is interested in using Internet2's eDial system to save money on conference calls. The Internet2 eDial system will be demonstrated at the Member Meeting.
Keith noted that the MACE URN I-D has been approved by the IESG for publication as an Informational RFC. Once the RFC Editor publishes it, MACE will formally ask IANA to register the namespace ID URN:MACE. No difficulties are expected with these final steps, so a registry will be needed fairly soon. Ken noted that the Grid PMA has been set up and draft Open Grid Services Infrastructure specs have been released. Keith noted that there are issues to resolve around how to decide who can register a namespace under MACE; MACE-Dir will take up these issues.