*MACE Conference Call*
September 9, 2002

*Attendees*

Keith Hazelton (acting chair) - Wisconsin
Renee Frost - Michigan/Internet2
Neal McBurnett - Internet2
Scott Cantor - OSU
Jim Jokl - Virginia
David Wasley - UCOP
Steven Carmody - Brown
Mark Poepping - CMU
Ben Chinowsky (scribe) - Internet2

*Discussion*

Recent discussions on the Global Grid Forum Security Area mailing list (www-unix.gridforum.org/mail_archive/security-wg/maillist.html) have taken up issues arising from the GGF's planned approach to the use of certificates to meet the access-control needs of large Grid target sites such as Fermilab and SLAC. The GGF is interested in getting MACE's input on these issues; MACE discussed two of them.
- The GGF's proxy certs proposal involves non-CAs signing the proxy certs. Apparently this is raising objections among PKI standards bodies, but it was not clear to MACE exactly what the objections are or who is making them. [AI] Neal will ask PKI Labs participants about PKI standards bodies' objections to the GGF proxy certs proposal. [AI] Keith will ask Bob Morgan about PKI standards bodies' objections to the GGF proxy certs proposal. David suggested that what's needed here is not a way for an individual to act as a CA, but a way to standardize a signed document that delegates privileges. Keith noted that the GGF strongly prefers to use existing software with the fewest changes possible, and that it would like to see its proxy certs proposal accepted by the standards bodies, so it's important to them to resolve this issue.
- Some in the GGF would like authorizations to be revocable with only an hour's notice; the current authorization scheme does not provide for this. Ken suggested that MACE try to find out the reasons for the perceived need for one-hour revocation, and evaluate whether or not those reasons are valid.

Next, MACE discussed problems the Shibboleth project is encountering due to the lack of freely available and universally trusted certificates. The Shibboleth architecture uses both client and server certs. For the Shibboleth client certs -- and for the pilot phase, for the server certs as well -- the CREN CA is a possible solution. However, broad deployment of Shibboleth will require universally trusted server certs -- that is, server certs from CAs whose root certificates come pre-installed in common Web browsers. This means that either a universally trusted CA must be developed under academic control, or the cooperation of commercial certificate vendors must be secured. The latter approach appears to be especially problematic. The cost of the certificates is an issue on some campuses; more fundamentally, it's not clear that the vendors can be persuaded to sell the kinds of certs that Shibboleth needs. In particular, it appears that as part of the fallout from the recent problems with Internet Explorer, VeriSign will soon prohibit the use of end-user certs as server certs, as Thawte does already. Scott stressed the need to convince certificate vendors that their model is broken in this respect. Ken noted that it looks like the CREN CA will be available for Shibboleth to use starting sometime in October.

Finally, Ken, who was calling in from the NSF Middleware Initiative and Digital Rights Management Workshop (www.ait.utk.edu/drmworkshop/), observed that the workshop organizers seemed to be succeeding in making their case to the many "power brokers" present. Two products are expected from the workshop: an architecture document for NMI Release 2 in October, and a submission to the OASIS digital rights language committee.

*Action Items*

[AI] Neal will ask PKI Labs participants about PKI standards bodies' objections to the GGF proxy certs proposal.
[AI] Keith will ask Bob Morgan about PKI standards bodies' objections to the GGF proxy certs proposal.