*MACE-Dir Conference Call*
August 18, 2003

*Attendees*
Tom Barton, U. Chicago
Keith Hazelton, U. Wisconsin
Shelley Henderson, USC
David Banz, U. Alaska
Michael Gettes, Duke
Steve Lemmons, Duke
Jeanette Fielden, Internet2
Steve Olshansky, Internet2

*Discussion*

Division of labor between courseID and MACE-Dir. Scott has written a use case, available at http://usfs2.us.ohio-state.edu/MACE/draft-cantor-courseid-usecase-00.html. It is a simple scenario that covers some of the requirements when a user hits a course management system for the first time via Shib. The courseID focus is on SHIREs and attribute authorities. Behind the attribute authority there is probably a directory, and the work of figuring out where those attributes live in the directory will likely fall to the MACE-Dir group. Tom is considering submitting a use case to the courseID group on modeling LDAP storage.

PKI summit in Snowmass. Keith talked about the summit. He felt that Peter Gietz and David Chadwick's work on X.509 and directories was very well received. An X.509 certificate is one big binary blob. It would be useful to take the parts that make up a certificate (extensions, subject name and so on), extract them into a text form with a schema, and make that information searchable in directories. It could then be used to find certificates and certificate paths, and to support path construction and path validation. Once a candidate path has been found, path validation goes back to the real certificate blob, which is digitally signed, and does a final pass over it to make sure it is cryptographically correct. Gietz and Chadwick have shown how to represent this in LDAP by parsing the certificate and populating the directory as a searchable repository for the information. Two references to review: http://www.openldap.org/conf/odd-sfo-2003/david.pdf and http://sec.isi.salford.ac.uk/download/Detailed_Designv1-6.pdf.

Tom asked whether there is a standard approach to locating the LDAP directory service that holds this information. Michael described two approaches. One, for a bridge model, is the AIA extension, which is a pointer to the directory entry that contains the information associated with that certificate; that entry can live in any directory, and within the bridge model it is all self-defined. The other approach is to store the information in your enterprise directory. It could be the Tom Barton entry in the UChicago directory: underneath the Tom Barton object there could be a number of other objects describing the certificates that belong to Tom Barton. If you are walking up the chain and have to reference another certificate object, you have to go and find that object as well. The tools Chadwick is working on will be part of the next release of OpenLDAP. Volunteers are needed to install them and report back on their experiences. Shelley will check with a colleague at USC who may be able to experiment, if he has the time.

XML enabled directories. The document is at http://www.ietf.org/internet-drafts/draft-legg-xed-roadmap-00.txt. Most people have not yet had a chance to review it. Michael mentioned that a company called Software AG has created an XML database called Tamino.

*Action Items*
[AI] All: please review the XML enabled directories document for a future discussion.
[AI] Keith will try to locate some of the references mentioned in the XML directories document.
[AI] Keith will forward Chadwick's presentation from the Snowmass summit as soon as it becomes available.
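The following Go program is an added illustration of the approach summarized under *Discussion*: certificate fields are lifted into searchable text attributes, candidate paths are built by following Issuer to Subject through those attributes, and path validation then goes back to the signed DER blobs for the final cryptographic pass. It is not code from the call, from OpenLDAP or from the Salford design document, and it does not reproduce the Gietz/Chadwick schema. The attribute names, the campus CA, the user certificate, the impostor entry and the ldap:// AIA URL are all constructed for the example; only the Go standard library's crypto/x509 is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entry is one certificate as a directory could hold it: searchable text attributes plus the signed blob.
type Entry struct {
	Serial, Subject, Issuer string   // serial number and RFC 2253 DN strings (field names are this example's own)
	AIA                     []string // Authority Information Access pointers, e.g. ldap:// URLs
	DER                     []byte   // the real certificate, consulted only in the final pass
}

// Index parses a certificate once and lifts its identifying fields into text.
func Index(c *x509.Certificate) Entry {
	return Entry{Serial: c.SerialNumber.String(), Subject: c.Subject.String(),
		Issuer: c.Issuer.String(), AIA: c.IssuingCertificateURL, DER: c.Raw}
}

// ConstructPaths follows Issuer -> Subject through the text attributes; every chain ending in a self-issued entry is a candidate.
func ConstructPaths(d []Entry, start Entry, maxDepth int) (paths [][]Entry) {
	if start.Subject == start.Issuer || maxDepth == 0 {
		return [][]Entry{{start}}
	}
	for _, next := range d { // the directory search: attribute match, no cryptography
		if next.Subject == start.Issuer {
			for _, rest := range ConstructPaths(d, next, maxDepth-1) {
				paths = append(paths, append([]Entry{start}, rest...))
			}
		}
	}
	return paths
}

// ValidatePath is the final pass and trusts nothing from the text index: each blob is re-parsed,
// compared with the attributes that described it, and signature-checked against the next one.
func ValidatePath(path []Entry) error {
	certs := make([]*x509.Certificate, len(path))
	for i, e := range path {
		c, err := x509.ParseCertificate(e.DER)
		if err != nil || c.Subject.String() != e.Subject || c.SerialNumber.String() != e.Serial {
			return fmt.Errorf("entry %d: blob unparsable or disagrees with its index attributes (%v)", i, err)
		}
		certs[i] = c
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("%q not signed by %q: %w", certs[i].Subject.CommonName, certs[i+1].Subject.CommonName, err)
		}
	}
	return certs[len(certs)-1].CheckSignatureFrom(certs[len(certs)-1]) // the self-issued anchor must verify itself
}

func must[T any](v T, err error) T { // example scaffolding: panic on any setup error
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert issues a P-256 test certificate from tmpl; a nil signer means self-signed.
func mustCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil { // self-signed: the template is its own parent
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// BuildDirectory constructs, for this example only, a campus CA, a user certificate whose AIA points at an
// assumed ldap:// location for the CA's entry, and an impostor that reuses the CA's name but not its key.
func BuildDirectory() ([]Entry, Entry) {
	now, org := time.Now(), []string{"Example University"}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{Organization: org, CommonName: "Example Campus CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := mustCert(caTmpl, nil, nil)
	caTmpl.SerialNumber = big.NewInt(99) // reuse the template: same name, new serial, and mustCert gives it a fresh key
	impostor, _ := mustCert(caTmpl, nil, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4711), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{Organization: org, CommonName: "Tom Barton"}, KeyUsage: x509.KeyUsageDigitalSignature,
		IssuingCertificateURL: []string{"ldap://directory.example.edu/cn=Example%20Campus%20CA,o=Example%20University?cACertificate"}} // assumed AIA pointer
	leaf, _ := mustCert(leafTmpl, ca, caKey)
	return []Entry{Index(ca), Index(impostor), Index(leaf)}, Index(leaf)
}

func main() {
	dir, leaf := BuildDirectory()
	for _, p := range ConstructPaths(dir, leaf, 4) {
		fmt.Printf("%s (AIA %v) via issuer serial %s: %v\n", leaf.Subject, leaf.AIA, p[len(p)-1].Serial, ValidatePath(p))
	}
}
```

Running it shows two candidate paths coming back from the text search, because the impostor entry shares the CA's subject name, and only the genuinely signed one surviving the final pass; the index makes certificates findable, the signature check decides. The same final pass also rejects an entry whose text attributes disagree with the blob they describe, so a tampered index cannot redirect validation. In a real deployment the AIA URL, or the certificate objects under the user's entry in the enterprise directory, would tell the path builder which directory to search; here the search is a string match over an in-memory slice.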