August 1, 2001
Attendees
* Jim Jokl (chair) - Virginia
* Jeff Schiller - MIT/CREN
* Michael Gettes - Georgetown
* Ed Feustel - Dartmouth
* Steve Worona - EDUCAUSE
* Chris Misra - Massachusetts
* Ellen Vaughan - Internet2
* Eric Norman - Wisconsin
* Keith Hazelton - Wisconsin
* Bill Doster - Michigan
* Judith Boettcher - CREN
* Michelle Gildea - CREN
* Ken Klingenstein - Colorado/Internet2
* Ben Chinowsky (scribe) - Internet2
Discussion
The minutes of the previous call were approved without changes. Most of the discussion was devoted to a review of progress on action items.
[18-July - Jim will email Ed about the status of his compilation of info on campus PKI work.]
[20-June - All will send Ed a brief description of their campus PKI work, along with the name, email, and phone number of a contact person for that work; Ed will compile a contact list and send it to TAG.] Ed now has contacts at ten campuses; he's still hoping for more.
[18-July - Jim and Eric will do further PKI Lite mail client interoperability testing.]
Ongoing. Jim noted that the mail clients they've tested all include a copy of every cert in the trust chain, except for the root cert, in signed messages; the exception is Outlook Express, which includes the root cert as well. [AI] Ken will contact Todd Needham at Microsoft to a) find out what information Microsoft email clients verify in the root cert and under what conditions they display a warning, and b) try to get a commitment from Microsoft to meet with CSG attendees on September 11. [AI] Ed will contact Netscape to find out what information its email clients verify in the root cert and under what conditions they display a warning. TAG expressed great interest in discussing its S/MIME needs with Microsoft and Netscape; Ed noted that Mozilla is just getting started with S/MIME.
[20-June - Judith will update the information on the CREN pilot schools on the CREN web site.] Ongoing.
[20-June - Judith and Ed will work on an example of how things should be divided up between a campus's CP and its CPS.] Ongoing.
[20-June - Eric will create a demo web site that issues end-entity certs and lets the user test the certs by using them to authenticate to a web page.] Done; there was high praise for Eric's work. Eric suggested that providing something like his demo site to a wider audience might be a good way to provoke questions and get PKI Lite rolling; Ed noted that this could also produce pointed questions for the browser makers. Jim noted that Internet2 has provided a server to use to make Eric's demo available to a wider audience, and Ken emphasized that Internet2 is anxious to find further means of pushing forward the deployment of PKI Lite.
[20-June - All will provide Jim feedback on the prototype TAG web site (http://middleware.internet2.edu/hepki-tag/).]
[6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.]
Jim encouraged the group to keep its comments and content coming. Ed noted that at some point it will be necessary to make sure that people who provide web addresses for their PKI work don't object to having that work more widely publicized; Eric suggested that TAG produce a disclaimer for providers of such information to sign.
[6-June - Ed will send Jim mail about resolving the Outlook no-signing-without-encryption issue.]
Ed and Jim plan to get further information on this issue from Todd Needham, hopefully at the projected September 11 meeting in Seattle.
[23-May - All will review Jeff's private-key-protection document and send comments to Jeff.]
Jeff has not received any new comments.
[18-July - TAG will continue discussion of the problem of how to ensure unique subject names, and will revisit this question in the light of its experiments with S/MIME over the next two weeks.]
TAG agreed to require that PKI Lite certs include the cert holder's email address in both the subject and subjectAltName fields. The question of how to handle multiple email addresses for one person was left unresolved.
[18-July - All will bone up on policy OIDs in preparation for a decision on this issue on the next call.]
After reviewing the options remaining from the discussion on the last call, TAG agreed that a) no fields will be marked critical, and b) the policy OID will be optional. Ken argued that in general PKI Lite should have all the components specified in RFC 2527, but in lighter-weight versions; jettisoning them entirely risks promoting dead-end ways of doing things. [AI] Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID. Judith argued that when, as with the policy OID, inclusion of a feature is optional, TAG should specify best practices to guide deployment. [AI] TAG will continue discussion of what kind of best practices it should provide for PKI Lite deployment.
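The two profile decisions recorded above (the cert holder's email address in both the subject and subjectAltName, no extensions marked critical, policy OID optional) can be turned into a mechanical check that a campus CA could run on the certs it issues. The following is an added example written for these minutes, not code from TAG or from any of the campus CA packages under discussion; it uses the pyca/cryptography library, and the policy OID 1.3.6.1.4.1.99999.1.1 is a placeholder chosen for illustration, not a TAG-assigned identifier. It signs with RSA-SHA256 rather than the RSA-SHA1 discussed on the call because current libraries reject or warn on SHA1.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Placeholder policy OID for illustration only; a real deployment would use
# an OID assigned to the issuing institution's CP.
EXAMPLE_POLICY_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")


def make_pki_lite_cert(email, common_name, with_policy=True, critical_san=False):
    """Issue a self-signed end-entity cert following the PKI Lite decisions.

    critical_san=True deliberately violates the 'no critical fields' rule so
    the checker below has something to reject.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Email address appears in the subject as the emailAddress attribute ...
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        # ... and again in subjectAltName as an rfc822Name.
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]),
                       critical=critical_san)
    )
    if with_policy:
        # Policy OID is optional in PKI Lite; when present it is non-critical.
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(EXAMPLE_POLICY_OID, None)]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def check_pki_lite(cert):
    """Return (problems, has_policy_oid) for a parsed x509.Certificate.

    problems is a list of human-readable rule violations; an empty list means
    the cert satisfies the TAG decisions recorded above.
    """
    problems = []

    subject_emails = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)]
    if not subject_emails:
        problems.append("no emailAddress attribute in subject")

    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        san_emails = san.value.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        san_emails = []
        problems.append("no subjectAltName extension")
    if not san_emails and subject_emails:
        problems.append("no rfc822Name in subjectAltName")
    if subject_emails and san_emails and set(subject_emails) != set(san_emails):
        problems.append("subject emailAddress and subjectAltName rfc822Name disagree")

    # Decision (a): no extension may be marked critical.
    for ext in cert.extensions:
        if ext.critical:
            problems.append(f"extension {ext.oid.dotted_string} is marked critical")

    # Decision (b): a policy OID is allowed but not required; report presence.
    has_policy = any(ext.oid == ExtensionOID.CERTIFICATE_POLICIES for ext in cert.extensions)
    return problems, has_policy


if __name__ == "__main__":
    cert = make_pki_lite_cert("alice@example.edu", "Alice Example")
    print(check_pki_lite(cert))
```

To audit an existing cert file instead of a freshly generated one, load it with `x509.load_pem_x509_certificate` and pass the result to `check_pki_lite`; the function treats a missing policy OID as a reportable fact rather than a failure, matching the "optional" decision.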
Ken noted that, by means of extremely tight procedures for user identification and key generation and transport, the Federal PKI has now achieved what he called "technical nonrepudiation", but that, in the face of the intractable "what if they get up to use the restroom" problem, the Feds have given up on legal nonrepudiation.
TAG briefly discussed, but made no decision on, whether to require or recommend a particular signature algorithm. DSA is cheap, but not many places will accept it in a client cert. Jeff argued that while people should use RSA, and while RSA-SHA1 is somewhat better than RSA-MD5, TAG should take the approach of documenting the advantages and disadvantages of the various algorithms, rather than issuing a requirement.
Finally, TAG discussed whether to recommend dc naming in PKI Lite. Jim is in the middle of trying to resolve a problem at Virginia in which it appears that dc naming is breaking VPNs; if confirmed, this would be the first time in TAG's experience that dc naming has broken anything. [AI] TAG will continue its discussion of dc naming in PKI Lite.
Action Items
* [AI] 1-August - Ken will contact Todd Needham at Microsoft to a) find out what information Microsoft email clients verify in the root cert and under what conditions they display a warning, and b) try to get a commitment from Microsoft to meet with CSG attendees on September 11.
* [AI] 1-August - Ed will contact Netscape to find out what information its email clients verify in the root cert and under what conditions they display a warning.
* [AI] 1-August - Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
* [AI] 1-August - TAG will continue discussion of what kind of best practices it should provide for PKI Lite deployment.
* [AI] 1-August - TAG will continue its discussion of dc naming in PKI Lite.
* [AI] 20-June - All will send Ed a brief description of their campus PKI work, along with the name, email, and phone number of a contact person for that work; Ed will compile a contact list and send it to TAG.
* [AI] 20-June - All will provide Jim feedback on the prototype TAG web site (http://middleware.internet2.edu/hepki-tag/).
* [AI] 6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.
* [AI] 23-May - All will review Jeff's private-key-protection document and send comments to Jeff.