*Attendees*
Jim Jokl (chair) - Virginia
Jeff Schiller - MIT
Nathan Faut - KPMG
Eric Norman - Wisconsin
Renee Frost - Michigan/Internet2
Lisa Haanpaa - Internet2
Neal McBurnett - Internet2
Ben Chinowsky (scribe) - Internet2
*Action Items*
(new)
[AI] Nathan will send Jim a short overview of the sessions he's planning to present at the PKI Implementers Workshop.
[AI] Jim will continue working to finalize the agenda for the PKI Implementers Workshop, coordinating with Jeff and other possible presenters.
[AI] Neal will look for more information on the logo-searching problem in Cardspace.
(from previous calls)
[AI] Eric will experiment with delivery and trust of root and intermediate certs via the web in Mozilla-family browsers.
[AI] Scott will send out a pointer to the draft TAGPMA CA audit requirements.
[AI] Jim will incorporate Scott's digsig-tools information into the HEPKI-TAG web site.
[AI] All will ask their contacts what material their schools would find most useful in a PKI implementers workshop.
[AI] David will follow up on SAFE's open-source signing work.
[AI] All will send URLs for CA software (open-source or not) to TAG.
[AI] Eric will let TAG know when Ron DiNapoli's work on Aladdin eTokens on Macintosh is available for the group to look at.
[AI] All will look at http://www.gridpma.org for materials for the CA Audit project to point to or extract from.
[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF).
[AI] All who can test the Eudora S/MIME plugin, or find others to do so, will contact Jim.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] All who have time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.
[AI] Jim will continue looking at PKI Lite cert profiles for Rice's code-signing application.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark will ask Jed Dobson for more information on OSG.
[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.
[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
[AI] All will send Jim further suggestions for TAG projects.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
[AI] Jim will review the action items and send Ben a list of changes and deletions.
*Discussion*
The group reviewed plans for the December 4 PKI Implementers Workshop. Details, including a list of topics, are at http://events.internet2.edu/2006/fall-mm/sessionDetails.cfm?session=2981&event=258
[AI] Nathan will send Jim a short overview of the sessions he's planning to present at the PKI Implementers Workshop. [AI] Jim will continue working to finalize the agenda for the PKI Implementers Workshop, coordinating with Jeff and other possible presenters.
If Jeff is able to come to the workshop, he wants to present on the theme of "any time you try to do security against human nature, you lose." For example, if you make putting sensitive information on a laptop into a fireable offense, someone who does so anyway and then loses the laptop will deny that it contained any sensitive information, thus reducing the amount of information management has about the event. In his work at MIT, Jeff has been pushing the necessity of "passing all security situations through the human-nature filter." Neal noted Angela Sasse's discussion of similar themes at PKI06; see http://middleware.internet2.edu/pki06/proceedings/sasse-johnny_usability.ppt and http://middleware.internet2.edu/pki06/proceedings/workshop_summary.html
Eric noted that Cardspace prefers logo certs to regular server certs; in logo certs, the logo is the DN. Several problems with this approach were noted:
- Jeff noted that it doesn't do anything to prevent phishing attacks via misleading domain names (e.g. citibankissecure.com).
- Neal noted that logos are hard to search. [AI] Neal will look for more information on the logo-searching problem in Cardspace.
- Eric noted that -- as with domain names -- the problem with logos is that there aren't enough of them.