*HEPKI-TAG Conference Call*
January 10, 2007

*Attendees*
Jim Jokl (chair) - Virginia
Eric Norman - Wisconsin
Jeff Schiller - MIT
Scott Rea - Dartmouth
David Wasley - independent
Neal McBurnett - Internet2
Ben Chinowsky (scribe) - Internet2

*Action Items* (new)
[AI] Eric will look for more information on the logo-searching problem in CardSpace.
[AI] David will send out a URL for Michael Sessa's work on digitally-signed XML transcripts.

(from previous calls)
[AI] Eric will experiment with delivery and trust of root and intermediate certs via the web in Mozilla-family browsers.
[AI] Jim will incorporate Scott's digsig-tools information into the HEPKI-TAG web site.
[AI] David will follow up on SAFE's open-source signing work.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.

*Discussion*

Much of the call was spent pruning the list of action items.
- With respect to the CA Audit project, Jim noted that authN standards for Grids are available at http://www.gridpma.org/ -- see the links under "Authentication Profiles" on the left-hand side of the page.
- Eric noted that Ron DiNapoli's work on Aladdin eTokens on Macintosh is available at http://www.opensc-project.org/.
- David noted that Macs now fully support PKI; see http://www.educause.edu//ir/library/pdf/CSD4733.pdf and David's January 10 note to the HEPKI-TAG list.

David gave a short HEBCA update. A survey has revealed that there is "very lukewarm" interest on the campuses. Most are either using commercial PKI or not planning to use PKI at all anytime soon. For the time being, HEBCA will remain a test bridge, as it's cheap to do this; it's the staff needed to issue high-assurance certs that's expensive.

Jim noted that the USHER Policy Authority has signed off on the contract and CP. David Wasley, Scott Rea, and John Krienke are working on the CPS.

The group discussed OpenID (http://openid.net/). Jeff observed that SSH has been successful because there's no barrier to entry, and OpenID is a lot like that -- "if you make something that's grassroots-joinable, you have a lot better chance of gaining traction." Jeff argued that while there are some technical issues, these are fixable, but "as soon as you have to have a lawyer in the room, you're doomed to fail." Neal asked how OpenID is better than PGP; Jeff observed that PGP requires end-users to have technical understanding, but OpenID doesn't.

Jeff gave the example of using OpenID to stop blog spam: the blog operator can screen OpenIDs and add those who are making reasonable comments to a whitelist; you can do that without having to manage identities. Jeff described this as "leap of faith" authorization -- if someone behaves reasonably once, you trust them thereafter.

Another possible use case is the MIT admissions portal, where prospective students can create their own account and build a relationship with MIT before even applying. Jeff noted that MIT could use OpenID for this process, then require a stronger ID for when the individual actually applies and needs to exchange sensitive information.

On the other hand, Eric noted an ongoing discussion about whether OpenID will make spoofing worse; see http://www.identityblog.com/?p=649, http://www.identityblog.com/?p=659, and http://www.links.org/?p=188.
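The blog-spam whitelist that Jeff described is a small piece of relying-party policy rather than anything in the OpenID protocol itself. The following is an added illustration of that "leap of faith" model, written for these notes; it is not code from the HEPKI-TAG group or from any OpenID library. It assumes that OpenID authentication has already completed and that the relying party holds the verified claimed identifier; the identifier normalisation shown is a deliberately simplified stand-in for the full OpenID 2.0 normalisation rules, and the identifiers and comment texts are constructed sample data.

```python
"""Leap-of-faith comment moderation keyed on OpenID identifiers.

Added example, not HEPKI-TAG or OpenID project code. A first comment from an
unknown identifier is held for the operator; once the operator approves that
commenter, later comments from the same identifier are published directly.
The relying party never manages identities, only the whitelist.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(identifier: str) -> str:
    """Canonicalise an OpenID URL so the whitelist key is stable.

    Simplified approximation (an assumption of this example, not the spec
    text): add a scheme if missing, lowercase scheme and host, drop any
    fragment, and use '/' for an empty path. Path case is preserved.
    """
    raw = identifier.strip()
    if "://" not in raw:
        raw = "http://" + raw
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


@dataclass
class CommentPolicy:
    """Relying-party policy: whitelist, blocklist and a queue of held comments."""
    whitelist: set[str] = field(default_factory=set)
    blocklist: set[str] = field(default_factory=set)
    pending: dict[str, list[str]] = field(default_factory=dict)

    def submit(self, identifier: str, text: str) -> str:
        """Decide what happens to a comment from an authenticated identifier."""
        key = normalize_identifier(identifier)
        if key in self.blocklist:
            return "rejected"
        if key in self.whitelist:
            return "published"
        # Unknown commenter: hold the comment until the operator has looked at it.
        self.pending.setdefault(key, []).append(text)
        return "held"

    def approve(self, identifier: str) -> list[str]:
        """The leap of faith: one reasonable comment earns a lasting whitelist entry.

        Returns the held comments so the caller can publish them.
        """
        key = normalize_identifier(identifier)
        self.whitelist.add(key)
        return self.pending.pop(key, [])

    def block(self, identifier: str) -> None:
        """Revoke trust; also discards anything still queued from this identifier."""
        key = normalize_identifier(identifier)
        self.whitelist.discard(key)
        self.blocklist.add(key)
        self.pending.pop(key, None)


def demo() -> dict[str, object]:
    """Walk one commenter through held -> approved -> published, and one to blocked."""
    policy = CommentPolicy()
    alice = "https://openid.example.org/alice"          # constructed sample identifier
    bot = "https://openid.example.net/autoposter"        # constructed sample identifier
    first = policy.submit(alice, "Nice post; one correction to the second section.")
    # Operator approves; note the differently-cased, fragment-bearing form still matches.
    released = policy.approve("HTTPS://OpenID.example.org/alice#")
    second = policy.submit(alice, "Follow-up question about the CPS.")
    spam = policy.submit(bot, "Unrelated advertising text.")
    policy.block(bot)
    spam_again = policy.submit(bot, "More of the same.")
    return {
        "first": first, "released": released, "second": second,
        "spam": spam, "spam_again": spam_again,
        "whitelist": sorted(policy.whitelist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point worth keeping in mind is where the trust actually sits: the whitelist entry is only as good as the OpenID provider's authentication of its user, so a provider that can be spoofed or a user whose provider password is phished turns into a whitelisted commenter. That is the concern behind the spoofing discussion Eric referenced, and it is why the policy keeps a `block` path that wins over the whitelist.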

Jeff also noted that Amazon's Elastic Compute Cloud service (now in beta; see http://aws.amazon.com) makes use of PKI to enable access to "as many virtual servers as you're willing to pay for", at ten cents per CPU hour. Jeff noted that in this implementation, knowing someone's Amazon password is still sufficient to take over their account.

There was also a discussion of possible panel topics at the 6th Annual PKI R&D Workshop (http://middleware.internet2.edu/pki07/). [AI] Scott will send Neal a proposal for a PKI07 panel on issues around the Australian federation. Neal (neal AT bcn.boulder.co DOT us) is still taking suggestions.