Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

October 10, 2001
Attendees

* Jim Jokl (chair) - Virginia
* Neal McBurnett
* Ed Feustel - Dartmouth
* Jeff Schiller - MIT/CREN
* Michelle Gildea - CREN
* Chris Misra - Massachusetts
* Bob Brentrup - Dartmouth
* Bill Doster - Michigan
* Steve Worona - EDUCAUSE
* Judith Boettcher - CREN
* Keith Hazelton - Wisconsin
* Renee Frost - Michigan/Internet2
* Ellen Vaughan - Internet2
* Bob Morgan - Washington
* Ben Chinowsky (scribe) - Internet2

Discussion

The meeting opened with Neal calling the group's attention to "scary stuff on patent policy" on www.w3.org. Neal is concerned that changes to W3C's patent policy open the door to greater vendor control of key pieces of the Web infrastructure.

The minutes were approved with one addition to the attendees list. The group reviewed recent action items:

* [26-September - Jim will write up the final version of the PKI Lite cert profile, including annotations based on TAG's discussions.] Written but not yet final -- see below.
* [26-September - Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.] In process.
* [26-September - Ed will send out the URL for the CREN framework document.] Still to do.
* [26-September - Ed will dig into the new profile document to resolve his disagreement with Jeff about constraints on policies of subordinate CAs.] Done; Ed recommends that TAG read pages 181-188 of Housley and Polk and discuss further. There was a short discussion of the role of the CREN CA in PKI Lite -- is it more like the top of a trust hierarchy, or more like a bridge? Judith described the CREN framework as involving no tight linkage between the CREN policy and campus policies -- "almost a federation of campuses all having the CREN-signed cert" -- and Ed said that the CREN CA seems like a bridge minus the policy mapping.
* [26-September - Eric will put his demo cert issuer on the Internet2 demo machine.] [AI] Jim will make Eric an account on the Internet2 demo machine so that Eric can set up the cert issuer.
* [26-September - Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.] Still to do.
* [26-September - Jeff will look into getting user certs from MIT for the demo site.] Still to do.
* [26-September - Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.] Ongoing. Eric noted that the use of PKCS7 is desirable for this purpose, as it specifies the decryption capabilities of the sender, which an X.509 cert does not. Ken noted that he has a visit to Sun coming up; [AI] All will send Ken questions for Sun on using certs with S/MIME clients.
* [AI] Jim will check status of action items from August 29 and earlier via email.

Most of the call was devoted to discussion of PKI Lite documents. The group reviewed the PKI Lite cert profile, and approved it with the following small changes:

* Emphasize more strongly that dc naming is optional.
* Add a suggestion that a CA version number be included in the cn in the Issuer field.
* Specify that the 13-month maximum cert lifetime is a recommendation, not a requirement, and that certs can also have very short lifetimes (hours rather than months).

The latest PKI Lite cert profile is at http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-profile-current.html
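The three profile points above are the kind of thing a conformance check gets wrong if done casually: the 13-month limit is calendar arithmetic rather than a day count, and the dc-naming and CA-version points are advisory, so they should produce warnings, not failures. The following is an added example written for this page, not code from HEPKI-TAG, CREN or the Internet2 profile. It assumes DNs given as RFC 2253/4514 strings, ISO-8601 validity times with an explicit UTC offset, and a version token such as "v2" or "CA 3" in the issuer cn (the minutes do not fix that format, so the regex is a guess); the sample DNs and dates are constructed.

```python
"""
Added example: a conformance check for the PKI Lite cert-profile points
recorded in these minutes. Illustrative code written for this page, not
software from HEPKI-TAG, CREN or Internet2. Assumptions (not from the page):
  * DNs are RFC 2253/4514 strings (comma-separated RDNs);
  * a "CA version number in the issuer cn" is a token like "v2" or "CA 3";
  * validity times are ISO-8601 strings with an explicit UTC offset.
"""
import calendar
import re
from datetime import datetime

# Assumed convention for the version token in the issuer cn (not from the page).
VERSION_RE = re.compile(r"(?:\bv(?:ersion)?\s*)?\d+\b", re.IGNORECASE)
MAX_RECOMMENDED_MONTHS = 13  # a recommendation in the profile, not a requirement


def parse_dn(dn):
    """Split an RFC 4514 DN string into (attr, value) pairs in written order.
    Backslash-escaped commas stay inside the value; multi-valued RDNs ('+')
    are not handled, which is enough for the DNs discussed here."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def add_months(dt, months):
    """Calendar-month arithmetic (13 months is not 395 days); the day of the
    month is clamped to the length of the target month."""
    month0 = dt.month - 1 + months
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def check_profile(issuer_dn, subject_dn, not_before, not_after):
    """Return (errors, warnings). Errors are hard failures; warnings cover the
    profile's optional or recommended points (dc naming, CA version in the
    issuer cn, the 13-month lifetime)."""
    errors, warnings = [], []
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    nb, na = datetime.fromisoformat(not_before), datetime.fromisoformat(not_after)

    # dc naming is optional: record its absence, never fail on it.
    if not any(attr == "dc" for attr, _ in subject):
        warnings.append("subject uses no dc components (optional under the profile)")

    # The profile suggests a CA version number in the issuer cn.
    cns = [value for attr, value in issuer if attr == "cn"]
    if not cns:
        errors.append("issuer has no cn")
    elif not any(VERSION_RE.search(cn) for cn in cns):
        warnings.append("issuer cn carries no CA version number (suggested)")

    # Validity must be well-ordered. Lifetimes over 13 months are only a
    # warning, and very short lifetimes (hours) pass without comment.
    if na <= nb:
        errors.append("notAfter is not later than notBefore")
    elif na > add_months(nb, MAX_RECOMMENDED_MONTHS):
        warnings.append("lifetime exceeds the recommended 13-month maximum")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample inputs, not certificates issued by any real CA.
    issuer = "cn=Example University CA v2,dc=example,dc=edu"
    for label, subject, nb, na in [
        ("8-hour cert", "cn=Jane Doe,dc=example,dc=edu",
         "2001-10-10T09:00:00+00:00", "2001-10-10T17:00:00+00:00"),
        ("14-month cert", "cn=Jane Doe,o=Example University,c=US",
         "2001-10-10T00:00:00+00:00", "2002-12-10T00:00:00+00:00"),
    ]:
        print(label, check_profile(issuer, subject, nb, na))
```

The split into errors and warnings is the point: a relying party reading the profile should treat only a malformed or inverted validity period as a reason to reject, while the dc, version-number and 13-month items are advice to the issuing campus and should surface as findings rather than block a cert. The month arithmetic also means a cert issued on 31 October and expiring on 30 November of the next year is still inside the 13-month recommendation.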

TAG reviewed the PKI Lite CP, and agreed to take Jeff's advice not to describe required cert-issuance practices in terms of inter-campus comparisons, in particular removing the sentence "The existing practice must be one that central computing staff from a peer institution would consider sufficient for routine applications..." Instead, the CP will specify that the campus will use the same identification procedures for cert issuance that it uses for other purposes -- an intra-campus standard. Ken expressed concern that taking out the comparative standard will limit the number of campuses that will participate in PKI Lite. [AI] Jim will revise the PKI Lite cert profile and cert policy.

The latest PKI Lite cert policy is at http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-policy-current.doc

Jeff argued that if PKI Lite is going to require participating campuses to publish a CPS, then TAG must provide a CPS template ("we have to turn it into paint-by-numbers"); there was general agreement. Jim asked the group for thoughts on the issue of what an individual who's deciding whether or not to accept a PKI Lite cert will want to know. Jeff noted that in MIT's cert deployment "no one has ever asked me if they can see a CPS", and that MIT has five companies using its certs to do business with it. He argued that prospective relying parties "don't care about information, they care about liability", and that as the liabilities involved in the uses planned for PKI Lite are small, detailed CPSes are not necessary. [AI] Jeff will draft a CPS template for PKI Lite.

The meeting ended with a reiteration of the two fundamental principles underpinning PKI Lite. Jeff emphasized simplicity: "move to something better than username and password." Ed added the proviso that PKI Lite should not be made so simple as to block "an evolutionary path to something more interesting."

Action Items

* [AI] 10-October - Jim will make Eric an account on the Internet2 demo machine so that Eric can set up the cert issuer.
* [AI] 10-October - All will send Ken questions for Sun on using certs with S/MIME clients.
* [AI] 10-October - Jim will check status of action items from August 29 and earlier via email.
* [AI] 10-October - Jim will revise the PKI Lite cert profile and cert policy.
* [AI] 10-October - Jeff will draft a CPS template for PKI Lite.
* [AI] 26-September - Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.
* [AI] 26-September - Ed will send out the URL for the CREN framework document.
* [AI] 26-September - Eric will put his demo cert issuer on the Internet2 demo machine.
* [AI] 26-September - Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.
* [AI] 26-September - Jeff will look into getting user certs from MIT for the demo site.
* [AI] 26-September - Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.
* [AI] 29-August - Renee will look into what policies Internet2 is considering for software distributions.
* [AI] 29-August - All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.
* [AI] 1-August - Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
* [AI] 6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.
* [AI] 23-May - All will review Jeff's private-key-protection document and send comments to Jeff.