February 11, 2004
Attendees
* Jim Jokl, U. Virginia
* Eric Norman, U. Wisconsin
* Jeff Schiller, MIT
* Shelley Henderson, USC
* Bob Morgan, U. Washington
* Renee Frost, Internet2
* Neal McBurnett, Internet2
* Jeanette Fielden, Internet2
Discussion
Revised Profiles for PKI-Lite
The revised version of the PKI-Lite profile posted to the web site requires basic constraints to be marked critical. A new section was added covering the identifier carried in the subject alt name of the identity certificate. Several software vendors (Microsoft, Cisco ACS, and Funk) handle it this way. It is not clear whether all software would fall back in the same way to presuming that there is a unique subject name, so a sentence will be added to that effect. The updated root certificate is identical to the previous one except that it requires basic constraints to be marked critical. The group accepted the changes.
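As an added illustration of the profile change recorded above (this is not code from the minutes or from the PKI-Lite documents): a dependency-free Python check that parses a DER-encoded X.509 Extensions list and reports whether basicConstraints is marked critical, run against constructed sample extension blocks for the old root, the revised root, and an identity certificate carrying an rfc822Name in subjectAltName. The sample e-mail address and the extension contents are assumptions; the caveat the check handles is that DER omits the critical flag entirely when it is FALSE, so a missing BOOLEAN must be read as non-critical.

```python
def der(tag, value):
    """Minimal DER TLV encoder; short-form lengths suffice for the samples below."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

OID_BC = bytes.fromhex("551d13")   # 2.5.29.19 basicConstraints
OID_SAN = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName

def extension(oid, value, critical):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }."""
    flag = der(0x01, b"\xff") if critical else b""   # DER omits a DEFAULT FALSE value
    return der(0x30, der(0x06, oid) + flag + der(0x04, value))

# Constructed samples (assumed values, not taken from any real certificate).
BC_CA = der(0x30, der(0x01, b"\xff"))                    # BasicConstraints { cA TRUE }
SAN = der(0x30, der(0x81, b"user@example.edu"))         # GeneralNames { rfc822Name }
OLD_ROOT = der(0x30, extension(OID_BC, BC_CA, False))    # previous profile: not critical
REVISED_ROOT = der(0x30, extension(OID_BC, BC_CA, True)) # revised profile: critical
IDENTITY = der(0x30, extension(OID_SAN, SAN, False))     # identity cert with SAN

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(exts_der):
    """Map dotted OID -> (critical, extnValue bytes) for a DER Extensions SEQUENCE."""
    tag, body, _ = _read_tlv(exts_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid, p = _read_tlv(ext, 0)
        t, v, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:                                    # BOOLEAN present only when TRUE
            critical, (t, v, p) = v != b"\x00", _read_tlv(ext, p)
        result[_decode_oid(oid)] = (critical, v)
    return result

def root_meets_revised_profile(exts_der):
    """Revised PKI-Lite root requirement: basicConstraints present and critical."""
    exts = parse_extensions(exts_der)
    return exts.get("2.5.29.19", (False, b""))[0]

def identity_has_san(exts_der):
    """Identity certificate carries a subjectAltName extension."""
    return "2.5.29.17" in parse_extensions(exts_der)
```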
InCommon end-entity profile
Eric pointed out, and Jeff concurred, that the MIME type under authority information access is incorrect. Jim believed that it had been tested and worked for Microsoft; he was not sure whether it was required or simply the default.
Shelley e-mailed the list regarding questions from her sysadmins on PGP vs. S/MIME: which is preferable and why. In general it is not a question of one being better than the other, but of which is better for a given situation. For a campus full of people S/MIME scales better; for a small group PGP works well. When deploying certificates on a campus it is usually done in the context of a variety of applications, of which S/MIME is just one. There was general consensus that it would be useful to put together information about PGP vs. S/MIME, and about PGP deployment, for the HEPKI-TAG web site. Shelley indicated that USC has a PGP web page for sending CSRs via e-mail, and that they are working on a web application to accept CSRs in an authenticated fashion with PGP.
Jeff has a PGP key signer based on Kerberos authentication.
Neal has received a request from the Jabber Software Foundation (JSF) for a signing certificate from USHER. The I2IM group is working with instant messaging, and there is interest in using certificates to authenticate, especially for server-to-server authentication among the federation's XMPP servers, which would want to trust one another. This would be similar to the piloting of certs that is done with Shibboleth via InQueue; a Jabber pilot could use the same set of CAs that is used for InQueue. The general feeling was that it would be preferable to gain experience with a number of more typical cases with USHER first.
Steve Hanna is looking for help with respect to the OASIS PKI Technical Committee (PKI TC) Action Plan. It was agreed that people needed time to review the action plan before committing to take on work relating to it.
Bob Morgan attended a Mellon foundation retreat to discuss opportunities and overlaps between projects, including new applications that imply somewhat different models of security. Dartmouth has submitted a proposal to use PKI in some form of capitalization in Chandler and Lionshare.
Action Items
1. [AI] Jim: Will draft a paragraph outlining that, for the http URL, we expect it to point at a PKCS7 that will operate with Windows.
2. [AI] All: Please send Jim signed messages so he can get the certs up on the PKIdev repository for downloading.
3. [AI] Jim will send e-mail to the list on what certs are available on PKIdev.
Sorry, this action item was omitted:
4. [AI] All: S/MIME: please send signed messages from different clients to the list so we can fill out the table on the S/MIME client data. Barry will arrange for a signed message from a new Apple client to be sent to the list. Eric will send an S/MIME signed message from Pine to the list.
5. [AI] Bob will forward the link to Chandler and the Dartmouth PKI proposal sent to Chandler.
6. [AI] Neal: Will contact Peter St. Andre about participating in the next HEPKI-TAG call.
7. [AI] Jeff will send the PGP key signer to Shelley for review.
8. Shelley indicated that they have some USC-specific documentation on PGP deployment at www.usc.edu/authx.
9. [AI] Shelley will oversee the development of a PGP deployment guide for the HEPKI-TAG site.
10. [AI] Neal will invite Steve Hanna to the next HEPKI call.