*HEPKI-TAG Conference Call*
January 11, 2006
*Action Items*
(new)
[AI] Jim will notify Steve if the USHER launch date will be later than early February.
[AI] Neal will send out some recent links on the deceptive-URL issue.
(from previous calls)
[AI] Jim will ask Nathan to evaluate WebTrust Compliance Review.
[AI] All will look at http://www.gridpma.org for materials for the CA Audit project to point to or extract from.
[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF).
[AI] Neal will look into European approaches to credential assessment.
[AI] All who can test the Eudora S/MIME plugin, or find others to do so, will contact Jim.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] All who have time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.
[AI] Jim will continue looking at PKI Lite cert profiles for Rice's code-signing application.
[AI] Eric will call Mozilla's attention to the fact that they don't support the standards needed to recognize trust anchors on tokens, and nudge them to do something about it.
[AI] Eric will continue seeking feedback on his Top 10 lists, especially from HCISec.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark will ask Jed Dobson for more information on OSG.
[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.
[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
[AI] All will send Jim further suggestions for TAG projects.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
*Attendees*
Jim Jokl (chair) - Virginia
Neal McBurnett - Internet2
Jeff Schiller - MIT
Eric Norman - Wisconsin
Shelley Henderson - USC
John Krienke - Internet2
David Wasley - independent
Steve Carmody - Brown
Ben Chinowsky (scribe) - Internet2
*Discussion*
USHER is now aiming to launch in late January. [AI] Jim will notify Steve if the USHER launch date will be later than early February.
Shelley has found someone at USC with audit experience to help with the campus CA audit project. Eric suggested testing the ID proofing processes by sending people to try to get certs without following the rules; the group agreed that this would need to be done in a later stage of the project if at all. Jeff noted two issues:
- How does the person who's trying to get a certificate know who the verifying person at the institution really is? E.g., after Jeff calls them for their PGP fingerprint, how do they know that MIT didn't fire Jeff yesterday?
- High-assurance CAs need to make judgment calls when people try to register deceptive addresses like ao1.com or micros0ft.com. In today's Internet the default test is "can you read email sent to this address", which is a fairly mechanical procedure.
[AI] Neal will send out some recent links on the deceptive-URL issue.
Jim noted he's still interested in finding an uncomplicated CA that TAG could package for campus use. In particular, he's interested in hearing from anyone who has experience with the VPN Consortium's SimpleCA (http://www.vpnc.org/SimpleCA/).