October 11, 2000
Attendees
* Jim Jokl (chair) - Virginia
* Neal McBurnett - Avaya
* Frank Grewe - Minnesota
* Keith Hazelton - Wisconsin
* Deb Crocker - Alabama
* Eric Norman - Wisconsin
* Ariel Glenn - Columbia
* Mark Poepping - CMU
* Ben Chinowsky (scribe)
- Internet2
* Other people joined and
left the call at various
times.
Discussion
After approval of the minutes, the group discussed the recent Ed/Fed meeting in DC. At this meeting it was decided that HEPKI should concentrate on producing a draft CP for a hypothetical HEBCA. The FBCA draft is solid. The Feds have a policy authority group that decides who can join; the bridge is "a conduit of trust", as vs. something that adds further trust. The Ed/Fed group asked itself, What are the minimum changes required to make the FBCA CP work for higher education? Guida was there editing as they talked, and took the result to an FBCA meeting shortly thereafter. Guida is interested in adopting hybrid (o=, dc=) naming but thinks it will be hard to convince others to go along with this. He also thinks it will be possible to accommodate pseudonymous certs, but he had strong reservations about allowing them to carry either Medium or High assurance, which is a concern because Medium (two photo IDs in person) is the most important assurance level. (The Federal assurance levels are Rudimentary, Basic, Medium, and High.) The bridge must operate at the highest assurance level that crosses it. [AI] Keith will send TAG Guida's version of the FBCA CP, along with the draft higher-education CP; TAG members will not circulate the Guida FBCA CP draft beyond TAG.
It is not known if the physical-security capabilities of higher education will be enough for Medium; it may be necessary to make do with Basic. Grant applications and sending patentable ideas out for anonymous review were given as examples of the need for pseudonymous Medium. Deb noted that libraries have to sign contracts saying they will only give access to certain people; this might help with Medium. Frank asked if mapping onto username-password pairs might provide a solution; Keith noted that this had come up in the Ed/Fed meeting, and that in order for this to work it would be necessary to document how sure you can be that only the right people have the pair. Neal noted that relying on holding credentials longer means running a greater risk that those credentials will fall into the wrong hands. Jim noted that most Internet2 schools can probably do Rudimentary and Basic already. Frank raised the question of how many students will really need Medium, and guessed around 10%; it was acknowledged that this is a key question.
There was a short discussion of mobility work. It was noted that the chair of IETF-SACRED is Steve Farrell, who is also the chief scientist at Baltimore and a participant in the Internet2 PKI Labs. Eric characterized the hardware-token demos at Wisconsin the previous Friday as "kind of a miserable failure". There was general agreement that TAG should collect hardware-token-related links and conduct an email poll to obtain opinions on hardware tokens, with a view toward establishing a consensus. [AI] All will send Jim names of people who should be included in a hardware-tokens email poll. [AI] Jim will follow up with Renee on smartcards work.
There was an update on the work of the certificate profiles committee. Everyone's certs appear to be a little different, but only a little. Jim described Ken's thought that based on the FBCA and HEBCA work, having similar profiles may be more important than was previously thought. Do people have the impression that if it becomes important to have a much smaller set of profiles, it would not be too hard to do that on the campuses? Neal noted that delegation is a big concern; "something that you would have to do" is a better approach than trying to make all cert formats identical.
With respect to open-source work, Ariel reported that she is watching the list; the work is coming along, but slowly.
There was a discussion of the future of the TAG web site. Neal stressed the importance of having a good collection of links; the site should provide a "sufficient set" of URLs for higher- education people getting started with PKI. Jim suggested that people doing PKI work, especially open-source work, could send a paragraph or so describing it, along with a more-information link, to be posted on the HEPKI web site. This would give beginners access to some real-world experience. There was general agreement that this would be useful; linking to the CREN pilot schools and having Wisconsin model this process on its site were suggested as early steps. [AI] Jim will talk to Judith about whether private-key-protection material is available from CREN. [AI] Over the next week or so, Jim (possibly asking for help from others) will draft a questionnaire asking HEPKI schools about their use of basic PKI stuff, like SSL and PGP. [AI] Schools that already have a description of their PKI work written up should send Jim a paragraph and links.
Finally the group discussed an issue raised by the Grid Forum's intention to enable individuals to issue certificates: do individuals need to be CAs in order to issue proxy certs? While Michigan already allows individuals to issue certs, these are one-day Kerberos-based certs, for authentication only. Jim noted thatit's setting a "can be a CA" bit that is the issue. [AI] Keith will ask Bill Doster to send the TAG the canonical source on whether individuals need to be CAs in order to issue proxy certs.
Action Items
* [AI] Keith will send
TAG Guida's version of the
FBCA CP, along with the
draft higher-education CP;
TAG members will not circulate
the Guida FBCA CP draft
beyond TAG.
* [AI] All will send Jim
names of people who should
be included in a hardware-tokens
email poll.
* [AI] Jim will follow up
with Renee on smartcards
work.
* [AI] Jim will talk to
Judith about whether private-key-protectionmaterial
is available from CREN.
* [AI] Over the next week
or so, Jim (possibly asking
for help from others) will
draft a questionnaire asking
HEPKI schools about their
use of basic PKI stuff,
like SSL and PGP.
* [AI] Schools that already
have a description of their
PKI work written up should
send Jim a paragraph and
links.
* [AI] Keith will ask Bill
Doster to send the TAG the
canonical source on whether
individuals need to be CAs
in order to issue proxy
certs.