Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

February 13, 2002

Attendees

* Jim Jokl (chair) - Virginia
* Neal McBurnett - Internet2
* Chris Misra - Massachusetts
* Bob Morgan - Washington
* Bill Doster - Michigan
* David Wasley - UCOP
* Bob Brentrup - Dartmouth
* Michael Gettes - Georgetown
* Judith Boettcher - CREN
* Michelle Gildea - CREN
* Renee Frost - Michigan/Internet2
* Jeff Schiller - MIT/CREN
* Ken Klingenstein - Colorado/Internet2
* Eric Norman - Wisconsin
* Deb Crocker - Alabama
* Ben Chinowsky (scribe) - Internet2

Discussion

No minutes were taken on the January 30 call; most of that call was devoted to reviewing and editing PKI Lite S/MIME documents. The group reviewed action items:

* [30-January - Jim will update the S/MIME Project requirements outline with the changes discussed on the call. http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-smime.html (Old versions: http://middleware.internet2.edu/hepki-tag/pki-lite/)] - Done.
* [30-January - Updates to the planned S/MIME clients table http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-smime-clients.html a) Jim to ask Ed if he will work on Netscape Messenger column b) Jim to ask Neal about Mozilla c) Michelle will look at Outlook 2000 d) Eric will look at Eudora with the Tumbleweed plugin] - In process; see below.
* [30-January - Jim to send out merged policy/practices document for review] - Still to do.
* [30-January - Does anyone have a pointer to who, if anyone, is presently selling the Eudora Tumbleweed plugin?] Jim suspects this may be dead code; [AI] Judith will check with Michelle on the status of the Tumbleweed plugin.
* [30-January - Jim will draft a strawman PKI-lite root certificate profile for discussion on the next call. http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-root-profile.html] - Done. Jim noted that this is for a campus CA; it doesn't match the CREN root cert profile because the CREN root is self-signed.
* [30-January - Follow-up discussion topics for next call a) Merged policy / practices statement review discussion http://middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices-current.html b) Critical flags in the PKI-lite profiles] - See below.
* [16-January - Jim will find out what cert store the VanDyke and SSH.com clients use.] VanDyke uses the Microsoft CryptoAPI cert store; Jim hasn't found out about SSH.com yet. [AI] Jim will find out what cert store the SSH.com client uses. Jim noted that on the Jan. 16 call TAG had agreed to draft a letter to SSH.com. [AI] Jim and Deb will draft a letter to SSH.com, to be signed by as many representatives of higher education as possible, asking that the support for cert-based authentication now present in their commercial version be added to both the server and the client in their free version. Bob Morgan noted that a spec for using X.509 for client authentication is now in last call in IETF.

Ken asked the group for its thoughts on the idea of including Shibboleth account management practices in the PKI Lite CP/CPS (http://middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices-current.htm). Bill Doster noted that recent experience with the KCA at Michigan suggests it would be better to keep these documents separate; he drew a parallel between the KCA and Shibboleth as "subordinate uses" of a larger infrastructure, and suggested including a reference to the CP/CPS in the Shibboleth document rather than combining the two. Bob Morgan agreed with this "call by reference" approach, but stressed that TAG should "make generic what we can". The group agreed to keep the documents separate for now. TAG agreed to ask the following individuals and groups to review the CP/CPS: Jeff Schiller; Carrie at Wisconsin; MACE; the FPKI TWG; a list of groups to be provided by Judith; contacts at the PKI Lite S/MIME pilot schools; HEPKI-PAG; and other groups to be contacted by PAG, in particular NACUA.

After agreeing to create separate end-entity and CA versions of the PKI Lite cert profile, the group discussed changes required for the CA version. Jim has incorporated these changes into the document; see http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-profile-2.html.

[AI] Eric will send out a URL for documentation of iPlanet's and Microsoft's recommendations about certificate extensions and criticality.

Jim called the group's attention to the newly-updated PKI Lite S/MIME requirements document at http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-smime.html.
[AI] All will review the updated PKI Lite S/MIME requirements document and send comments to the list. Jim expressed concern that the Phase 2 requirement for a campus CA could reduce participation, and Michelle noted that the CREN CA could issue "guest certs" to enable campuses without a CA to participate in Phase 2.

Finally, Jim asked for volunteers to help fill out the PKI Lite S/MIME email clients table. The resulting updated action item is: [AI] Updates to the planned S/MIME clients table http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-smime-clients-3.html

1. Jim will ask Ed if he will work on Netscape Messenger column
2. Neal will work on Mozilla, putting all the information in one column and noting any Unix/Windows differences
3. Michelle will look at Outlook 2000
4. Eric will look at Eudora/Tumbleweed, and suggest rows to add to the table
5. Jim will try to recruit further contributors to the table

Action Items

1. [AI] 13-February - Judith will check with Michelle on the status of the Tumbleweed plugin.
2. [AI] 13-February - Jim will find out what cert store the SSH.com client uses.
3. [AI] 13-February - Jim and Deb will draft a letter to SSH.com, to be signed by as many representatives of higher education as possible, asking that the support for cert-based authentication now present in their commercial version be added to both the server and the client in their free version.
4. [AI] 13-February - Eric will send out a URL for documentation of iPlanet's and Microsoft's recommendations about certificate extensions and criticality.
5. [AI] 13-February - All will review the updated PKI Lite S/MIME requirements document and send comments to the list.
6. [AI] 13-February - Updates to the planned S/MIME clients table http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-smime-clients-3.html
   a) Jim will ask Ed if he will work on Netscape Messenger column
   b) Neal will work on Mozilla, putting all the information in one column and noting any Unix/Windows differences
   c) Michelle will look at Outlook 2000
   d) Eric will look at Eudora/Tumbleweed, and suggest rows to add to the table
   e) Jim will try to recruit further contributors to the table
7. [AI] 30-January - Jim to send out merged policy/practices document for review
8. [AI] 16-January - Jim and Judith will add links to free cert-issuing web sites from the HEPKI and CREN sites respectively.
9. [AI] 16-January - Jim will find out how much the Tumbleweed plugin costs.
10. [AI] 16-January - Bob Morgan and Eric will try to find out if anyone is planning to add S/MIME to pine.
11. [AI] 16-January - On the next call that David Wasley attends, TAG will reopen the question of which PKI Lite cert fields should be marked critical.
12. [AI] 2-January - Ken will follow up with the people responsible for testing the fix proposed for the L-Soft signed messages problem.
13. [AI] 2-January - Eric will look into possible SSH.com support for cert-based authentication.
14. [AI] 2-January - Eric will help Annie and Carrie at Wisconsin go through the HEPKI demo and get certs installed in their browsers.
15. [AI] 19-December - Ken will ask HEPKI-PAG for input on where to seek legal review of the draft PKI Lite combined CP/CPS.
16. [AI] 19-December - Jim will check status of action items from November 7 and earlier via email.
17. [AI] 19-December - All will review David's "S/MIME needs..." email (Dec. 5, re-sent Dec. 19) for discussion on the next call.
18. [AI] 19-December - Judith will draft a scenario for using S/MIME for homework submission.
19. [AI] 19-December - Ken will draft a CFP for an experimental approach to deploying PKI Lite S/MIME.
20. [AI] 5-December - Eric will continue investigating listproc's performance with Eudora/Tumbleweed signed messages.
21. [AI] 5-December - Jim will get part of the PKI Lite site set up for test results.
22. [AI] 5-December - All will send Jim their institutional root certs for the root cert downloader and client authentication demo on pkidev.internet2.edu.
23. [AI] 5-December - Jeff will have lawyers at MIT review the legal language in the draft CPS template.
24. [AI] 5-December - Jeff will copyedit the draft CPS template and send the revised version to the list.
25. [AI] 5-December - Ed will read the SACRED requirements document; if this leads him to think that SACRED should be kept going, he will investigate further.
26. [AI] 5-December - Ed will find out more about Dartmouth's timesheet-signing application, for discussion on the next call.
27. [AI] 5-December - Keith will point Wisconsin's deputy CIO to the posted draft CPS template.
28. [AI] 5-December - Keith will try to interest one of his colleagues at Wisconsin in working with TAG on serial signatures.
29. [AI] 7-November - Ed will send the list information on products that use the IBM 4758.
30. [AI] 7-November - Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.
31. [AI] 24-October - All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.
32. [AI] 26-September - Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.
33. [AI] 26-September - Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.
34. [AI] 26-September - Jeff will look into getting user certs from MIT for the demo site.
35. [AI] 26-September - Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.
36. [AI] 29-August - Renee will look into what policies Internet2 is considering for software distributions.
37. [AI] 29-August - All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.
38. [AI] 1-August - Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
39. [AI] 6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.