Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

March 13, 2002

Attendees

* Jim Jokl (chair) - Virginia
* Judith Boettcher - CREN
* John Douglass - Georgia Tech
* Bill Doster - Michigan
* Renee Frost - Michigan/Internet2
* Neal McBurnett - Internet2
* David Wasley - UCOP
* Steve Worona - EDUCAUSE
* Bob Morgan - Washington
* Eric Norman - Wisconsin
* Chris Misra - Massachusetts
* Ben Chinowsky (scribe) - Internet2

Discussion

The minutes of the previous meeting were corrected and approved.
The group reviewed action items:

* [27-February - Jim will work with MACE to find more reviewers for the PKI Lite CP/CPS.] In process. [AI] Judith will use Jim's short introduction to the PKI Lite CP/CPS to seek review of the document on the CREN CA list.
* [27-February - Bill and Ken will pursue getting Michigan's KCA documentation into NMI Release 1.0.] In process.
* [27-February - All who can help test the KX.509 client on Solaris will contact Bill or Ken.] Bill noted that he hasn't gotten any volunteers yet.
* [27-February - Jim will a) incorporate some of David's suggested changes to the PKI Lite cert profiles; b) in the end-entity profile, add a little more explanation of why 512-bit keys are sometimes permissible; and c) in 1.a.3 and 1.b.3 of the Experiment Requirements document, clarify what's meant by "based on".] - Done.
* [13-February - Judith will check with Michelle on the status of the Tumbleweed plugin.] Michelle is looking for more information on Tumbleweed.
* [13-February - Jim will find out what cert store the SSH.com client uses.] - Still to do.
* [13-February - Jim and Deb will draft a letter to SSH.com, to be signed by as many representatives of higher education as possible, asking that the support for cert-based authentication now present in their commercial version be added to both the server and the client in their free version.] - Still to do.
* [13-February - All will review the updated PKI Lite S/MIME requirements document and send comments to the list.] - Still to do.
* [13-February - Updates to the planned S/MIME clients table (http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-smime-clients-3.html)

1. Jim will ask Ed if he will work on Netscape Messenger column
2. Neal will work on Mozilla, putting all the information in one column and noting any Unix/Windows differences
3. Michelle will look at Outlook 2000
4. Eric will look at Eudora/Tumbleweed
5. Jim will try to recruit further contributors to the table] - In process.

Jim noted that the list of action items has been greatly pruned since the last call, and asked everyone to compare the new list with the old to see if any of the items that were pruned should not have been.

David noted that the draft new PKIX cert profile
(http://www.ietf.org/internet-drafts/draft-ietf-pkix-new-part1-12.txt) offers an algorithm for certification path validation. Currently, a client submitting a cert to be used by a relying party must supply all the certs along the path in order for the path to be verified. In addition to being cumbersome, this doesn't work at all when there are cross-certifications or bridges, in which case complex heuristics are required. The proposed new method uses the AuthorityInformationAccess field, which is already present in X.509v4. As this is a multivalued field (each entry consists of a value plus an OID that describes it), its previously-defined uses are not a problem, and in any case the field has seen little use so far. Section 6 of the draft describes the proposed cert path validation process in great detail. David suggested that TAG might be in a good position to lead the way in implementation of this method.
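
Added illustration (not part of the minutes and not taken from the PKIX draft): a toy sketch of how a relying party could follow the caIssuers entries in AuthorityInformationAccess to discover a path itself, including through a cross-certificate, instead of requiring the client to supply every cert. The certificates, names, URLs and the `build_path` helper are constructed for this example, and no signature or validity checking is performed.

```python
# Added illustration: toy certificates only, no signature or validity checks.
from dataclasses import dataclass

CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers access method
OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp access method

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia: tuple = ()  # multivalued: (access-method OID, location) pairs

# Constructed repository: what each caIssuers location would return.
# "Campus CA" is issued by its own root and also cross-certified by a bridge.
REPO = {
    "http://campus.example/ca.p7c": [
        Cert("Campus CA", "Campus Root", ((CA_ISSUERS, "http://campus.example/root.p7c"),)),
        Cert("Campus CA", "Bridge CA", ((CA_ISSUERS, "http://bridge.example/ca.p7c"),)),
    ],
    "http://bridge.example/ca.p7c": [
        Cert("Bridge CA", "Partner Root"),
        Cert("Bridge CA", "Campus CA", ((CA_ISSUERS, "http://campus.example/ca.p7c"),)),
    ],
    "http://campus.example/root.p7c": [Cert("Campus Root", "Campus Root")],
}

def build_path(cert, anchors, fetch=REPO.get, seen=(), max_depth=8):
    """Return certs from `cert` up to one issued by a trust anchor, or None."""
    if cert.issuer in anchors:
        return [cert]
    if cert in seen or len(seen) >= max_depth:
        return None  # cross-certificates can form loops; stop instead of cycling
    for oid, location in cert.aia:
        if oid != CA_ISSUERS:
            continue  # other AIA uses (e.g. OCSP) share the field but are ignored here
        for candidate in fetch(location) or []:
            if candidate.subject != cert.issuer:
                continue
            rest = build_path(candidate, anchors, fetch, seen + (cert,), max_depth)
            if rest:
                return [cert] + rest
    return None

# Constructed end-entity cert carrying both an OCSP and a caIssuers entry.
ALICE = Cert("alice@campus.example", "Campus CA",
             ((OCSP, "http://ocsp.campus.example"),
              (CA_ISSUERS, "http://campus.example/ca.p7c")))
```

A relying party that trusts only "Partner Root" reaches ALICE through the bridge cross-certificate, while one that trusts "Campus Root" gets the two-cert path; a real implementation would verify signatures, validity and constraints on every candidate.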

John Douglass introduced Papyrus, an open-source CA project he's leading. Papyrus was designed with simplicity and ease of use in mind, and more particularly as an alternative to the complexity of OpenCA; it's based on OpenSSL and written in PHP. So far the Papyrus group has tested with self-signed certs and Microsoft and Netscape browsers; they have learned that, for these browsers at least, "reality is a lot different from theory."
[AI] John will send out URLs for more information on Papyrus.

CREN has set up a Papyrus CA for testing at http://ca.cren.net; [AI] all will test the CREN Papyrus CA. [AI] David will test the CREN Papyrus CA using a Mac. Feedback should go to john.douglass@oit.gatech.edu. John is particularly interested in getting help from people who have a good understanding of Javascript and VBscript. John noted that, due to the legal issues around secure email, he thinks that smaller colleges are mainly going to be concerned with using certs for web authentication rather than S/MIME.

Steve noted that he's still trying to get an answer to his request for a FERPA clarification from the Department of Education. The FERPA office appears to be in turmoil over the recent Supreme Court ruling on peer grading [http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=US&vol=000&invol=00-1073 ]. Another FERPA-related Supreme Court case is in the works [http://www.nsba.org/cosa/lawlibrary/whatsnew/gonzaga.htm].

Motivated by the relative ease of deployment of PGP, the PKI Labs group has been discussing S/MIME client support for the use of self-signed certs, and would like to find out more about making use of these capabilities. Neal asked TAG for its thoughts on including this in the S/MIME pilot. Bob defined the issue as whether or not a client allows the user to "establish trust in just one key, without establishing trust in the issuer" -- for example, trusting Neal's Black Helicopter cert, because Neal has read Bob his thumbprint over the phone, without thereby trusting all Black Helicopter certs. [AI] Jim will add a row for self-signed cert capabilities to the S/MIME clients table. No consensus was reached on including self-signed certs in the S/MIME pilot.

Finally, Jim reviewed the last round of changes to the PKI Lite and S/MIME pilot documents; he noted that he's leaving old versions on the site for comparison. Bill Doster noted that the 13-month cert lifetime limitation could present a problem for "heavier-duty" CAs. [AI] In the S/MIME requirements document, Jim will a) add a note explaining when it's OK to violate the 13-month maximum cert lifetime specified in the PKI Lite cert profile, and b) in the "Supported E-Mail Clients" section, separate Mozilla and Netscape, remove their version numbers, and add "(Windows, Unix, and Macintosh)" to each. In the clients table, it was agreed to keep the current one-column-per-client format; if per-platform differences are discovered, per-platform columns will be added later.

Action Items

1. [AI] 13-March - Judith will use Jim's short introduction to the PKI Lite CP/CPS to seek review of the document on the CREN CA list.
2. [AI] 13-March - John will send out URLs for more information on Papyrus.
3. [AI] 13-March - All will test the CREN Papyrus CA.
4. [AI] 13-March - David will test the CREN Papyrus CA using a Mac.
5. [AI] 13-March - Jim will add a row for self-signed cert capabilities to the S/MIME clients table.
6. [AI] 13-March - In the S/MIME requirements document, Jim will a) add a note explaining when it's OK to violate the 13-month maximum cert lifetime specified in the PKI Lite cert profile, and b) in the "Supported E-Mail Clients" section, separate Mozilla and Netscape, remove their version numbers, and add "(Windows, Unix, and Macintosh)" to each.
7. [AI] 27-February - Jim will work with MACE to find more reviewers for the PKI Lite CP/CPS.
8. [AI] 27-February - Bill and Ken will pursue getting Michigan's KCA documentation into NMI Release 1.0.
9. [AI] 27-February - All who can help test the KX.509 client on Solaris will contact Bill or Ken.
10. [AI] 13-February - Judith will check with Michelle on the status of the Tumbleweed plugin.
11. [AI] 13-February - Jim will find out what cert store the SSH.com client uses.
12. [AI] 13-February - Jim and Deb will draft a letter to SSH.com, to be signed by as many representatives of higher education as possible, asking that the support for cert-based authentication now present in their commercial version be added to both the server and the client in their free version.
13. [AI] 13-February - All will review the updated PKI Lite S/MIME requirements document and send comments to the list.
14. [AI] 13-February - Updates to the planned S/MIME clients table (http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-smime-clients-3.html)
    a) Jim will ask Ed if he will work on Netscape Messenger column
    b) Neal will work on Mozilla, putting all the information in one column and noting any Unix/Windows differences
    c) Michelle will look at Outlook 2000
    d) Eric will look at Eudora/Tumbleweed
    e) Jim will try to recruit further contributors to the table
15. [AI] 16-January - Bob Morgan and Eric will try to find out if anyone is planning to add S/MIME to pine.
16. [AI] 2-January - Ken will follow up with the people responsible for testing the fix proposed for the L-Soft signed messages problem.
17. [AI] 19-December - Judith will draft a scenario for using S/MIME for homework submission.
18. [AI] 5-December - Jeff will have lawyers at MIT review the legal language in the draft CPS template.
19. [AI] 5-December - Ed will find out more about Dartmouth's timesheet-signing application, for discussion on the next call.
20. [AI] 5-December - Keith will point Wisconsin's deputy CIO to the posted draft CPS template.
21. [AI] 10-September - Eric will a) investigate and document a problem that Ed has encountered with using PKIUser objects to get certs from LDAP directories (what the user sees in the retrieved cert is only a fingerprint, not cert details), and b) send the list information on his experience with cert retrieval using Internet Explorer.