Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

September 13, 2000
Attendees

* Jim Jokl (chair) - Virginia
* Neal McBurnett - Avaya
* Bob Morgan - Washington
* Ariel Glenn - Columbia
* Deb Crocker - Alabama
* Jeff Schiller - MIT/CREN
* Judith Boettcher - CREN
* Patty Gaul - CREN
* Michael Gettes - Georgetown
* Ken Klingenstein - Colorado/Internet2
* Renee Frost - Michigan/Internet2
* Keith Hazelton - Wisconsin
* Eric Norman - Wisconsin
* David Wasley - UCOP
* Ben Chinowsky (scribe) - Internet2
* Others joined and left the call at various times.

Discussion

The meeting opened with announcements of upcoming events. A certificate profiles "triage" conference call will be held Friday, September 15; the aim is to understand differences in how cert fields are used, thus laying the foundations for consensus. The CREN pilot schools will meet from noon to 6:00 on Sunday, October 29 at the Internet2 Member Meeting. [AI] Michael will see if he can rearrange his schedule so as to be able to attend the CREN pilot schools meeting. Monday, October 30 will be "PKI day" at the Internet2 Member Meeting; sessions will include PKI 101 and reports from PAG and TAG. TAG members should expect to be recruited.

The group then discussed coordinating the work of TAG and PAG. PAG is focusing on understanding the differences among existing CPs and on deciding how to divide information between CPs and CPSes. PAG has reached a consensus that RFC 2527 offers a viable structure; RFC 2527 is already the basis for the Federal BCA and EuroPKI CPs. PAG has assembled a matrix of RFC 2527 topics and the corresponding language from the various CPs (available at http://www.ucop.edu/irc/projects/UCPKI/CPFv004_doc.pdf ; [AI] Ben will get the CPs matrix linked from the HEPKI site.) The purpose of this document is to aid in drafting a CP for higher education that will be consistent with the Federal BCA and with other communities such as EuroPKI and the Grid. The details of CPs have technical implications for such things as the use of directories to store keys and environmental and personnel controls for the protection of root certs. David estimated that about 10% of PAG's issues are not at all relevant to TAG, 60% are only marginally relevant, and 30% are very technical and thus highly relevant. TAG members should expect a presentation of this last 30% in a future call, along with recruitment of volunteers to investigate these issues in detail.

As a follow-up to the discussions at Snowmass, a Federal PKI meeting will be held starting on October 4 and possibly running through October 6. David will attend; his primary goal will be to get information needed to decide whether the creation of HEBCA is a good idea. Secondarily he will pursue issues around mapping to the Federal BCA.

There was a short review of the minutes from the previous meeting. Ben will incorporate the improvements Neal submitted via email; there were no other changes.

There was a long discussion of the workability of the approach set out in Michael's Higher Education Distributed Root Certificate Deployment (heDRCD) document. Jeff noted that the central idea of heDRCD -- leveraging the known-good certs already in the browser -- is a good one, but that Netscape and Microsoft will be very concerned about the possible liability issues this raises. How do you know that the person who signs a cert is really qualified to make that assertion? Which certs are trusted depends on the physical location of the relying party; a browser at wherever.com will trust certs issued from wherever.com, once the user responds affirmatively to an initial "do you want to trust" dialog. (There is also the option of having the browser "phone home".) One problem with this is that users may get very used to just saying yes, but it was agreed that the central issue is whether it is possible -- assuming that users can learn to answer the dialogs correctly -- to provide a very high degree of security against DNS spoofing. Such security is absolutely necessary, and may even be sufficient, for heDRCD to work. [AI] Jeff will reread heDRCD in the light of today's discussion.

Finally the group discussed Schlumberger's expressed interest in working with HEPKI; PKI pilot projects at Wisconsin and Georgetown were mentioned as possible areas for their involvement. [AI] Next week Michael, Jim and Ken will further discuss how to involve Schlumberger.

Action Items

* [AI] Michael will see if he can rearrange his schedule so as to be able to attend the CREN pilot schools meeting.
* [AI] Ben will get the CPs matrix linked from the HEPKI site.
* [AI] Jeff will reread heDRCD in the light of today's discussion.
* [AI] Next week Michael, Jim and Ken will further discuss how to involve Schlumberger.