August 14, 2002
* Jim Jokl, Virginia
* Eric Norman, Wisconsin
* Steve Worona, Educause
* Michael Gettes, Georgetown
* Judith Boettcher, CREN
* Bill Doster, Michigan
* Michelle Gildea, CREN
* Jeff Schiller, MIT
* Bob Morgan, Washington
* David Wasley, UCOP
* Jeanette Fielden, Internet2
* Neal McBurnett, Internet2
Action Item Update:
Jim did get one additional
volunteer from his request
to the list the list for
volunteers to document hardware
tokens. There is nothing
conclusive yet for where
we will get the environment
for testing bridge support
in Windows XP.
Snowmass PKI meeting update
The focus this year seemed to be more on implementation and success stories and the realization that there is no one killer application but lots of smaller applications that are starting to make a difference in a cost effective matter.
The state of Illinois has contracted for a million certificates, which they are going to give away for free to anyone within the state or who does business with the state for which Illinois wants that kind of authentication done. This should generate a great deal of information quickly about what does and does not work.
Michael presented a proposal to create a board of Investigation and Instantiation Development for the Higher Education Bridge and Certificate Authority (HEBCA). A board formulated as an advisory committee to Educause will be created and will consist of a mix of CIO's, technical people, lawyers, Educause staff and a flywheel. The primary deliverable will be to deliver an operational plan for the Higher Education Bridge within a year.
There was also a vendor group discussion at Snowmass to talk about why higher education is having such a hard time with PKI. One conclusion of the discussion is that if an off the shelf solution does not work higher education does implicitly recognize that it has an intellectual responsibility to say exactly why it doesn't work. Another factor that came to light is that universities typically have to support a more diverse environment than corporations, and currently solutions do not support a wide enough array of environments.
Jim would like to generate a document for issues with Outlook and Outlook Express for S/MIME like the document generated for issues with browsers. Identified issues for the document include:
1. Outlook has the generic
issue it won't let you just
put in a signing certificate.
2. There is no check box or functionality in Outlook or Outlook Express that will let you store your folders in an unencrypted form if you want it.
3. The only way to get Outlook to look at URL's is through system-wide patches rather than anything in the user interface.
4. Older versions, if you had a document that was signed with an expired certificate you could no longer verify the signature. Not clear if this is an issue in current version.
5. Outlook Express can create but can't read it's own opaque signed message. This may be more of a bug than a functionality issue.
6. A seamless integration of address books with other people's certificates is needed. Certificate information would be right there with other address information. Shouldn't be anything more involved for sending secure e-mail then there is for unsecure mail. And it should be able to configure it so it's invisible and automatic if desired.
The discussion then turned to browser issues and identifying areas of improvement for Internet Explorer. One suggestion is to take the list of issues and test each browser on each item. Judith provided a list of issues she has identified for Mac.
1. Ability to download,
import, export, and manage
root certificates (Note:
IE does accommodate the
ability to download a root
cert into the browser, but
there is no way to choose
a name for it.)
2. Ability to download, import, export, and manage client certificates
3. Ability to name certificates in user-friendly and defined ways
4. Delete the ability /decision for users to have their password remembered ability to manage a set of 20 personal client certificates for oneself
5. Ability to manage many client's public keys for family, friends and colleagues
Another issue discussed regards the challenges of managing a kiosk environment. In public environments where you don't actually log in, the windows environment is up and running: you plug in your smart chip device, and click on a URL to go some controlled resource. Example: There are generic hospital accounts that are up and running, you want plug in a device and the certificate on device determines their access. The desire is to avoid having people do two steps, login in to NT environment and then having to unlock their USB dongle. It is also desirable terminate the service that depended on that certificate when the USB dongle is removed.
If anyone has additional issues for the document, please forward them to David.
There is a potential opportunity for someone to work on an S/MIME plug-in for Eudora. Some issues are:
1. the certificate store
should be the same one already
on the machine.
2. Such a plug-in should make use of the operating system services if they exist.
3. Support of both dual key, single key and the ability to sign and encrypt separately.
4. Co-ordinate with local phone book if the book is extensible and compatible.
5. The ability to designate if local sent mail can be stored as either encrypted or unencrypted.
6. Ability to store other users certificates in the main address book.
Specific issues for the work description are welcome.
The next call is August 28, 2002.