Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

January 16, 2002
Attendees

* Jim Jokl (chair) – Virginia
* Jeff Schiller – MIT/CREN
* Bob Brentrup – Dartmouth
* Punch Taylor – Dartmouth
* Michael Gettes – Georgetown
* Judith Boettcher – CREN
* Michelle Gildea – CREN
* Renee Frost – Michigan/Internet2
* Ellen Vaughan – Internet2
* Neal McBurnett – Internet2
* Eric Norman – Wisconsin
* Deb Crocker – Alabama
* Bob Morgan – Washington
* Bill Doster – Michigan
* Ben Chinowsky (scribe) – Internet2

Discussion

After approving the minutes of the January 2 meeting, TAG reviewed a few of its outstanding action items:

[2-January – Eric will look into possible SSH.com support for cert-based authentication.]

Still to do. Support for cert-based authentication exists only in the commercial version of the server; the group agreed to draft a letter to SSH.com, to be signed by as many representatives of higher education as possible, asking that support be added to the free version of both server and client. Jim noted that VanDyke now supports this in SecureCRT on the client side and SSH on the server side. Bob Morgan noted that there's not even a draft IETF standard for SSH authentication with X.509. [AI] Jim will find out what cert store the VanDyke and SSH.com clients use.

[2-January – Eric will help Annie and Carrie at Wisconsin go through the HEPKI demo and get certs installed in their browsers.]

Still to do.

[19-December – Eric will ask Scott Fullerton to test opaque signatures on the TAG list.]

Done. Testing has shown that Outlook and Outlook Express can't read opaque-signed messages, but Netscape and Eudora/Tumbleweed can. Eric summarized the testing so far by saying "the opaque signing thing isn't going to work very well."
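The structural reason behind the opaque-signing test result is easier to see on the wire. The following is an added example, not code from the minutes or from any project they name: it builds the two S/MIME signature layouts with Python's standard email package and shows what a mail client with no S/MIME support can still display. The signature bytes are a constructed placeholder, not real CMS SignedData, and the body text is a made-up sample.

```python
"""Added example: clear-signed (multipart/signed) versus opaque-signed
(application/pkcs7-mime) S/MIME layouts, built with the standard library.
The CMS blobs are constructed placeholders so the example runs offline."""
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

BODY = "Homework 3 attached. Please confirm receipt."   # constructed sample text


def fake_signed_data(content: bytes) -> bytes:
    """Stand-in for a CMS SignedData blob. Real opaque signing wraps the signed
    MIME entity inside the ASN.1 structure; this marker does the same at byte
    level so no signing key is needed here."""
    return b"FAKE-CMS-SIGNEDDATA:" + content


def fake_detached_signature() -> bytes:
    """Stand-in for a detached CMS signature (smime.p7s)."""
    return b"FAKE-CMS-DETACHED-SIGNATURE"


def clear_signed_message(text: str) -> MIMEMultipart:
    """multipart/signed: the text stays an ordinary text/plain part and the
    signature travels beside it as application/pkcs7-signature."""
    msg = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg="sha1")
    msg["Subject"] = "clear-signed"
    msg.attach(MIMEText(text))
    msg.attach(MIMEApplication(fake_detached_signature(), "pkcs7-signature", name="smime.p7s"))
    return msg


def opaque_signed_message(text: str) -> MIMEApplication:
    """application/pkcs7-mime with smime-type=signed-data: the whole signed
    entity is inside the CMS blob, so a client that cannot process S/MIME sees
    only a binary attachment."""
    inner = MIMEText(text).as_bytes()
    msg = MIMEApplication(fake_signed_data(inner), "pkcs7-mime",
                          **{"smime-type": "signed-data", "name": "smime.p7m"})
    msg["Subject"] = "opaque-signed"
    return msg


def body_visible_without_smime(raw: bytes):
    """What a client with no S/MIME support can show: the first text/plain part
    found while walking the parsed MIME tree, or None if there is none."""
    parsed = email.message_from_bytes(raw)
    for part in parsed.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode()
    return None


if __name__ == "__main__":
    print(body_visible_without_smime(clear_signed_message(BODY).as_bytes()))   # the homework text
    print(body_visible_without_smime(opaque_signed_message(BODY).as_bytes()))  # None
```

Run as a script, the clear-signed message yields the readable body and the opaque one yields nothing, which is exactly the asymmetry the testing reported: clear signing degrades to a plain message plus an attachment, opaque signing degrades to an attachment only.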

Much of the call was devoted to review of Jim's draft description of the PKI Lite S/MIME project (http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-smime.html). Jim has incorporated the group's comments into an updated version of the document at http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-smime_2.html. Some action items also came out of this discussion: [AI] Jim and Judith will add links to free cert-issuing web sites from the HEPKI and CREN sites respectively. [AI] Jim will find out how much the Tumbleweed plugin costs. [AI] Bob Morgan and Eric will try to find out if anyone is planning to add S/MIME to pine.

There was a short discussion of the "why not PGP?" issue; Bob Morgan pointed out that "there is precisely no technical distinction between PGP and S/MIME": the CA model associated with S/MIME is separable from it. Bob also observed that while PGP works fine for its current community, it's not going to grow much further; S/MIME has growth potential.

The group revisited its decision to recommend in the PKI Lite cert profile that no fields be marked critical; the RFCs say that basic constraints and key usage should be marked critical. Jim noted that TAG's intent was to avoid problems with software that doesn't deal well with critical fields; now that TAG has limited the software it will be dealing with, maybe it should follow the RFC recommendation. [AI] On the next call that David Wasley attends, TAG will reopen the question of which PKI Lite cert fields should be marked critical.
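The trade-off Jim describes comes down to one rule in the PKIX profile (RFC 2459 section 4.2 at the time, unchanged in RFC 5280): a relying party must reject a certificate if it meets a critical extension it does not recognize, while an unrecognized non-critical extension is simply ignored. The following is an added example, not code from the minutes or from the PKI Lite project: it hand-encodes an X.509 Extensions block in DER for both profile choices and runs it past two relying parties, one that implements both extensions and a hypothetical legacy client that knows only basicConstraints (not any client named in the minutes). All byte strings are constructed for the example.

```python
"""Added example: DER encoding/decoding of X.509 v3 Extensions, showing what
"marked critical" looks like on the wire and how the PKIX rule on unrecognized
critical extensions decides acceptance. Constructed data only."""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"


def _length(n: int) -> bytes:
    # DER length: short form below 128, else 0x80|count then big-endian count bytes
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128 with continuation bits
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_extension(oid: str, value: bytes, critical: bool) -> bytes:
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    # DER omits a BOOLEAN equal to its DEFAULT, so the flag is present only when TRUE.
    body = _encode_oid(oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, value)
    return _tlv(0x30, body)


def encode_extensions(exts) -> bytes:
    return _tlv(0x30, b"".join(encode_extension(*e) for e in exts))


def _read_tlv(data: bytes, pos: int):
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 128:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der: bytes):
    """Return [(oid, critical, value)] from a DER Extensions SEQUENCE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        t, oid_body, p = _read_tlv(ext, 0)
        oid = _decode_oid(oid_body)
        critical = False
        t, body, p = _read_tlv(ext, p)
        if t == 0x01:                    # optional critical BOOLEAN
            critical = body == b"\xff"
            t, body, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((oid, critical, body))
    return result


def relying_party_accepts(der: bytes, recognized):
    """PKIX rule: reject on any critical extension the relying party does not
    recognize; unrecognized non-critical extensions are ignored."""
    for oid, critical, _ in parse_extensions(der):
        if critical and oid not in recognized:
            return False, f"unrecognized critical extension {oid}"
    return True, "ok"


# Constructed end-entity values: empty basicConstraints (cA defaults to FALSE),
# keyUsage BIT STRING with digitalSignature and keyEncipherment set.
BASIC_CONSTRAINTS_EE = bytes([0x30, 0x00])
KEY_USAGE_SIG_ENC = bytes([0x03, 0x02, 0x05, 0xA0])

# TAG's earlier PKI Lite recommendation: nothing marked critical
PROFILE_NONCRITICAL = encode_extensions([
    (OID_BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_EE, False),
    (OID_KEY_USAGE, KEY_USAGE_SIG_ENC, False),
])
# The RFC recommendation: basicConstraints and keyUsage marked critical
PROFILE_CRITICAL = encode_extensions([
    (OID_BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_EE, True),
    (OID_KEY_USAGE, KEY_USAGE_SIG_ENC, True),
])

FULL_CLIENT = {OID_BASIC_CONSTRAINTS, OID_KEY_USAGE}
LEGACY_CLIENT = {OID_BASIC_CONSTRAINTS}   # hypothetical client that never implemented keyUsage

if __name__ == "__main__":
    for pname, profile in [("non-critical", PROFILE_NONCRITICAL), ("critical", PROFILE_CRITICAL)]:
        for cname, client in [("full", FULL_CLIENT), ("legacy", LEGACY_CLIENT)]:
            print(pname, cname, relying_party_accepts(profile, client))
```

The non-critical profile is accepted by both relying parties, and the critical profile is accepted only by the client that implements keyUsage; that is the compatibility cost the group's original recommendation avoided, and the reason the question only becomes safe to reopen once the set of supported software is known.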

Finally, Bill Doster discussed a part of the KX.509 project that uses a PKCS11 plugin to enable Netscape to access the user's cert store in the same way Internet Explorer does. See http://www.citi.umich.edu/projects/kerb_pki/.

Action Items

1. [AI] 16-January – Jim will find out what cert store the VanDyke and SSH.com clients use.
2. [AI] 16-January – Jim and Judith will add links to free cert-issuing web sites from the HEPKI and CREN sites respectively.
3. [AI] 16-January – Jim will find out how much the Tumbleweed plugin costs.
4. [AI] 16-January – Bob Morgan and Eric will try to find out if anyone is planning to add S/MIME to pine.
5. [AI] 16-January – On the next call that David Wasley attends, TAG will reopen the question of which PKI Lite cert fields should be marked critical.
6. [AI] 2-January – Ken will follow up with the people responsible for testing the fix proposed for the L-Soft signed messages problem.
7. [AI] 2-January – Eric will look into possible SSH.com support for cert-based authentication.
8. [AI] 2-January – Eric will help Annie and Carrie at Wisconsin go through the HEPKI demo and get certs installed in their browsers.
9. [AI] 19-December – Ken will ask HEPKI-PAG for input on where to seek legal review of the draft PKI Lite combined CP/CPS.
10. [AI] 19-December – Jim will check status of action items from November 7 and earlier via email.
11. [AI] 19-December – All will review David's "S/MIME needs..." email (Dec. 5, re-sent Dec. 19) for discussion on the next call.
12. [AI] 19-December – Judith will draft a scenario for using S/MIME for homework submission.
13. [AI] 19-December – Ken will draft a CFP for an experimental approach to deploying PKI Lite S/MIME.
14. [AI] 5-December – Eric will continue investigating listproc's performance with Eudora/Tumbleweed signed messages.
15. [AI] 5-December – Jim will get part of the PKI Lite site set up for test results.
16. [AI] 5-December – All will send Jim their institutional root certs for the root cert downloader and client authentication demo on pkidev.internet2.edu.
17. [AI] 5-December – Jeff will have lawyers at MIT review the legal language in the draft CPS template.
18. [AI] 5-December – Jeff will copyedit the draft CPS template and send the revised version to the list.
19. [AI] 5-December – Ed will read the SACRED requirements document; if this leads him to think that SACRED should be kept going, he will investigate further.
20. [AI] 5-December – Ed will find out more about Dartmouth's timesheet-signing application, for discussion on the next call.
21. [AI] 5-December – Keith will point Wisconsin's deputy CIO to the posted draft CPS template.
22. [AI] 5-December – Keith will try to interest one of his colleagues at Wisconsin in working with TAG on serial signatures.
23. [AI] 7-November – Ed will send the list information on products that use the IBM 4758.
24. [AI] 7-November – Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.
25. [AI] 24-October – All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.
26. [AI] 26-September – Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.
27. [AI] 26-September – Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.
28. [AI] 26-September – Jeff will look into getting user certs from MIT for the demo site.
29. [AI] 26-September – Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.
30. [AI] 29-August – Renee will look into what policies Internet2 is considering for software distributions.
31. [AI] 29-August – All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.
32. [AI] 1-August – Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
33. [AI] 6-June – All will send Jim links to information on their campus PKI work, for the TAG web site.