July 16, 2003
Attendees
* Jeff Schiller, MIT
* Jim Jokl, U. Virginia
* Mark Franklin, Dartmouth
* Bob Brentrup, Dartmouth
* Eric Norman, U. Wisconsin
* John Douglass, Georgia Tech
* Barry Ribbeck, UT-HSCH
* Shelly Henderson, USC
* David Wasley, UCOP
* Nathan Faut, Educause
* Renee Frost, Internet2
* Neal McBurnett, Internet2
* Jeanette Fielden, Internet2
* Steve Olshansky, Internet2
Discussion
There is concern that requiring FIPS certification would be a burden on schools, since there is no open source solution that is FIPS certified. The issue stems from the fact that current federal policy requires FIPS certification for anything above rudimentary assurance if the higher education bridge is to cross-certify with the federal bridge. If a FIPS-certified crypto module is only one piece of your CA, it is not clear whether that meets the requirements of the federal policy; if it does, there are several easy solutions. There is also an effort to get OpenSSL certified at level 1, but there is no information on where that effort stands.
The federal bridge CA policy document seems to indicate that the cryptographic module has to meet FIPS 140 level 1, 2, or 3. Section 6 states that for anything at basic assurance or higher, software has to be produced under some documented methodology; it does not mention or specify FIPS. So the requirements are not entirely clear.
Draft Certificate Profile
Reviews:
The In-Common Root CA Certificate Profile: http://middleware.internet2.edu/hepki-tag/tmp/in-common-root.html
Things like the validity period will depend on the hardware chosen. The validity period is the period during which the signature can still be checked, for example up to 10 years. As a matter of practice, and perhaps even policy, the key is not used to sign anything after five years: you generate a new key, and the old authority certificates remain good for another five years. There was general agreement that this key is not going to sign a high volume of certificates and that a 2048-bit key should be adequate for 10 years. A footnote saying to reissue the certificate at half the validity period will be added.
The In-Common EE (server) Certificate Profile: http://middleware.internet2.edu/hepki-tag/tmp/in-common-ee.html
The validity period will be three years. There will be an overall 10-year period of existence, with a re-key after five years. Since certificates issued just before the re-key still run their full three years, this leaves a two-year transition period and avoids large numbers of people having to transition in a short time.
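As an added worked example (not part of the minutes or of the In-Common profiles), the following Python script, written against the pyca `cryptography` library, encodes the schedule discussed for the root and EE profiles above: a 2048-bit root valid for 10 years, a signing cutoff at five years, three-year server certificates that must not outlive the root, and the resulting two-year transition window. The CA and host names, the SHA-256 signature algorithm, the 365-day year and the helper function names are assumptions made for illustration.

```python
# Added example, not code from the minutes or the In-Common profiles.
# Assumptions: 365-day years, SHA-256 signatures, and the names below.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

YEAR = datetime.timedelta(days=365)      # assumption: 365-day year
ROOT_VALIDITY = 10 * YEAR                # root certificate lifetime (draft profile)
ROOT_SIGNING_CUTOFF = 5 * YEAR           # stop signing under this key at half its life
EE_VALIDITY = 3 * YEAR                   # server (EE) certificate lifetime
MIN_CA_KEY_BITS = 2048                   # agreed adequate for the 10-year root


class PolicyViolation(Exception):
    """Raised when an issuance request breaks the profile's schedule."""


def make_root(common_name, not_before):
    """Self-signed 2048-bit RSA root with the draft profile's 10-year validity.
    The common name and the SHA-256 signature algorithm are assumptions."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + ROOT_VALIDITY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def can_issue(root_cert, issue_time):
    """True if the root may still sign at issue_time: the five-year cutoff has
    not passed, and a three-year EE cert issued now would not outlive the root."""
    start = root_cert.not_valid_before
    end = root_cert.not_valid_after
    past_cutoff = issue_time > start + ROOT_SIGNING_CUTOFF
    outlives_root = issue_time + EE_VALIDITY > end
    return not (past_cutoff or outlives_root)


def issue_server_cert(root_key, root_cert, hostname, issue_time):
    """Issue a three-year server certificate, enforcing the schedule first."""
    if not can_issue(root_cert, issue_time):
        raise PolicyViolation("root past signing cutoff, or EE would outlive the root")
    ee_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(root_cert.subject)
        .public_key(ee_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(issue_time)
        .not_valid_after(issue_time + EE_VALIDITY)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(root_key, hashes.SHA256())
    )
    return ee_key, cert


def check_chain(ee_cert, root_cert):
    """Return a list of problems; an empty list means the pair is consistent
    with the profile (signature, CA key size, validity nesting)."""
    problems = []
    try:
        root_cert.public_key().verify(
            ee_cert.signature, ee_cert.tbs_certificate_bytes,
            padding.PKCS1v15(), ee_cert.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("EE signature does not verify under the root key")
    if root_cert.public_key().key_size < MIN_CA_KEY_BITS:
        problems.append("root key smaller than %d bits" % MIN_CA_KEY_BITS)
    if ee_cert.not_valid_before < root_cert.not_valid_before:
        problems.append("EE valid before the root")
    if ee_cert.not_valid_after > root_cert.not_valid_after:
        problems.append("EE outlives the root")
    return problems


def transition_window(root_cert):
    """Gap between expiry of the last EE cert signed at the cutoff and the
    root's own expiry: 10 - (5 + 3) = 2 years under the draft profile."""
    last_ee_expiry = root_cert.not_valid_before + ROOT_SIGNING_CUTOFF + EE_VALIDITY
    return root_cert.not_valid_after - last_ee_expiry


if __name__ == "__main__":
    t0 = datetime.datetime(2003, 7, 16)
    root_key, root = make_root("Example Root CA", t0)          # name is an assumption
    _, ee = issue_server_cert(root_key, root, "www.example.edu", t0 + 4 * YEAR)
    print("problems:", check_chain(ee, root))
    print("transition window (days):", transition_window(root).days)
    print("may issue at year 6:", can_issue(root, t0 + 6 * YEAR))
```

The refusal in `can_issue` is the operational half of the "not used to sign anything after five years" rule; the nesting check in `check_chain` is what a relying party can verify after the fact, since it sees only the certificates, not the CA's practice.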
How much effort we want to go through to prevent collisions in the namespace is a question to resolve as work progresses.
The USHER Root CA profile: http://middleware.internet2.edu/hepki-tag/tmp/hepkiCA-root-profile-4.html
Should the USHER CP be based on C4 (Citizen and Commerce Certificate Policy), medium, or something else? If people are aware of critical-path issues in this regard, please let Neal know. It is unknown where the notion that the NSF asks for medium comes from.
[AI] Neal will resend the information on the differences between C4, PKI-lite, and medium.
Nathan's understanding is that C4 will not cross-certify with the federal bridge. A six-month access with C4 will be granted to give time to certify to basic or medium. Neal indicated that he had heard that as well, but in the policy there is an OID for provisional and an OID for C4 itself, which is not consistent. Neal will see if he can get clarification on this.
[AI] Nathan will forward contacts at C4 to Neal.
There was general agreement that USHER should ultimately try to run at the medium level. One possibility would be to start at basic to buy time, and then re-key and upgrade in a couple of years.
[AI] Neal will research associated costs.
Auditing: There is a need for information on what will be required for audits. The CPS might be proprietary and secret, seen only by the audit department, so you are asking external bodies to trust that the audit department has done its work. There is a national group of auditors that would be worthwhile to talk to, to see whether they are working on any of these kinds of issues.
[AI] Barry will see what information he can find on auditing at his institution and contacts to the national group.
Next call is Wednesday July 30th, 2003.