Technical Activities Group Meeting Minutes
HEPKI-Tag Conference Call

December 18, 2002
Attendees

* Jim Jokl, Virginia
* Jeff Schiller, MIT
* Scott Cantor, OSU
* Judith Boettcher, CREN
* Erin Norman, Wisconsin
* Bob Morgan, Washington
* Renee Frost, Internet2
* Neal McBurnett, Internet2
* Steve Olshansky, Internet2
* Jeanette Fielden, Internet2

Discussion

The Outlook/Outlook Express document will be considered finished if Jim receives no changes by December 24th.

Jim talked to the Grid people at UVA about the change they had requested in the PKI-lite profile. It was not a generic change to make Globus work but a change for local work. So we will not be pursuing the change.

CREN CA: Neal. A couple of web site certs were issued to Wellesley, but enough users had problems downloading them that they did not proceed. There are a total of 18 institutions/departments that got certs and a total of 40 that expressed interest or started the process. Some of the 18 issued are not actively in use. The question then is what the level of interest and demand is, and whether the CA is the best way to satisfy it or whether there is a better way, perhaps through Club Shib. The extent of interest is not clear in light of the reassessments currently occurring.

Jeff pointed out the need to make the service available to the broadest possible audience. Having to join CREN might have been a barrier, and having to join Club Shib could be a similar barrier. There's a need for a CA function someplace and someone who will host the continuing service. MIT can continue what it's been doing for the moment. If the volume increased dramatically some provisions would need to be made. The biggest issue with getting the technology deployed has been education and motivation. In the authentication space right now there is user name and password and then there is a huge gulf in cost and understanding for anything else. Certificates as a better venue are a difficult sell. They are a security improvement but it's hard to see because it's a "bad things that don't happen" improvement. The benefit tends to be "invisible" while the costs are highly visible.
If Internet2 were to offer a service to be labeled in common, the question is: Would it extend its services to include the certificate service that CREN was providing and offer the ability to get a certificate without having to install all of Shibboleth?

The CREN CA didn't require institutions to say much about how they issue certificates to their users. It just says that the institutional cert was given to the correct person at the institution. How institutions behave is up to the institutions. If we told institutions that they could not have an institutional certificate unless they were willing to publish a definition of their user community, many institutions couldn't comply because there are too many different definitions. Part of what we would be doing is the INA process to identify the institution, which is fine; burdens beyond that are the difficulty.

Judith: Institutions applying over the last couple of months were requesting assistance with review of the policy that they developed based on the PKI template, and the one area where the template is somewhat silent is the specific strategy on how campuses should protect their private key. We might want to provide more detail in that area since it's important.

Jim: Not as clear anymore what the correct answer to that is.

Eric: Should CREN really address that?

Jeff: The only thing the CA should say is this institutional certificate was issued to an appropriate representative of the institution.

Eric: Agree.

Jeff: User questions, what kind of user, are not properly answered by the certificate but by an authorization system that goes with it. How an institution protects its keys is its business. They can choose to share it, but it's not a public document.

Jim: More an issue that you can couple the INA process and signing a campus cert.

Club Shibboleth could, at our discretion, choose to accept that trust infrastructure for the purpose of doing Shibboleth exchanges.

The discussion then turned to the Unknown CA box in browsers. Management at schools has been resisting running CAs because of this box popping up during root cert downloads. Education is needed, such as a management-level document to convince school administrations to adopt this. Jeff is also working on a new way to do a root installation for IE that makes more use of the ActiveX control.

Or each institution can become its own CA and we cross-certify. Maybe the Educause higher education bridge, instead of being a bridge of CAs, becomes a bridge where each CA is an institution. The answer may be going with cross-certification until it becomes too cumbersome, and that might create the motivation for creating an organization to sign those certificates to avoid cross-certifying with a large number of organizations.

Another idea discussed was that there could be at least one higher education CA. A sponsoring organization could be selected and the name decided. Then everything should transition to that new name, which would exist in perpetuity and doesn't change. Then we could go to Microsoft and ask that the root be added, so there is at least one certificate that can be used. Mozilla and Netscape would likely agree to do so as well. The alternative without a higher education CA would be to use an existing service such as VeriSign. Jeff expressed his willingness to play a role in creating a description for such an organization.

It was agreed that there is a strong need to understand the issues and identify any barriers around why the adoption of the CREN cert was so slow.

Jim asked for additional topics for the Eudora/S/MIME plug-in document. Support for separate signing and encryption keys with separate signing and encryption buttons is important. Add a note on bridge path processing to number 4. Please review the document Jim mailed out and e-mail comments/suggestions to him.

XP bridge testing: Eric is looking at how to proceed and is considering OpenSSL. There was a question about the need to be FIPS 140 certified. After discussion the group agreed that they did not have detailed information about why the certification was needed and what it would accomplish. Eric will move forward with using OpenSSL.

The next call will be January 15, 2003.