HEPKI-TAG call
April 19, 2006
*Action Items* (new)
[AI] David
will follow up on SAFE's open-source signing work. (from previous
calls)
[AI] All will send URLs for CA software (open-source
or not) to TAG. }
[AI] Jim and David will draft requirements
for the packaged-CA project, and start looking at available
CA software in the light of those requirements.
[AI] Eric will
let TAG know when Ron DiNapoli's work on Aladdin eTokens on
Macintosh is available for the group to look at.
[AI] All will
look at http://www.gridpma.org for materials for the CA Audit
project to point to or extract from.
[AI] Bob will send out
pointers on UW's experience with the Federal Credential Assessment
Framework (CAF).
[AI] All who can test the Eudora S/MIME plugin,
or find others to do so, will contact Jim.
[AI] Jim will expand
the signing-tools matrix with columns on APIs and scripting
tools; multiple signatures (parallel vs. stacked); and whether
or not the tool lets you add a trust anchor.
[AI] All who have
time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.
[AI] Jim will continue looking at PKI Lite
cert profiles for Rice's code-signing application.
[AI] Eric
will call Mozilla's attention to the fact that they don't support
the standards needed to recognize trust anchors on tokens,
and nudge them to do something about it.
[AI] Eric will continue
seeking feedback on his Top 10 lists, especially from HCISec.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark
will ask Jed Dobson for more information on OSG.
[AI] David
will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.
[AI] Neal will
continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat
transcript-signing work at U. of Chicago.
[AI] Jim will draft
a discussion of the pros and cons of hierarchical and flat
campus PKIs for discussion on a future call. [AI] All will
send Jim further suggestions for TAG projects.
[AI] Jim will
send mail to people who have expressed interest in various
possible areas of work for TAG, and work toward finding a focus
for the group.
*Attendees*
Jim Jokl (chair) - Virginia
Jeff
Schiller - MIT
Scott Cantor - OSU
David Wasley - independent
Scott Rea - Dartmouth
Nathan Faut - KPMG
Eric Norman - Wisconsin
Neal McBurnett - Internet2
Bob Morgan - Washington
Renee Frost
- Michigan/Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
The group reviewed the April 4-6 PKI R&D Workshop. Preliminary
proceedings are at http://middleware.internet2.edu/pki06/proceedings/ .
- Angela Sasse's keynote was well-received. She addressed
many of the same issues as Alma Whitten did at PKI03, but with
less optimism about the prospects of getting users to understand
PKI concepts, and therefore more focus on automation. In this
connection Eric noted Phillip Hallam-Baker's definition of
the difference between training and education: limiting users'
choices vs. teaching them what they need to know to make good
choices.
- Scott Rea noted that Certicom has patented methods
for getting to a set of elliptic curves quickly, but you can
still use elliptic-curve crypto without these. Jeff observed
that while this is true, it's hard to get anything more secure
than you could without using ECC, if you don't use Certicom's
methods.
- Eric noted that the three main browser vendors (Microsoft,
Apple, Mozilla) were all represented at the workshop.
- David
talked to someone from SAFE (http://www.safe-biopharma.org/);
they are working on an open-source signing package. TAG involvement
is a possibility. [AI] David will follow up on SAFE's open-source
signing work.
- Neal noted that PKI07 will focus on applications.
OpenSSL FIPS 140-2 validation is now final; see http://oss-institute.org/OpenSSL/Linux_World_release_040406.pdf . Scott Cantor pointed out that the lack of shared library support pretty much rules out using this for Shibboleth without some significant technical effort by deployers. Apache/mod_ssl builds use a shared openssl; to use the FIPS-certified static library you'd probably have to rebuild mod_ssl itself, being extremely careful to avoid duplicate symbols between Apache and mod_shib. Scott thinks it's unlikely that anyone is going to be willing to put up with the hassles involved.
Jim noted that the USHER PA is considering what the certificate validity period should be, given the uncertainty about the remaining useful lifetime of 2K keys. David pointed the group to NIST SP 800-78 for the details (see http://csrc.nist.gov/publications/nistpubs/); this document recommends not issuing new certs using SHA-1 after 2010. Neal noted that NIST is almost certainly going to organize a new hash-function competition.
Scott Rea noted that while there will be no PKI Deployment Summit at Dartmouth this year, some similar material will be included at Snowmass. See http://www.educause.edu/sa06/ .