Technical Activities Group Meeting Minutes
HEPKI-TAG Call

May 19, 2004
Attendees

* Jim Jokl, U. Virginia
* Scott Cantor, OSU
* Eric Norman, U. Wisconsin
* Shelley Henderson, USC
* Jeff Schiller, MIT
* David Wasley, UCOP
* Bob Morgan, U. Washington
* Nathan Faut, EDUCAUSE
* Nick Lewis, Internet2
* Jeanette Fielden, Internet2
* Neal McBurnett, Internet2
* Steve Olshansky, Internet2

Discussion

InCommon is the legal name of the federation. References should be to "InCommon" and not "the InCommon federation". Since InCommon is an LLC with Internet2 as its only member, those who join InCommon should be referred to as participants of InCommon, not members.

The root certificate for InCommon is in the trust file on the website for Shibboleth.
[AI] Jim will decode the root certificate for InCommon and put it in the HEPKI repository.
Changing 1.6 in the PKI-Lite policy

As discussed on the previous call, the policy now says the PKI-Lite framework is designed for operation by a central campus group and should not issue authority certs to departmental CAs.

Jeff proposed the sentence should read: “If an institution issues a CA Certificate to a subordinate organization, as an academic or administrative department, that CA should operate under the same CPS as the institution or should use a different policy OID in their end-user certificates.”

Jim indicated that if there are schools that want to be able to enable department CAs and make them part of the hierarchy, the first part of what Jeff said is perfect. The department is bound to run the CA. As a compromise for the second part, the only time a central organization can issue an authority cert to a department is if the department is willing to run the cert at the same level as the central organization.
[AI] Jim will draft another revision to 1.6 of the PKI-Lite policy and send it out to the list for review.
Application/x-octet-stream for X.509 MIME type

Jim has changed the document to put the DNS name in the subject alt name and changed the download MIME type to application/x-octet-stream. He has not had a chance to test it yet.

The S/MIME clients table has been updated to include Eric’s testing of Pine.

Eudora lacks S/MIME support currently. Qualcomm just finished a release of Eudora and Jim believes it is a good time to lobby them for S/MIME support.
[AI] Jim will draft a letter to Qualcomm to include S/MIME in Eudora.
Top 10 things people need to know about PKI list

The concept is this: while you don’t have to understand concrete and bridge building to drive on the freeway, you are expected to understand the street signs. So while you may not expect someone to understand the infrastructure behind PKI, there are types of information regarding PKI use in applications that users need to know how to interpret and use.

Items suggested include:

* How to protect the private key
* How to import/export certificates
* How to install a trusted root
* The hazards and benefits of encrypted e-mail
* What it means to digitally sign your e-mail.
* Revocation and what to do if you think your machine has been compromised.
* Users should understand that there is something called encryption that allows you to send a message to someone else in the world, that only that person can read.
* They should understand how to install a trusted root for e-mail and how to use it.
* They should understand what the padlock icon on a browser means and how to use it to verify whom they are communicating with. Make sure they are sending data over an encrypted connection.

[AI] Eric will compile suggestions for the top 10 things to know about PKI list and resend for review.

Peter Gutmann talked about a better approach to PKI, called PKIX certstore, at the PKI workshop. It includes some useful techniques for discovering information about certificates in a lighter-weight fashion.
[AI] Neal will forward the URL for the PKIX certstore information to the list.
Action Items

1. [AI] Jim will decode the root certificate for InCommon and put it in the HEPKI repository.
2. [AI] Jim will draft another revision to 1.6 of the PKI-Lite policy and send it out to the list for review.
3. [AI] Nathan will send the presentation from the Aerospace bridge discussion to Jim, who will put it on the HEPKI-TAG site.
4. [AI] Bob Morgan will write up for the list the success of accessing an LDAP directory with two different names in subject alt name. Different clients were able to accept the cert regardless of which name they had asked the service for.
5. [AI] Jim will draft a letter to Qualcomm to include S/MIME support in Eudora.
6. [AI] All: Please review the InCommon CA documents and provide comments to Neal.
7. [AI] Eric will compile suggestions for the top 10 things to know about PKI list and resend for review.
8. [AI] Neal will forward the URL for the PKIX certstore information to the list.
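The client-side check behind Bob's LDAP result and behind the decision to put the DNS name in subject alt name, as an added illustration that is not part of the minutes or of any HEPKI document. The certificate and host names are constructed; the matching rules go beyond what the minutes describe by also covering wildcard names, IP-address entries, and the legacy CN fallback used only when no subject alt name is present.

```python
import ipaddress

# Constructed certificate, modelled on the LDAP service cert in the minutes:
# two DNS names in subjectAltName, CN kept only for display by old clients.
LDAP_SERVICE_CERT = {
    "subject_cn": "ldap.example.edu",
    "san": [("DNS", "ldap.example.edu"), ("DNS", "directory.example.edu")],
}


def dns_name_matches(san_name: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, trailing dot ignored,
    a wildcard only as the whole leftmost label, never spanning a dot."""
    pattern = san_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host) or any(not label for label in host):
        return False
    if pattern[0] == "*":
        # Refuse wildcards that would cover a whole registered domain ("*.edu").
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host


def hostname_in_cert(cert: dict, requested: str) -> bool:
    """Accept the certificate for `requested` if subjectAltName covers it.
    Once a SAN extension is present the subject CN is not consulted, which is
    why the service's DNS names must be listed there; a cert carrying several
    DNS names is accepted under whichever of them the client asked for."""
    san = cert.get("san", [])
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if san:
        if ip is not None:
            return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san)
        return any(t == "DNS" and dns_name_matches(v, requested) for t, v in san)
    # Legacy fallback: no SAN at all, so older clients compare the CN.
    return ip is None and dns_name_matches(cert.get("subject_cn", ""), requested)
```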