May 19, 2004
* Jim Jokl, U. Virginia
* Scott Cantor, OSU
* Eric Norman, U. Wisconsin
* Shelley Henderson, USC
* Jeff Schiller, MIT
* David Wasley, UCOP
* Bob Morgan, U. Washington
* Nathan Faut, EDUCAUSE
* Nick Lewis, Internet2
* Jeanette Fielden, Internet2
* Neal McBurnett, Internet2
* Steve Olshansky, Internet2
InCommon is the legal name of the federation. References should be to InCommon and not InCommon federation. Since InCommon is an LLC with only Internet2 as a member those who join InCommon should be referred to as participants of InCommon not members.
The root certificate for InCommon is in the trust file on the website for
[AI] Jim will decode the root certificate for InCommon and put it in the HEPKI repository.
Changing 1.6 in the PKI-Lite policy
As discussed on the previous call, the policy now says the PKI-Lite framework is designed for operation by a central campus group and should not issue authority certs to departmental CAs.
Jeff proposed the sentence should read: “If an institution issues a CA Certificate to a subordinate organization, as an academic or administrative department, that CA should operate under the same CPS as the institution or should use a different policy OID in their end-user certificates.”
Jim indicated that if there are schools that want to be able to enable department CAs and make them part of the hierarchy, the first part of what Jeff said is perfect. The department is bound to run the CA. As a compromise for the second part, the only time a central organization can issue an authority cert to a dept is if the dept is willing to run the cert at the same level as the
[AI] Jim: will draft another revision to 1.6 of the PKI-Lite policy and send it out to the list for review.
Application/x-octet-stream for x.509 MIME type
Jim has changed the document to put DNS name in subject alt name and changed the download type to x-octet-stream. He has not had a chance to test it yet.
The S/MIME clients table has been updated to include Eric’s testing of Pine.
Eudora lacks S/MIME support currently. Qualcomm just finished a release of Eudora and Jim believes it is a good time to lobby them for S/MIME support.
[AI] Jim will draft a letter to Qualcomm to include S/MIME in Eudora.
Top 10 things people need to know about PKI list
The concept is that while you don’t have to understand concrete and bridge building to drive on the freeway, you are expected to understand the street signs. So while you may not expect someone to understand the infrastructure behind PKI, there are types of information regarding PKI use in applications that users need to know how to interpret and use.
Items suggested include:
* How to protect the private
* How to import/export certificates
* How to install a trusted root
* The hazards and benefits of encrypted e-mail
* What it means to digitally sign your e-mail.
* Revocation and what to do if you think your machine has been compromised.
* Users should understand that there is something called encryption that allows you to send a message to someone else in the world, that only that person can read.
* They should understand how to install a trusted root for e-mail and how to use it.
* They should understand what the padlock icon on a browser means and how to use it to verify whom they are communicating with. Make sure they are sending data over an encrypted connection.
[AI] Eric will compile suggestions for the top 10 things to know about PKI list and resend for review.
Peter Gutmann talked about a better approach to PKI called PKIX cert store at the PKI workshop. It includes some useful techniques for about certificates in a lighter weight fashion.
[AI] Neal will forward the URL to PKIX information certstore to the list.
1. [AI] Jim will decode the root certificate for InCommon and put it in the HEPKI repository.
2. [AI] Jim: will draft another revision to 1.6 of the PKI-Lite policy and send it out to the list for review.
3. [AI] Nathan will send the presentation from the Aerospace bridge discussion to Jim who will put it on the HEPKI-TAG site.
4. [AI] Bob Morgan: will write up for the list the success of accessing an LDAP directory with two different names in subject alt name. Different clients were able to accept the cert regardless of which name they had asked the service for.
5. [AI] Jim will draft a letter to Qualcomm to include S/MIME support in Eudora.
6. [AI] All: Please review the InCommon CA documents and provide comments to Neal.
7. [AI] Eric will compile suggestions for the top 10 things to know about PKI list and resend for review.
8. [AI] Neal will forward the URL to PKIX certstore information to the list.
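As an added example that is not part of the minutes or of any HEPKI-TAG document, the client-side check behind Bob Morgan's LDAP action item: a certificate whose subjectAltName carries two dNSName entries is accepted for whichever of those names the client asked for. The host names and certificate contents below are constructed for this illustration, and the matching rules follow RFC 6125 (DNS-ID) rather than any particular client's implementation.

```python
# Added example (not from the HEPKI-TAG minutes): hostname checking against a
# certificate that lists several DNS names in subjectAltName. All names below
# are constructed for the illustration.

def _san_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against the requested host (RFC 6125 rules).

    Comparison is case-insensitive, a wildcard is honoured only as the complete
    leftmost label, it never spans label boundaries, and a wildcard pattern must
    still contain at least two more labels (so "*.edu" matches nothing).
    """
    pat_labels = pattern.rstrip(".").lower().split(".")
    host_labels = host.rstrip(".").lower().split(".")
    if len(pat_labels) != len(host_labels) or "" in host_labels:
        return False
    if pat_labels[0] == "*":
        return len(pat_labels) >= 3 and pat_labels[1:] == host_labels[1:]
    return pat_labels == host_labels


def certificate_matches_host(requested_host: str, san_dns_names: list, subject_cn: str) -> bool:
    """Decide whether a certificate may be accepted for the host the client asked for.

    When the certificate carries any dNSName SAN entries the subject CN is ignored
    (RFC 6125 section 6.4.4); the CN is consulted only for legacy SAN-less certs.
    """
    candidates = san_dns_names if san_dns_names else ([subject_cn] if subject_cn else [])
    return any(_san_name_matches(name, requested_host) for name in candidates)


# Constructed certificate data for a directory service reachable under two names.
DIRECTORY_SAN = ["ldap.example.edu", "directory.example.edu"]
DIRECTORY_CN = "ldap.example.edu"

if __name__ == "__main__":
    for host in ["ldap.example.edu", "DIRECTORY.example.edu", "www.example.edu"]:
        ok = certificate_matches_host(host, DIRECTORY_SAN, DIRECTORY_CN)
        print(f"{host:25s} -> {'accept' if ok else 'reject'}")
```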