Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

August 2, 2000
Attendees

* Jim Jokl (chair) - Virginia
* Maurice Mitchell
* Judith Boettcher - CREN
* Neal McBurnett - Avaya
* Deb Crocker - Alabama
* Eric Norman - Wisconsin
* Patty Gaul - CREN
* Ken Klingenstein - Colorado/Internet2
* Michael Gettes - Georgetown
* Ariel Glenn - Columbia
* David Wasley - UCOP
* Renee Frost - Internet2
* Ben Chinowsky (scribe) - Internet2
* Others joined and left the call at various times.

Discussion

The meeting opened with a review of the minutes from the July 19 meeting. There were substantial changes to the discussion of server-side certs; [AI] Ben will incorporate the changes to the minutes and send to Judith and Jim for approval.

Next was a review of the action items from the previous meeting.

1. (Judith will send TAG the parts of the CREN CA agreement that discuss revocation.) TAG discussed the cert-revocation-list portions of the CREN Certification Practices Statement (=certificate policy). Judith noted that the CRLs will be posted every 30 days or every month -- how can CREN ensure that the CRLs are checked? The current policy says that "the recipient must..." How can CREN enforce this? Should it? Judith suggested that this "must" be changed to a "should", and there was general agreement. The group agreed that this is an issue for PAG to resolve; TAG recommends to PAG that checking the CRL become a "should" rather than a "must", and that "relying party" should be used instead of "recipient".
2. (David will help Judith document the two approaches to naming, so they can be presented to the HEPKI constituent institutions.) David and Judith have not been able to work on this. [AI] David will work on documenting CRL naming for the next call. It was also agreed that TAG should form a subcommittee to document this and related issues; Eric, David, and Judith volunteered. Issues to be discussed include OCSP, revoking certs vs. revoking authorization in directories, and validity periods. David summed up the main revocation issue as being finding out how to minimize the need for CRLs. Michael emphasized that dc= naming in certs is not just for finding CRLs; among other things it can also be used to find directories. [AI] Jim will email Ken to choose a time to work on an outline for the CRL-naming document at Snowmass, and notify the list of the time.
3. (David will take charge of planning the Snowmass cert-profiles meeting.) The meeting is set for 1-5pm Friday afternoon at the Snowmass hotel.

Next was a discussion of the possibility of producing a document giving best practices for protecting private keys. Judith observed that there is a clear mandate for this, and that people at the CREN pilot schools are interested in participating; she asked the group who should lead this effort. [AI] Judith and Jim will confer to find a chair for the private-keys best-practices group, and will hold the volunteers from the CREN pilot schools to their commitments.

The group discussed Mine Sakurai's work on web forms for certificates. Michael has provided feedback to Mine. Jim related that Mine wants to know if a backend to these forms would be useful; there was agreement that it would be useful and should be bidirectional. Peter Gutman has created similar tools; [AI] Eric will send the list a URL for Gutman's work. Ken noted that it looks like HEPKI participants only have about 10% of the information needed to fill out the Federal BCA form (see csrc.nist.gov/pki/). The group also discussed Mine's mail on the basic-constraints and critical flags, and agreed to defer to Jeff on these issues.

There was a short discussion of the HEPKI web presence. There was general agreement that it would be good to get information out to more schools. Ideas included a checklist for schools just getting started, CRL issues, lists of tools, and pointers to other sites (e.g. Gutman, fPKI, CREN, VeriSign, iPlanet). [AI] Jim will make a list of proposed additions to the HEPKI web site, and send it to the list for discussion before the next call; others will send suggestions for Jim to compile.

There was a long discussion of possible HEPKI open-source work. There was general agreement that OpenSSL is more a certificate-manipulation library than an application, and that it would be good for HEPKI to get involved in OpenCA's work on providing wrapper functions for OpenSSL. There have been reports that open source cryptography projects outside the US are refusing to accept code developed in the US because they fear that even the recently relaxed US export restrictions may still somehow interfere with their long-term ability to use the code. This puts US institutions at a disadvantage. It was agreed that TAG should seek a legal opinion on this issue in order to address these concerns. [AI] Ariel will send PAG and TAG a brief description of legal issues around OpenSSL, including excerpts from the relevant documents. Ken noted that the Europeans seem to be turning toward OpenCA; [AI] Ken will ask his Dutch contacts about European interest in OpenCA. Michael noted that OpenCA appears to be getting work done even though there is little discussion on the OpenCA list.

Ken noted that Sun is interested in sharing some open-source Java libraries with TAG; these might form a basis for an open-source Certificate Management Protocols implementation (see RFC 2510/2511). [AI] Ken will send the TAG list the Java-libraries mail from Sun.

The next HEPKI-TAG call will be Wednesday, August 16, at 3:30 p.m. EDT = 12:30 p.m. PDT = 7:30 p.m. GMT.


Action Items

* Ben will incorporate the changes to the minutes and send to Judith and Jim for approval.
* David will work on documenting CRL naming for the next call.
* Jim will email Ken to choose a time to work on an outline for the CRL-naming document at Snowmass, and notify the list of the time.
* Judith and Jim will confer to find a chair for the private-keys best-practices group, and will hold the volunteers from the CREN pilot schools to their commitments.
* Eric will send the list a URL for Gutman's work.
* Jim will make a list of proposed additions to the HEPKI web site, and send it to the list for discussion before the next call; others will send suggestions for Jim to compile.
* Ariel will send PAG and TAG a brief description of legal issues around OpenSSL, including excerpts from the relevant documents.
* Ken will ask his Dutch contacts about European interest in OpenCA.
* Ken will send the TAG list the Java-libraries mail from Sun.