Technical Activities Group Meeting Minutes
HEPKI–TAG Conference Call

January 2, 2002

Attendees

* Jim Jokl (chair) – Virginia
* Judith Boettcher – CREN
* Neal McBurnett – Internet2
* Eric Norman – Wisconsin
* Ken Klingenstein – Colorado/Internet2
* Steve Worona – EDUCAUSE
* David Wasley – UCOP
* Michelle Gildea – CREN
* Deb Crocker – Alabama
* Ben Chinowsky (scribe) – Internet2

Discussion

After approving the minutes of the last meeting, the group reviewed some of its outstanding action items:

* [19–December – Eric will ask Scott Fullerton to test opaque signatures on the TAG list.] Still to do. Jim noted that "opaque" means sending the entire message in base64.
* [19–December – Renee will find out if TAG can count on MACE–Dir–Groups finishing its calls by 3pm Eastern, so as not to conflict with TAG's proposed new start time.] Done; TAG calls will now start at 3pm Eastern.
* [19–December – Ken will ask HEPKI–PAG for input on where to seek legal review of the draft PKI Lite combined CP/CPS.] Still to do. Ken noted that he and Steve had agreed to take the PKI Heavy CP to NACUA.
* [19–December – Jim will check status of action items from November 7 and earlier via email.] Still to do.
* [19–December – All will review David's "S/MIME needs..." email (Dec. 5, re–sent Dec. 19) for discussion on the next call.] Still to do.
* [19–December – Eric will draft a scenario for using S/MIME to make it possible for all replies to a message sent to multiple lists to go to all those lists, even when the replier is not on all of them.] Done in Eric's reply to David's "S/MIME needs..." email.
* [19–December – Judith will draft a scenario for using S/MIME for homework submission.] Still to do.
* [19–December – Ken will draft a CFP for an experimental approach to deploying PKI Lite S/MIME.] In process.
* [5–December – Eric will continue investigating listproc's performance with signed messages.] Still to do; Eric noted that this item should be narrowed to [AI] Eric will continue investigating listproc's performance with Eudora/Tumbleweed signed messages.
* [5–December – Jim will get part of the PKI Lite site set up for test results.] Still to do.
* [5–December – Jim will organize testing to verify that the fix proposed for the L–Soft signed messages problem actually works.] Done. [AI] Ken will follow up with the people responsible for testing the fix proposed for the L–Soft signed messages problem.

Much of the call was devoted to the proposed PKI Lite S/MIME experiment. Ken suggested that the group take an "80% solution" approach: rather than trying to address 100% of each set of issues (the approach responsible for bogging down PKI), TAG will try for just 80%. The idea is that, while not good enough for a production deployment, this will be good enough to make for an interesting experiment, which will in turn lead to production deployments. The trick is to ensure that the particular 80% solutions deployed are capable of growing to 100%. Ken listed the sets of issues to which this approach is to be applied as:

* What clients can you use? Ensuring that the answer is "all" is an explicit non–goal of the experiment.
* What is the strength of assurance?
* What cert policy will be used?
* What applications are to be enabled: signing, encryption, or both? There was general agreement that, from a middleware business–case standpoint, signing is more important than encryption.
* For how long after a signed message is received can you still validate the signature?
* How to handle archiving encrypted messages? As with validating archived signed messages, limited cert lifetimes are a problem. Ken suggested instructing users to re–save messages in unencrypted form if they are going to need to read them later. Neal reminded the group of David's suggestion to have users re–encrypt with a different key. Both these approaches make key escrow unnecessary.

Ken suggested that the project start with about ten campuses. The CREN CA, a dedicated experimental CA CREN is planning to set up, and public CAs like Black Helicopter were suggested for use by participants who haven't set up their own CAs yet. Judith noted that CREN's new experimental CA will be able to provide free certs with (per Jim's request) the key usage field set to allow both signing and encryption. HEBCA running in test mode was suggested as a bridge CA for the experiment. Ken suggested seeking resources for participating schools from government bodies that "still have passion for PKI".

Eric noted that the growing popularity of web–based mail could prove to be an obstacle to the adoption of S/MIME, and that a major discussion questioning the value of PKI in general is currently underway on the SPKI list. Jim suggested that retrofitting existing applications is the biggest stumbling block on the road to PKI; this makes starting with S/MIME attractive, as S/MIME is the only cert–using technology built into current software.

Finally the group discussed miscellaneous topics:

* Ken noted that the Europeans are starting work on bridges; there's a PKI meeting March 12–13 in Amsterdam.
* Ken also noted that Bill Doster has produced a good list of "we could put KX.509 into production if we didn't have to worry about..." items.
* Jim has heard that the latest SSH.com version of SSH supports cert–based authentication. [AI] Eric will look into possible SSH.com support for cert–based authentication.
* Also, [AI] Eric will help Annie and Carrie at Wisconsin go through the HEPKI demo and get certs installed in their browsers.

Action Items

* [AI] 2–January – Ken will follow up with the people responsible for testing the fix proposed for the L–Soft signed messages problem.
* [AI] 2–January – Eric will look into possible SSH.com support for cert–based authentication.
* [AI] 2–January – Eric will help Annie and Carrie at Wisconsin go through the HEPKI demo and get certs installed in their browsers.
* [AI] 19–December – Eric will ask Scott Fullerton to test opaque signatures on the TAG list.
* [AI] 19–December – Ken will ask HEPKI–PAG for input on where to seek legal review of the draft PKI Lite combined CP/CPS.
* [AI] 19–December – Jim will check status of action items from November 7 and earlier via email.
* [AI] 19–December – All will review David's "S/MIME needs..." email (Dec. 5, re–sent Dec. 19) for discussion on the next call.
* [AI] 19–December – Judith will draft a scenario for using S/MIME for homework submission.
* [AI] 19–December – Ken will draft a CFP for an experimental approach to deploying PKI Lite S/MIME.
* [AI] 5–December – Eric will continue investigating listproc's performance with Eudora/Tumbleweed signed messages.
* [AI] 5–December – Jim will get part of the PKI Lite site set up for test results.
* [AI] 5–December – All will send Jim their institutional root certs for the root cert downloader and client authentication demo on pkidev.internet2.edu.
* [AI] 5–December – Jeff will have lawyers at MIT review the legal language in the draft CPS template.
* [AI] 5–December – Jeff will copyedit the draft CPS template and send the revised version to the list.
* [AI] 5–December – Ed will read the SACRED requirements document; if this leads him to think that SACRED should be kept going, he will investigate further.
* [AI] 5–December – Ed will find out more about Dartmouth's timesheet–signing application, for discussion on the next call.
* [AI] 5–December – Keith will point Wisconsin's deputy CIO to the posted draft CPS template.
* [AI] 5–December – Keith will try to interest one of his colleagues at Wisconsin in working with TAG on serial signatures.
* [AI] 7–November – Ed will send the list information on products that use the IBM 4758.
* [AI] 7–November – Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.
* [AI] 24–October – All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.
* [AI] 26–September – Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.
* [AI] 26–September – Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN– and institution–signed user certs to use on the demo site to practice following chains.
* [AI] 26–September – Jeff will look into getting user certs from MIT for the demo site.
* [AI] 26–September – Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.
* [AI] 29–August – Renee will look into what policies Internet2 is considering for software distributions.
* [AI] 29–August – All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.
* [AI] 1–August – Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
* [AI] 6–June – All will send Jim links to information on their campus PKI work, for the TAG web site.