June 20, 2001
Attendees
* Jim Jokl (chair) - Virginia
* Steve Worona - EDUCAUSE
* Keith Hazelton - Wisconsin
* Judith Boettcher - CREN
* Deb Crocker - Alabama
* Eric Norman - Wisconsin
* Bob Morgan - Washington
* Michael Gettes - Georgetown
* Chris Misra - Massachusetts
* Renee Frost - Michigan/Internet2
* Ellen Vaughan - Internet2
* Michelle Gildea - CREN
* Ken Klingenstein - Colorado/Internet2
* Ed Feustel - Dartmouth
* Jeff Schiller - MIT/CREN
* Bill Doster - Michigan
* Ben Chinowsky (scribe) - Internet2
Discussion
The meeting opened with miscellaneous items. [AI] Judith will update the information on the CREN pilot schools on the CREN web site. Ken noted that H. Morrow Long is building a Win2K-based PKI at Yale. Ed exhorted the group to keep on the task of information gathering. Ed also called the group's attention to Groove (www.groove.net), an information-sharing system that has a built-in PKI; Bob noted that Groove's founder was the principal architect of Lotus Notes. Ed described Groove as "not perfect by any means", in particular noting that it lacks fine-grained authorization ("if you get in, you can do darn near anything"); on the other hand, he cited Groove as a model in that it makes PKI transparent to the user.
The group reviewed the action items from the last call:
[Jim will ask Judith Boettcher if CREN will require that institutions be able to revoke their own certs.] Judith said that CREN will provide CRLs for campus-issued certs signed with a cert issued by CREN. She also noted that the draft campus CP requires CRLs even at the Rudimentary assurance level. Subordinate policies, such as CPSes, will inherit the CREN policy, while providing room for customization; [AI] Judith and Ed will work on an example of how things should be divided up between a campus's CP and its CPS.
[Ed will send Jim mail about resolving the Outlook no-signing-without-encryption issue.] Still to do.
[All will send Jim links to information on their campus PKI work, for the TAG web site.] Still to do.
[All PKI Lite participants will send Ed their email addresses and phone numbers.] and [Ed will compile a PKI Lite contact list and send it to TAG.] were not accomplished; they were corrected and combined into: [AI] All will send Ed a brief description of their campus PKI work, along with the name, email, and phone number of a contact person for that work; Ed will compile a contact list and send it to TAG.
The group reviewed the June 18-19 Ed/Fed meetings, which were devoted mostly to general information sharing, HEBCA, and the NIH PKI proposal. The GSA is running the Federal bridge, while contracting the technical aspects out to Mitretek; the official ribbon-cutting is scheduled for next week. Michael noted that Baltimore is having serious problems; he expects Spyrus to be involved in the Federal bridge work by the end of the year. Keith gave an overview of the NIH PKI proposal; phase one is for NIH to provide trust ID certs to three participating universities. Ed asked if, when the time comes for HEBCA to implement attribute certs, each campus will need to provide an attribute cert of its own peculiar variety; Keith answered yes, and acknowledged that this is "a can of worms".
The discussion then turned to PKI Lite. After reaffirming its earlier decision to pursue signed-but-not-encrypted email as a driving application, TAG revisited the question of also pursuing web authentication. Jeff spoke in favor, arguing that web authentication is much easier than signed email, and should be taken up first. Bob asked why, given MIT's success, campuses were continuing to invent their own web-login schemes, and Keith described this as "*the* question". This led to a discussion of the extent to which MIT should be considered exceptional as a site for PKI deployment. On the one hand, it was argued that MIT students and faculty are a cut above those elsewhere; that the culture at MIT is such that if someone can't get a new technology to work, it's their own fault; that MIT has an unusual amount of distributed-systems experience; that Athena deals well with the problem of mobility; and that Jeff has provided exceptionally strong leadership. On the other hand, Judith and Michelle noted that in CREN's experience users don't find it hard to use certs for web authentication, and Jeff asserted that "To be honest with you, it *is* easy. It really is." Jeff also observed that MIT's administrative assistants are no better than those at other schools, and they use certs for web authentication. Michelle suggested that universities use certs to control access to music, games, and/or conveniences ("students will do anything if it means they won't have to walk through the snow to print their papers"); alluding to Napster, Judith observed that "if we'd tried to teach them how to use peer-to-peer networking, they'd never have done it."
After briefly considering the possibility of doing web authentication instead of signed-but-not-encrypted email, TAG agreed to do both. [AI] Eric will create a demo web site that issues end-entity certs and lets the user test the certs by using them to authenticate to a web page. Jeff called the group's attention to http://jis.mit.edu/bh/, a site he's set up to provide certs via email and HTTPS. Keith advised the group to watch http://www.cs.wisc.edu/pkilab/ for reports on the Wisconsin PKI Lab's Department of Family Medicine email security project, which is similar to the mail half of PKI Lite.
Finally the group assigned a few miscellaneous action items. [AI] Keith will investigate and report on the failure of his Messenger 4.7.5 to send back encrypted mail even after receiving a cert. [AI] All who are planning to participate in the mail half of PKI Lite will get their mail clients working and send a signed message to the TAG list. [AI] All will provide Jim feedback on the prototype TAG web site (http://middleware.internet2.edu/hepki-tag/) by Wed. June 27, with a view to getting the site ready to link in by Fri. June 29.
Action Items
* [AI] 20-June-2001 - Judith will update the information on the CREN pilot schools on the CREN web site.
* [AI] 20-June-2001 - Judith and Ed will work on an example of how things should be divided up between a campus's CP and its CPS.
* [AI] 20-June-2001 - All will send Ed a brief description of their campus PKI work, along with the name, email, and phone number of a contact person for that work; Ed will compile a contact list and send it to TAG.
* [AI] 20-June-2001 - Eric will create a demo web site that issues end-entity certs and lets the user test the certs by using them to authenticate to a web page.
* [AI] 20-June-2001 - Keith will investigate and report on the failure of his Messenger 4.7.5 to send back encrypted mail even after receiving a cert.
* [AI] 20-June-2001 - All who are planning to participate in the mail half of PKI Lite will get their mail clients working and send a signed message to the TAG list.
* [AI] 20-June-2001 - All will provide Jim feedback on the prototype TAG web site (http://middleware.internet2.edu/hepki-tag/) by Wed. June 27, with a view to getting the site ready to link in by Fri. June 29.
* [AI] 6-June-2001 - All will send Jim links to information on their campus PKI work, for the TAG web site.
* [AI] 6-June-2001 - Ed will send Jim mail about resolving the Outlook no-signing-without-encryption issue.
* [AI] 23-May-2001 - All will review Jeff's private-key-protection document and send comments to Jeff.