Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

November 21, 2001

Attendees

* Jim Jokl (chair) - Virginia
* Ed Feustel - Dartmouth
* Michelle Gildea - CREN
* David Wasley - UCOP
* Eric Norman - Wisconsin
* Steve Worona - EDUCAUSE
* Ken Klingenstein - Colorado/Internet2
* Judith Boettcher - CREN
* Chris Misra - Massachusetts
* Renee Frost - Michigan/Internet2
* Michael Gettes - Georgetown
* Bob Morgan - Washington
* Ben Chinowsky (scribe) - Internet2

Discussion

The minutes of the previous meeting were approved without changes. The group reviewed some of its outstanding action items:

* [7-November - Jim will poll the TAG list about a new meeting time.] Still to do.
* [7-November - Eric will send a signed message to the TAG list to find out if listproc has the same problem with signed mail as does L-Soft.] Done; listproc does not appear to have the problem. [AI] Eric will repeat his listproc experiment with a message that contains trailing spaces.
* [7-November - Ed will send the list information on products that use the IBM 4758.] Still to do.
* [7-November - Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.] In process.
* [7-November - Ed will send the list a) URLs on Netscape's work on S/MIME for Mozilla and b) the suggestions he has sent Netscape regarding this work.] Done; see Ed's November 8 messages to the TAG list. Ed noted that Netscape had ignored his question about whether Mozilla would let the user choose whether to store mail encrypted or unencrypted. This led to a short discussion of assorted archiving and nonrepudiation issues. Bob summarized: "It sounds like 'signed email' is not a precise enough description to answer all the interesting questions about archiving and nonrepudiation." Ken suggested that, as a first step toward building a business case for PKI Lite, the group produce a more precise definition of the S/MIME capabilities it is trying to enable, and shop it around to the CIOs of potential participant campuses; there was general agreement. [AI] Ken will send the list v0.01 of a list of use scenarios for PKI Lite S/MIME.
* [7-November - All will read Ed's documents on S/MIME for Mozilla, in preparation for a discussion on the next call of TAG possibly making recommendations to Netscape.] Done.
* [7-November - Steve will work the following question into a scenario for the Department of Education: If students are informed that inter-domain use of a PKI Lite cert is similar to showing an ID card off campus, and on-campus alternatives are provided for students who opt out of using the cert, is that enough to meet FERPA requirements?] Done; Steve is hoping to get an answer by the end of the year.
* [7-November - Jim will draft a request for feedback on the draft PKI Lite cert profile, including an explanation of the possibility of having to create separate profiles for S/MIME and web authentication; all will review in preparation for discussion on the next call.] Done; see Jim's mail of November 21. [AI] All will review Jim's draft request for feedback on the draft PKI Lite cert profile, in preparation for discussion on the next call.
* [7-November - Jim will set up a minimal web authentication demo on the Internet2 demo machine.] Done; see http://pkidev.internet2.edu.
* [24-October - Ed will find TAG a reference on the DLF X.509 extension used to specify what application a cert is intended for.] Done; see http://www.diglib.org/architectures/digcert.htm.
* [10-October - Jeff will draft a CPS template for PKI Lite.] [AI] Jim will ping Jeff re status of the draft CPS template.

TAG discussed possible uses for PKI Lite web authentication; suggestions included authentication to web-based email systems, single sign-on, SSH ([AI] Bob will send the list a URL for Globus work on using certs with SSH), communications with campus health centers, student elections, student access to grades and transcripts, authentication to portals, and homework submission. Jim noted that he's hoping to find something both common and interdomain. Bob noted that the WebISO group wants to add public-key authentication to PubCookie ("purists won't like it, but it could be a good transitional approach"); anyone who wants to help is welcome. Jim suggested that PKI Lite use its S/MIME deployment to build up interest, then add web authentication later; Michael noted that the FBCA has focused on email because a) people are already using it and want to make it secure, and b) it builds experience that can then be used for authentication. [AI] Jim will send the list v0.01 of a list of use scenarios for PKI Lite web authentication, to be discussed in parallel with Ken's S/MIME scenarios.

Finally, Michael called the group's attention to the Leeds User Registration & Certificate Issuing System (LURCIS). LURCIS is about "how to do cert and key distribution on the cheap"; the project's lead investigator is interested in international collaboration and open-sourcing the code. See http://www.personal.leeds.ac.uk/~ecldh/lurcis/.

Action Items

* [AI] 21-November - Eric will repeat his listproc experiment with a message that contains trailing spaces.
* [AI] 21-November - Ken will send the list v0.01 of a list of use scenarios for PKI Lite S/MIME.
* [AI] 21-November - All will review Jim's draft request for feedback on the draft PKI Lite cert profile, in preparation for discussion on the next call.
* [AI] 21-November - Jim will ping Jeff re status of the draft CPS template.
* [AI] 21-November - Bob will send the list a URL for Globus work on using certs with SSH.
* [AI] 21-November - Jim will send the list v0.01 of a list of use scenarios for PKI Lite web authentication, to be discussed in parallel with Ken's S/MIME scenarios.
* [AI] 7-November - Jim will poll the TAG list about a new meeting time.
* [AI] 7-November - Ed will send the list information on products that use the IBM 4758.
* [AI] 7-November - Judith will send the list information from Spencer on DLF's LDAP plans.
* [AI] 7-November - Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.
* [AI] 24-October - All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.
* [AI] 10-October - Jim will check status of action items from August 29 and earlier via email.
* [AI] 10-October - Jeff will draft a CPS template for PKI Lite.
* [AI] 26-September - Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.
* [AI] 26-September - Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.
* [AI] 26-September - Jeff will look into getting user certs from MIT for the demo site.
* [AI] 26-September - Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.
* [AI] 29-August - Renee will look into what policies Internet2 is considering for software distributions.
* [AI] 29-August - All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.
* [AI] 1-August - Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
* [AI] 6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.