Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

March 23, 2005
Attendees

* Jim Jokl (chair) - Virginia
* Renee Frost - Michigan/Internet2
* Mark Franklin - Dartmouth
* Nick Lewis - Internet2
* Neal McBurnett - Internet2
* Eric Norman - Wisconsin
* Shelley Henderson - USC
* David Wasley - independent
* Ken Klingenstein - Colorado/Internet2
* Ben Chinowsky (scribe) - Internet2

Discussion

The group approved Jim's March 22 changes to the PKI-Lite end-entity and CA cert profiles, and asked Jim to make two further changes:

* make the AKI language in the end-entity profile more specific to end-entity certs, and make the AKI language in the CA profile more specific to CA certs.
* in the end-entity profile, recommend that basicConstraints be included, and require that it be marked critical if it is included.
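
As an added illustration (not part of these minutes and not text from the PKI-Lite profiles), the following Go program, using only the standard crypto/x509 package, encodes the end-entity rule agreed above as a check: basicConstraints is recommended, so its absence is reported as a warning rather than a violation; if it is present it must be critical and must not assert cA. The AKI part is an assumption of the example, since the minutes only ask for more specific language: it is read here as "AKI present and equal to the issuer's subjectKeyIdentifier". The test CA, the end-entity certificates, and the names CheckEndEntity, NewTestCA and IssueEE are constructed for this example; IssueEE deliberately produces a non-critical basicConstraints by hand-encoding the extension, because crypto/x509 otherwise always marks it critical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Extension OIDs from RFC 3280 section 4.2.1 that the profile change concerns.
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
var oidAuthorityKeyID = asn1.ObjectIdentifier{2, 5, 29, 35}

// findExt returns the raw extension with the given OID, or nil if absent.
func findExt(c *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension {
	for i := range c.Extensions {
		if c.Extensions[i].Id.Equal(oid) {
			return &c.Extensions[i]
		}
	}
	return nil
}

// CheckEndEntity applies the end-entity rule: basicConstraints SHOULD be present
// (absence is a warning); if present it MUST be critical and MUST NOT assert cA.
// Assumption (example only): AKI must be present and equal to the issuer's SKI.
func CheckEndEntity(ee, issuer *x509.Certificate) (violations, warnings []string) {
	switch bc := findExt(ee, oidBasicConstraints); {
	case bc == nil:
		warnings = append(warnings, "basicConstraints absent (profile recommends it)")
	case !bc.Critical:
		violations = append(violations, "basicConstraints present but not marked critical")
	case ee.IsCA:
		violations = append(violations, "basicConstraints asserts cA=TRUE on an end-entity cert")
	}
	if findExt(ee, oidAuthorityKeyID) == nil || !bytes.Equal(ee.AuthorityKeyId, issuer.SubjectKeyId) {
		violations = append(violations, "authorityKeyIdentifier absent or not equal to issuer SKI")
	}
	return violations, warnings
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// mustCert signs tmpl with the parent's key and parses the resulting DER.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// NewTestCA builds a throwaway self-signed CA (constructed test data, not a real CA).
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Campus Test CA"},
		NotBefore:             time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SubjectKeyId:          []byte{0xde, 0xad, 0xbe, 0xef},
	}
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueEE issues an end-entity cert; mode is "critical", "noncritical" or "absent".
func IssueEE(ca *x509.Certificate, caKey *ecdsa.PrivateKey, mode string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "user@example.edu"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	switch mode {
	case "critical":
		tmpl.BasicConstraintsValid = true // crypto/x509 emits a critical basicConstraints with cA=FALSE
	case "noncritical":
		// Hand-encoded empty BasicConstraints SEQUENCE (cA defaults to FALSE), marked non-critical.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidBasicConstraints, Value: []byte{0x30, 0x00}}}
	}
	return mustCert(tmpl, ca, &key.PublicKey, caKey)
}

func main() {
	ca, caKey := NewTestCA()
	v, w := CheckEndEntity(IssueEE(ca, caKey, "noncritical"), ca)
	fmt.Println("violations:", v, "warnings:", w)
}
```

Running it reports one violation for the non-critical case and nothing for the compliant one; feeding the CA certificate itself to CheckEndEntity reports the cA=TRUE violation, which is the easy mistake a profile check of this kind exists to catch.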

[AI] All will review the Acknowledgements section of http://middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices-current.html and send Jim any additions.

The group reviewed the list of questions about document-signing tools from the March 9 minutes. David noted that item 4 refers to the ability to verify once and log, so you don't have to archive the certs, and item 9 refers to forms routing support, e.g. countersigning requirements. David also noted two other issues:

* date-stamping (the Post Office is offering this service now -- send them a Word document and they'll give it an electronic postmark)
* crypto systems built into OSes -- it may not always be obvious which crypto system a tool is using.

[AI] Jim will clarify items 4 and 9 in the list of questions about document-signing tools, and add items on date-stamping and OS crypto. [AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing.html in the light of these questions. Jim has been looking at E-Lock DeskSeal; he noted that for now the idea is to test the list of questions, not the tools themselves.

Eric called the group's attention to an email security add-on product called Ciphire (https://www.ciphirebeta.com/). Its main feature is a system for distributing trusted fingerprints. Ciphire appears to be free for educational use.

The group discussed the issue of password caching. Eric observed that PKCS #11 includes the ability to make the user keep re-entering the password; Neal said that Windows includes a similar facility. Mark noted that Dartmouth is pursuing a script-based approach to this issue. Ken noted that the Feds are looking for input on how to deal with password caching.

Finally, David raised an interesting question: if Entrust and Verisign are both cross-certified with the FBCA, can one now verify the other? No one knew the answer, but Jim suggested that several problems could be solved by such a capability.

Action Items
New

* [AI] All will review the Acknowledgements section of http://middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices-current.html and send Jim any additions.
* [AI] Jim will clarify items 4 and 9 in the list of questions about document-signing tools, and add items on date-stamping and OS crypto.
* [AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing.html in the light of these questions.

From previous calls

* [AI] Jim will follow up on a real-world Acrobat signing app he's heard of.
* [AI] Shelley will ask her sysadmins list for information on applications using any of the tools on Jim's list.
* [AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
* [AI] All will send suggestions for presentations at the PKI deployment summit to Mark Franklin (Mark.J.Franklin@Dartmouth.EDU) and Steve Worona (sworona@educause.edu).
* [AI] Jeff will send Jim a Mutt column for the TAG S/MIME table.
* [AI] All will send Jim further suggestions for TAG projects.
* [AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
* [AI] Eric will look for pointers on getting Mozilla to recognize trust anchors on tokens.
* [AI] Eric will review his Top 10 lists to see if they're ready to be added to the TAG web site.