May 23, 2000
Attendees
* Jim Jokl (chair) - U. of Virginia
* David Wasley - UCOP
* Keith Hazelton, Eric Norman, others - Wisconsin
* Renee Frost - Internet2
* Neil McBurnett - Lucent
* Russ Yount - CMU
* Steve Kellog and others - Penn State
* Ken Weiss - UCOP
* Ken Klingenstein - Colorado/Internet2
* Ben Chinowsky (scribe) - Internet2
* Several others joined and left the call at various times
Discussion
Ken K. opened the meeting by announcing a new format for minutes of HEPKI-TAG meetings. The new format will be less a list of who said what when, and more a narrative summary. Ken also solicited opinions on dissemination of the minutes and on how open to make the HEPKI-TAG email list; no decisions were reached. Ken also asked HEPKI-TAG members to contact Renee for list changes, and to send agenda items for conference calls to Jim a few days ahead of time.
The discussion then moved on to a review of ongoing work. Within Educause, net@edu is readying a draft list of elements necessary for a higher-education PKI. Keith Hazelton is aiming to have edu-person v0.9 ready for the May 30 conference call on this topic.
The group formed last November to coordinate Federal and higher-education PKI efforts is meeting again on June 22. Ken noted that CREN and similar organizations have received a formal letter from the Federal Government CIO council, asking the higher-education community to work on cross-certification, and in particular to bring an (as yet nonexistent) policy document to the table. Ken K. pointed the group to http://csrc.nist.gov/pki/twg for information on fPKI work. [AI] Ken K. will also email HEPKI-TAG with information on both the Government's offer to the higher-education community, and the fPKI work itself. The group noted the great importance of working closely with groups beyond the .edu community, as that community is only a small part of the total market for PKI. Ken K. also took note of some developments in the medical middleware and commercial areas. The California Medical Association has plans to provide certs to every MD in the state; see www.tunitas.com for more information. In the auto industry, ANX has hit chaining-vs-referrals snags, resulting in a backoff from PKI to IPsec tunneling.
The CREN pilot schools are meeting on June 27 to review the status of their implementations, and on June 28 for a seminar. They are planning to issue short-term certificates to enable institutions to access each other's libraries, relying on CREN to establish trust.
There was a long discussion of university libraries as potential customers for PKI. It was noted that as libraries require "anonymous authentication" -- a near-oxymoron -- they provide a difficult and therefore useful challenge to PKI efforts, though maybe not an ideal first project. At California and Penn State, libraries have been important drivers of PKI work.
The ongoing-efforts portion of the meeting closed with a discussion of PKI for university-commercial relations. The group noted that real-world relations of trust -- "how we did it before we had computers" -- can be a useful starting point for designing PKI trust relations in this area.
In the final part of the call, HEPKI-TAG considered several areas of work that it might want to take up in the near future.
First were open-source CA efforts. Wisconsin and Penn State are doing work in this area. [AI] Jim will send the list the URL for the Oscar project, based in Australia. [AI] Eric will send HEPKI-TAG his OpenSSL contact information. The group agreed that there are several important areas of work within OpenCA and that it would likely be necessary to pick and choose among them. Discussion then moved on to commercial solutions. UCOP is moving forward with its relationship with Verisign. Verisign imposes no constraints on California's Registration Authority; they're just running the technology for the university. There was also a short discussion, to be continued on the Thursday HEPKI-PAG call, of related legal developments in California, Texas and Washington.
Next the group considered certificate portability issues. There was a near-consensus that a change in the basic hardware platform -- adding keyboards with smartcard readers, for instance -- will ultimately be necessary; the quality of such hardware is now poor, but is improving rapidly. However, it might not be widely available for five years or so. [AI] [Anonymous] will contact Sal at California about directories work related to certificate portability. The group agreed to track work in the smartcards area.
The group agreed that it is important to start collecting certificate profiles, with a view to having six or eight of them to compare in hopes of finding the basis for a consensus. http://csrc.nist.gov/pki/twg has the fPKI cert profile. [AI] Ken W. (UCOP) and Keith (Wisconsin) will send Ken K. profiles from their institutions. [AI] Ken K. will contact Andy at Michigan for information on their work with junk certs, and Bob Moskowitz for information on fPKI profile work. [AI] Judith has writeups of CA best practices from Princeton, Georgia Tech, and MIT; she will notify HEPKI-TAG when they are ready to be posted, so that the group can discuss them in the next call. [AI] Jim Jokl will work on a benchmarking survey.
Finally the group discussed testbed projects. It was noted that an important need for researchers is to be able to securely share information that is not yet ready for publication; the Shibboleth project is relevant here. Several other possible testbed projects were discussed, but the group decided that with the exception of Shibboleth, this area should be back-burnered for now, so as not to spread the group too thin.
Action Items
* Ken will confer with Jim later this week to review the minutes, then send them out to HEPKI-TAG.
* The next call is in two weeks, on Tuesday June 6, at noon EDT.
* Ken K. will also email HEPKI-TAG with information on both the Government's offer to the higher-education community, and the fPKI work itself.
* Jim will send the list the URL for the Oscar project, based in Australia.
* Eric will send HEPKI-TAG his OpenSSL contact information.
* [Anonymous] will contact Sal at California about directories work related to certificate portability.
* Ken W. (UCOP) and Keith (Wisconsin) will send Ken K. profiles from their institutions.
* Ken K. will contact Andy at Michigan for information on their work with junk certs, and Bob Moskowitz for information on fPKI profile work.
* Judith has writeups of CA best practices from Princeton, Georgia Tech, and MIT; she will notify HEPKI-TAG when they are ready to be posted, so that the group can discuss them in the next call.
* Jim Jokl will work on a benchmarking survey.