Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

October 23, 2002
Attendees

* Jim Jokl, Internet2
* Bob Brentrup, Dartmouth
* Judith Boettcher, CREN
* Neal McBurnett, Internet2
* Eric Norman, Wisconsin
* David Wasley, UCOP
* Bob Morgan, Washington
* Jeanette Fielden, Internet2

Discussion

Neal volunteered to take a look at TinyCA and write a brief description.

Root certificate download material has been posted to the website.

Bridge Testing Support: Washington has the cross certificate in place but is not sure whether the registry directories are hooked up. Eric has a machine running at Wisconsin and believes he can issue certificates. The next step is to try issuing and testing basic certificates. Certificates will need to be issued to volunteers who will work on bridge testing. Jim will e-mail the list for volunteers, and detailed instructions will be sent to those responding.

One goal of the testing is to determine at what level of functionality XP and Java (JDK 1.4) are bridge aware. In terms of XP, most of the PKI functionality in other versions of Windows is not in the applications themselves. The hope is that the same is true in XP, and that certificates are stored in the Windows cache and validated through the bridge rather than chased up the chain. Tests will need to be done for Outlook, IE, etc., with equivalent tests done for Java.

Outlook S/MIME document: A message will go out to the list asking for last comments on the document. It will then be finalized.

Educause Annual Meeting: There were several PKI sessions with large attendance. A panel with Steve Worona, Claire Goldsmith, and Peter Alterman presented a report on the bridge and talked about activities to date and future plans. Bob Brentrup discovered at his session that many people have personal certificates, though they aren't currently using them for much. The University of Helsinki has an active project going, and Virginia Tech has done a signature pilot with a couple of classes. Judith noted that, while showing the browser and the announcement about the new CREN release for the root store at the CREN booth, there was a lot of interest in PKI, if not active participation yet. It was a great opportunity to promote what HEPKI is doing.

Discussion: People are interested, but there isn't demand for actually doing things yet. Is it because there is an unidentified barrier? The general consensus is that it is a complex set of technologies to implement and there aren't yet enough uses, or mandatory usage, to drive adoption. People aren't sure this is ready for prime time and don't want to commit or use resources until they know it is. It is an encouraging sign that people are coming to the CREN site to see how it works.

Hardware Tokens: One large issue is: how do you make sure you get the right hardware token into the hands of the right person? What is your distribution process? How do you know the person receiving the credential is the person who should be receiving it? This is an important part of the process.

The certificate practices statement (CPS), the partner document to the certificate policy (CP), is required to define how an individual is identified at the time they request that a certificate be issued to them. There are many different ways to do that. If you want high-reliability identification, you can require that a person show up before an official of the institution and prove who they are in order to receive the certificate. Some institutions use a PIN mailed to the person; this is more practical for low-assurance certificates distributed to a large population. Different levels of service will have different requirements for issuance. There is no one universal method. Regardless of the issuance method, there still remains the issue of how you keep someone else from using the credential. There's no easy answer to that for most scenarios.

Judith provided an update on the document for issuance of the CREN client certificates. The model is that a person on campus will be identified to serve as the registrar for that campus. That person will authorize certificates to be issued to other people on that campus. Judith will forward the document to the group for comments and review. Relevant sections will be highlighted for ease of reading.

The next call is November 6, 2002.