*HEPKI-TAG Conference Call*
January 24, 2007

*Attendees*
Jim Jokl (chair) - Virginia
Eric Norman - Wisconsin
Nathan Faut - KPMG
Neal McBurnett - Internet2
Ben Chinowsky (scribe) - Internet2

*Action Items* (from previous calls)
[AI] David will send out a URL for Michael Sessa's work on digitally-signed XML transcripts.
[AI] Eric will experiment with delivery and trust of root and intermediate certs via the web in Mozilla-family browsers.
[AI] Jim will incorporate Scott's digsig-tools information into the HEPKI-TAG web site.
[AI] David will follow up on SAFE's open-source signing work.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.

*Discussion*

The group discussed the Extended Validation (EV) certificates being put forward by the CA/Browser Forum (http://www.cabforum.org/) to stop phishing. Eric noted that there are few financial institutions among the CA/B Forum participants (http://www.cabforum.org/forum.html), which is worrisome, as these are the organizations most affected by phishing. Apple is also absent.

Eric noted that from a user standpoint, the basic idea is that the browser will signal that the certificate holder is a legitimate business by displaying a green address bar. For self-signed or non-EV certs, the address bar will remain its usual color. VeriSign has proposed certifying logos, and having the address bar display them as well. Eric suggested that logos have the same problem as domain names -- there aren't enough good ones to go around -- and cited the example of the University of Wisconsin suing high schools with logos similar to its own. Neal observed that more legal protection is available for logos than for domain names. There have been complaints that only large businesses will be able to afford having their logos certified.

VeriSign has a step-by-step procedure for obtaining an EV cert at http://www.verisign.com/support/ssl-certificates-support/extended-validation/