Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

October 24, 2001

Attendees

* Jim Jokl (chair) - Virginia
* Chris Misra - Massachusetts
* Bob Morgan - Washington
* Eric Norman - Wisconsin
* Deb Crocker - Alabama
* Michelle Gildea - CREN
* Bob Brentrup - Dartmouth
* Bill Doster - Michigan
* Renee Frost - Michigan/Internet2
* David Wasley - UCOP
* Steve Worona - EDUCAUSE
* Ken Klingenstein - Colorado/Internet2
* Neal McBurnett
* Jeff Schiller - MIT/CREN
* Ed Feustel - Dartmouth
* Ben Chinowsky (scribe) - Internet2

Discussion

The minutes of the previous meeting were approved without changes. The group reviewed action items:

* [10-October - Jim will make Eric an account on the Internet2 demo machine so that Eric can set up the cert issuer.] Done.
* [10-October - All will send Ken questions for Sun on using certs with S/MIME clients.] Ongoing.
* [10-October - Jim will check status of action items from August 29 and earlier via email.] In process.
* [10-October - Jim will revise the PKI Lite cert profile and cert policy.] Done.
* [10-October - Jeff will draft a CPS template for PKI Lite.] Still to do.
* [26-September - Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.] In process.
* [26-September - Ed will send out the URL for the CREN framework document.] Done; Ed was referring to the CREN TechTalks archive: http://www.cren.net/know/techtalk/archives.html.
* [26-September - Eric will put his demo cert issuer on the Internet2 demo machine.] In process. Eric needs some changes made on the server before he can do this; Jim is continuing in the sysadmin role for the demo machine.
* [26-September - Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.] In process.
* [26-September - Jeff will look into getting user certs from MIT for the demo site.] In process.
* [26-September - Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.] Ongoing. Eric outlined a problem that came up in HEBCA testing; [AI] Eric will send the list information on the Outlook/L-Soft signed mail problem and some possible ways to get around it.
* [29-August - Renee will look into what policies Internet2 is considering for software distributions.] In process.
* [29-August - All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.] Ongoing.
* [1-August - Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.] In process. Ed noted that HEBCA requires policy OIDs but doesn't require mapping, and Ken suggested that it may soon be time for HEPKI to dust off the draft HEBCA CP at http://middleware.internet2.edu/certpolicies/.
* [6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.] Ongoing.
* [23-May - All will review Jeff's private-key-protection document and send comments to Jeff.] This project has morphed into a CREN FAQ on Hardware Security Modules; see http://www.cren.net/crenca/onepagers/hsm.html. The two main vendors in this area appear to be http://www.chrysalis-its.com/ and http://www.ncipher.com/. Ed pointed the group to an article in IEEE Computer co-authored by Sean Smith of the Dartmouth PKI Lab: Dyer, Lindemann, Perez, Sailer, Van Doorn, Smith, & Weingart, "Building the IBM 4758 Secure Coprocessor", IEEE Computer Magazine, October 2001.

TAG discussed a potential FERPA problem with PKI Lite: if an email address is included in the Subject field, as required for S/MIME, how can the certs be anonymous, as required for web authentication and access to online resources? Ed argued that "we shouldn't declare that these certs are totally anonymous, because they're not", and noted that the question of whether certs will be issued more like ID cards (stronger identification) or more like email accounts (weaker identification) is a big one for JSTOR. Bob M. asserted that "Lite implies non-privacy-preserving." Multiple CAs and multiple cert profiles were suggested, but there seemed to be more interest in Ken's proposal that PKI Lite have only one cert profile, but specify that PKI Lite's inter-domain use be limited to S/MIME; web authentication and access to resources would still be supported, but only intra-domain. [AI] Ken will ask HEPKI-PAG to develop scenarios for Steve Worona to take to the Department of Education for FERPA compliance checking.

There was a short discussion of who TAG should get to review the CPS and the CP; suggestions included lawyers, vendors, prospective PKI Lite relying parties, PKIX, the PKI Labs Advisory Board, and various CREN, EDUCAUSE and Internet2 lists. There was a marked division of opinion between those inclined to solicit a variety of opinions and those who were concerned that this would lead to making PKI Lite heavy.

TAG discussed the issue of how to specify affiliation in certs. Ed suggested following the methodology of the DLF architecture, and Bob M. noted that the DLF's approach is essentially the same as Shibboleth's. [AI] Ed will find TAG a reference on the DLF X.509 extension used to specify what application a cert is intended for. Michelle suggested using separate certs for students, faculty, etc.; Bill characterized this as "shoveling the inconvenience onto the end user". Ed suggested including an "affiliation status" in the certs, acknowledging that this requires frequent cert revocation as individuals' affiliations change; Bob M. emphasized that this drawback is a prohibitive one. Ed suggested that TAG seek JSTOR's opinion, and Bob B. noted that JSTOR has defined an extension for affiliation. [AI] Michelle will ask JSTOR for their thoughts on how to specify affiliation in certs.

Ed gave a short HEBCA update. The first phase of testing -- sending documents and verifying signatures -- has been successfully completed; the second phase -- using the bridge -- starts tomorrow. It looks like a wide range of institutions will participate, including UT-Houston. [AI] All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.

Finally, TAG took up S/MIME issues. Jeff is working on a novel solution to the problem of key recovery for encrypted mail. Private keys will be stored centrally, but protected by Kerberos. Only half of the secret key that protects the keystore will be retained by the CA; the other half will be provided to the user, who will be instructed to print it and keep it in a safe place. In the event that the encryption cert is lost, the user and the CA together will be able to unlock the keystore. Jeff also noted that one problem with using a secure coprocessor is that you need a way to regenerate the key if the hardware gets damaged, for instance, in a situation where law enforcement officers, told that the secret they need is in the box, take the box. Eric suggested that TAG work to develop a mailing list system that requires S/MIME postings; majordomo, GNU mailman and shibboleth (not the same project as Internet2's Shibboleth) were suggested as contexts in which to pursue this.
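
The two-party recovery described above, as an added sketch that is not Jeff's design or code from these minutes: it assumes the two halves come from a 2-of-2 XOR split (the minutes do not say how they are produced), so neither the CA's share nor the user's printed share reveals anything about the keystore key on its own. The function names, the Base32 print format with its checksum, and the key check value are all assumptions for illustration; the Kerberos protection of the keystore is out of scope.

```python
import base64
import hashlib
import hmac
import secrets

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split (assumed scheme): returns (ca_share, user_share)."""
    user_share = secrets.token_bytes(len(key))
    ca_share = bytes(a ^ b for a, b in zip(key, user_share))
    return ca_share, user_share

def key_check_value(key: bytes) -> bytes:
    """Short digest the CA keeps so a recombined key can be confirmed."""
    return hashlib.sha256(b"kcv" + key).digest()[:8]

def to_printable(share: bytes) -> str:
    """Base32 text with a 4-byte checksum, grouped for a paper printout."""
    body = share + hashlib.sha256(share).digest()[:4]
    text = base64.b32encode(body).decode().rstrip("=")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))

def from_printable(text: str) -> bytes:
    """Parse a typed-in share; ValueError means it was mistyped or damaged."""
    raw = text.replace("-", "").replace(" ", "").upper()
    raw += "=" * (-len(raw) % 8)          # restore Base32 padding
    body = base64.b32decode(raw)          # binascii.Error is a ValueError
    share, check = body[:-4], body[-4:]
    if not hmac.compare_digest(hashlib.sha256(share).digest()[:4], check):
        raise ValueError("printed share failed its checksum")
    return share

def recover(ca_share: bytes, user_share: bytes, kcv: bytes) -> bytes:
    """Recombine both shares and refuse a key that fails the check value."""
    if len(ca_share) != len(user_share):
        raise ValueError("share lengths differ")
    key = bytes(a ^ b for a, b in zip(ca_share, user_share))
    if not hmac.compare_digest(key_check_value(key), kcv):
        raise ValueError("recombined key does not match the check value")
    return key

if __name__ == "__main__":
    keystore_key = secrets.token_bytes(32)   # constructed sample key
    ca_share, user_share = split_key(keystore_key)
    kcv = key_check_value(keystore_key)
    sheet = to_printable(user_share)         # what the user prints and files
    print("user's printed share:", sheet)
    assert recover(ca_share, from_printable(sheet), kcv) == keystore_key
```

Literally cutting the key in two would leave each party holding half of its bits; the XOR split avoids that, at the cost that losing either share makes the keystore key unrecoverable.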

Action Items

* [AI] 24-October - Eric will send the list information on the Outlook/L-Soft signed mail problem and some possible ways to get around it. [Done 10/28]
* [AI] 24-October - Ed will send the list a reference to an IEEE Computer article on the IBM 4758 Secure Coprocessor. [Done 10/27]
* [AI] 24-October - Ken will ask HEPKI-PAG to develop scenarios for Steve Worona to take to the Department of Education for FERPA compliance checking. [Done]
* [AI] 24-October - Ed will find TAG a reference on the DLF X.509 extension used to specify what application a cert is intended for.
* [AI] 24-October - Michelle will ask JSTOR for their thoughts on how to specify affiliation in certs.
* [AI] 24-October - All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.
* [AI] 10-October - All will send Ken questions for Sun on using certs with S/MIME clients.
* [AI] 10-October - Jim will check status of action items from August 29 and earlier via email.
* [AI] 10-October - Jeff will draft a CPS template for PKI Lite.
* [AI] 26-September - Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.
* [AI] 26-September - Eric will put his demo cert issuer on the Internet2 demo machine.
* [AI] 26-September - Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.
* [AI] 26-September - Jeff will look into getting user certs from MIT for the demo site.
* [AI] 26-September - Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.
* [AI] 29-August - Renee will look into what policies Internet2 is considering for software distributions.
* [AI] 29-August - All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.
* [AI] 1-August - Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
* [AI] 6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.