*HEPKI-TAG Conference Call*
January 25, 2006
*Action Items*
(new)
[AI] Neal will resend the material on credential assessment that he sent out in September, highlighting the information on European approaches.
[AI] Eric will let TAG know when Ron DiNapoli's work on Aladdin eTokens on Macintosh is available for the group to look at.
[AI] Neal will send out a URL for a document that tells you what to do if you want to use OpenSSL in FIPS mode.
(from previous calls)
[AI] All will look at http://www.gridpma.org/ for materials for the CA Audit project to point to or extract from.
[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF).
[AI] All who can test the Eudora S/MIME plugin, or find others to do so, will contact Jim.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] All who have time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.
[AI] Jim will continue looking at PKI Lite cert profiles for Rice's code-signing application.
[AI] Eric will call Mozilla's attention to the fact that they don't support the standards needed to recognize trust anchors on tokens, and nudge them to do something about it.
[AI] Eric will continue seeking feedback on his Top 10 lists, especially from HCISec.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark will ask Jed Dobson for more information on OSG.
[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.
[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
[AI] All will send Jim further suggestions for TAG projects.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
*Attendees*
Jim Jokl (chair) - Virginia
Eric Norman - Wisconsin
Jeff Schiller - MIT
David Wasley - independent
Nathan Faut - KPMG
John Krienke - Internet2
Neal McBurnett - Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
The tentative date to generate USHER root certs is February 21; this is also the go-live date for issuing authority certs. A writeup for the campuses is expected to be ready ahead of Feb. 21. The first PKI-Lite level of assurance will be called "USHER-Foundation". Cert names will all start with "USHER" so they will appear together when displayed in a browser. Jim is continuing to coordinate with Steve Carmody on plans for the USHER launch.
The group discussed the WebTrust audit process, used by Microsoft (see http://www.microsoft.com/technet/archive/security/news/rootcert.mspx) and others. The process involves mapping CPSes and other docs against WebTrust's 170 criteria (see Nathan's January 25 email for a simplified presentation of these criteria). Microsoft also accepts audits of similar value to WebTrust, but the burden of proof of similar value is on the CA that's seeking approval. PKI-Lite does not meet the WebTrust criteria. Nathan suggested the group take a look at how well USHER meets the WebTrust criteria.
Jeff suggested that certificate revocation rather than certificate issuance is the critical technology: a secure CA process would give certs to anyone, but with thorough I&A so you can find out if people are acting in bad faith and revoke their certs. Browsers shouldn't say a cert is good unless it passes up-to-the-minute revocation checking. This wouldn't stop the first victim getting burned, but it would prevent there being any further victims.
It was noted that one major issue is the tension between (on the one hand) a business model that involves large volumes and price competition, and (on the other hand) security requirements that necessitate making certificate issuance painful.
Neal is looking for further information on user-interface issues. He also noted there will be a session on this at the 5th Annual PKI R&D Workshop, which takes place April 4-6 in Gaithersburg, MD. See http://middleware.internet2.edu/pki06/.