Untitled Document

Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

September 25, 2002
Attendees

* Jim Jokl, Virginia
* Steve Worona, Educause
* Deb Crocker, Alabama
* Jeff Schiller, MIT
* Bob Morgan, U. Washington
* Judith Boettcher, CREN
* Eric Norman, Wisconsin
* Michelle Gildea, CREN
* Jeanette Fielden, Internet2
* Neal McBurnett, Internet2

Discussion

Signed objects discussion. In the context where a user employs their normal end-to-end cert to sign a temp cert, there is a question of whether or not that breaks the rules if you generalize the case. If you sign an object and it delegates authority on your behalf is this ok? The general agreement of the group is that it's reasonable. It is questionable in the grid context. Using an end user cert without a CA bit, then using that to sign another X.509 cert and use it on the users behalf technically violates strict hierarchical CA. It is a matter of how the software is written. Normal software will break, as it should, if CA is false and the end entity cert is used to sign another cert. Other software could conceivable be coded to accept it. If CA set to true on what we think of as an end entity cert will it break any software? The answer is: Not sure, which could imply something is not correct in design.

If a user want to use something that looks like an X.509 do we care? If you have CA = true in a cert you issue to a user, that implies they are a CA trusted by you in some form. All that someone is asserting by presenting that cert is that they are who someone else says they are. Do you need to be concerned whether they've been authorized to sign other certs? There wouldn't be any reason why you don't want users to sign X.509 certs. They control what's in the cert and all they are doing is attesting that they are the individual who signed it.

Proxy Certs: Suppose there is an attempt to delegate them to yourself or your agents. Why can't one of your agents be another user? The idea of end entity is that I as the end user can't file a cert for someone else because that implies trust all the way up. If I as the end entity want to delegate part of my personal responsibility for someone else why shouldn't I be able to issue a cert to this person to work on my behalf if I need to delegate that with a cert? The question of who cares depends on the software of the relying party and if it is programmed to accept those kinds of proxy certs. The software would have to be designed to specifically accept that delegation case since normal software would break. If it's a capability we want to have then the standards body needs to address it at some future point. Group consensus: track and monitor the issue.

Hardware Tokens: More volunteers are needed to take a token and go through the evaluation list. No new volunteers at this time. Jim will distribute which tokens need a volunteer via the list.

Outlook/Outlook Express Document: Jim has provided a copy of the document version previous the directory section to Microsoft. Paul noted that when the final document is ready he will submit it under the MIT contract where it can be tracked. Jim will circulate final version for approval.

Generic signing document: Volunteers are needed to help with sections on document signing and web forms. Neal and Jim will do an introduction on some of the problems with active content. Jill is working with the office XP piece. Jim is taking the Adobe and Pro sign. Jim will check with David about info on what UCOP is working on with web forms. More volunteers are needed for sections not yet assigned and to help pull the document together.

Updates to the S/MIME table on browsers. Getting feedback that just having Netscape and Mozilla as generic columns is not enough given all the releases. Consensus is that there needs to be clarification. If we've tested the browsers and know they meet the criteria then having one column that documents that is needed. Neal agreed to participate. Judith will check on information about the next release of the Opera Browser (7.0). 7.1 will be out by the end of the year and will include an e-mail functionality with S/MIME support.

Downloading root certificates in IE: As discussed in previous calls IE can be confusing to users to download root certificates. When downloading a file with the right mime types, the wizard can produce several confusing pop-ups. An alternate method uses the same Active X control that you use to receive your personal certificate. If you have to old version of the Active X control you get a single pop-up. If you downloaded the Microsoft security fix for Active X, you get two pop-ups at the default security setting (higher security setting means more pop-ups). This is easier than using the wizard and going through the install process Jim will write this up and put on the web site.

Finally there was a discussion of the NMI effort and our participation/contributions. Since the question of using proxy certs as defined is being laid in front of us, as a group we should consider writing up issues, and perhaps eventually a conclusion about implementation of proxy certs. In particular consider the proxy technology as implemented in Globus and whether that is deployable on campuses and if the benefits of it are worth doing. If the conclusion is that it is worth doing then the question of the technology to use must also be considered. Bob Morgan is in the process of writing up some comments.

The next call is Wednesday October, 9 2002.