Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

February 27, 2002
Attendees

* Jim Jokl (chair) - Virginia
* Neal McBurnett - Internet2
* Bob Brentrup - Dartmouth
* Chris Misra - Massachusetts
* Eric Norman - Wisconsin
* Judith Boettcher - CREN
* Deb Crocker - Alabama
* Ellen Vaughan - Internet2
* Bill Doster - Michigan
* Ken Klingenstein - Colorado/Internet2
* Michelle Gildea - CREN
* David Wasley - UCOP
* Jeff Schiller - MIT/CREN
* Bob Morgan - Washington
* Ben Chinowsky (scribe) - Internet2

Discussion

The minutes of the last meeting were corrected and approved. The group reviewed action items:

* [13-February - Judith will check with Michelle on the status of the Tumbleweed plugin.] - Still to do.
* [13-February - Jim will find out what cert store the SSH.com client uses.] - Still to do.
* [13-February - Jim and Deb will draft a letter to SSH.com, to be signed by as many representatives of higher education as possible, asking that the support for cert-based authentication now present in their commercial version be added to both the server and the client in their free version.] - Still to do.
* [13-February - Eric will send out a URL for documentation of iPlanet's and Microsoft's recommendations about certificate extensions and criticality.] - Done; see http://docs.iplanet.com/docs/manuals/cms/42sp2/plugin_guide/app_ext.htm .
* [30-January - Jim to send out merged policy/practices document for review.] Jim has sent the document to MACE; change to [AI] Jim will work with MACE to find more reviewers for the PKI Lite CP/CPS.

Noting that KX.509 is being packaged as part of NMI Release 1.0 (part of this task is figuring out how to make it work with the Globus Toolkit), as well as being made available as a standalone utility, Ken asked the group for its thoughts on how campus KCAs should fit in with other campus CAs. It appears that leading Grid projects such as NEES and GriPhyN are planning to deploy their own KCAs, one KCA per project per campus, meaning that a single campus might have several KCAs. Michigan, Virginia, and Minnesota each have a CREN-signed root cert that covers the whole campus, and which is in turn used to certify other services. There was general agreement that this approach is preferable to having CREN certify the KCAs directly. Michigan has documented its experience in this area; [AI] Bill and Ken will pursue getting Michigan's KCA documentation into NMI Release 1.0. Eric suggested calling more attention to KX.509's PKCS#11 module, which lets Netscape browsers use the Microsoft CryptoAPI, thereby enabling them to share a cert store with Internet Explorer.

Ken also asked for volunteers to test the KX.509 client on Solaris; Bill noted that the KX.509 group is particularly interested in testing the client install instructions. [AI] All who can help test the KX.509 client on Solaris will contact Bill or Ken.

The group reviewed PKI Lite S/MIME project documents. [AI] Jim will a) incorporate some of David's suggested changes to the PKI Lite cert profiles; b) in the end-entity profile, add a little more explanation of why 512-bit keys are sometimes permissible; and c) in 1.a.3 and 1.b.3 of the Experiment Requirements document, clarify what's meant by "based on". Concern was expressed that the S/MIME clients table is becoming big and unwieldy; Bill pointed out that the purpose of the table is to organize all relevant information so as to find out what clients can interoperate, then on that basis shrink the table down again.

Jeff expressed discomfort with the obstacles to cert issuance involved in using CREN certs in Phase 2 of the project, as described in the Experiment Requirements document. He observed that "We keep making the same mistake: putting up barriers to the adoption of this technology." Jeff strongly urged the group to make certs as easy to get as possible, a la Black Helicopter; in particular, he recommended that no face-to-face interaction be required to get a cert. This means not rushing into Phase 2; Judith agreed that TAG may be getting ahead of itself in planning for Phase 2.

Action Items

1. [AI] 27-February - Jim will work with MACE to find more reviewers for the PKI Lite CP/CPS.
2. [AI] 27-February - Bill and Ken will pursue getting Michigan's KCA documentation into NMI Release 1.0.
3. [AI] 27-February - All who can help test the KX.509 client on Solaris will contact Bill or Ken.
4. [AI] 27-February - Jim will a) incorporate some of David's suggested changes to the PKI Lite cert profiles; b) in the end-entity profile, add a little more explanation of why 512-bit keys are sometimes permissible; and c) in 1.a.3 and 1.b.3 of the Experiment Requirements document, clarify what's meant by "based on".
5. [AI] 13-February - Judith will check with Michelle on the status of the Tumbleweed plugin.
6. [AI] 13-February - Jim will find out what cert store the SSH.com client uses.
7. [AI] 13-February - Jim and Deb will draft a letter to SSH.com, to be signed by as many representatives of higher education as possible, asking that the support for cert-based authentication now present in their commercial version be added to both the server and the client in their free version.
8. [AI] 13-February - All will review the updated PKI Lite S/MIME requirements document and send comments to the list.
9. [AI] 13-February - Updates to the planned S/MIME clients table http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-smime-clients-3.html :
   a) Jim will ask Ed if he will work on the Netscape Messenger column
   b) Neal will work on Mozilla, putting all the information in one column and noting any Unix/Windows differences
   c) Michelle will look at Outlook 2000
   d) Eric will look at Eudora/Tumbleweed
   e) Jim will try to recruit further contributors to the table
10. [AI] 16-January - Bob Morgan and Eric will try to find out if anyone is planning to add S/MIME to pine.
11. [AI] 2-January - Ken will follow up with the people responsible for testing the fix proposed for the L-Soft signed messages problem.
12. [AI] 19-December - Judith will draft a scenario for using S/MIME for homework submission.
13. [AI] 5-December - Jeff will have lawyers at MIT review the legal language in the draft CPS template.
14. [AI] 5-December - Ed will find out more about Dartmouth's timesheet-signing application, for discussion on the next call.
15. [AI] 5-December - Keith will point Wisconsin's deputy CIO to the posted draft CPS template.
16. [AI] 10-September - Eric will a) investigate and document a problem that Ed has encountered with using PKIUser objects to get certs from LDAP directories (what the user sees in the retrieved cert is only a fingerprint, not cert details), and b) send the list information on his experience with cert retrieval using Internet Explorer.