August 28, 2002
Attendees
* Jim Jokl, Virginia
* Eric Norman, Wisconsin
* Steve Worona, Educause
* Judith Boettcher, CREN
* Michelle Gildea, CREN
* Jill Gemmill, UAB
* Tamara O'Brien, UW-Madison
* Keith Hazelton, UW - Madison
* Deb Crocker, Alabama
* Chris Misra, Massachusetts
* John Douglass, Georgia Tech
* Jeanette Fielden, Internet2
* Neal McBurnett, Internet2
Action Item Updates
* Jim will mail out the S/MIME Issues document for Outlook and Outlook Express today or tomorrow.
* The Eudora plug-in is not yet ready to go. A release date has not been set.
* Office XP digital signatures: The Office XP product (used on Win2K client) allows multiple signatures to be attached to a single document. Unfortunately, only users of Office XP can see these signatures; Office 2000 users can open the documents, but are not aware of the signatures.
* Active content was tested by inserting a date macro into a signed document, and into an unsigned document. When you open the unsigned document, the date macro updates to current date/time; however, the signed document macro becomes "inactive" meaning that when you open the signed document, the date & time remain as they were at the time the document was signed. If you click into the date field, you can "reactivate" the macro but you receive a warning that if you save the change the signature will be thrown away. Additionally, there are too many steps (menu selections & clicks) needed to get to the place where you actually sign documents or review signatures. The only indication the document is signed is the word (signed) in the document title bar. The software allows you to create your own digital certificate.
* The pilot for certs is ready to expand to a greater number of participants to continue debugging/testing.
Discussion
There is a desire to capture information about what large universities have done with campus root cert distribution. Has anyone else had the kind of success Columbia has had in getting people to download its root cert? What can we learn about how they got such a high rate of response? MIT has also done quite a bit and Dartmouth is fairly far along. The need is for some way to get the root cert into all the browsers on a campus.
Additionally, is it possible/desirable to simplify the process for downloading root and user certs? The root cert can be installed as part of the end entity cert chain. Then you go from downloading the root separately to a single pop-up for the root asking if you want to trust it. If you say yes, you get everything at once. This works with IE. It is not as clear whether it works with Netscape 4.7 and 6.x.
In 4.7 and 6.2 it takes the whole chain silently without any questions to the user, but when you try to use it, it says that the root cert isn't trusted. It turns out it loaded the root but didn't mark it as trusted. You then have to go through a series of menus and say specifically that you want to trust the root before you can use it. It is possible that the wrong MIME type was set. The observed behavior doesn't agree with the documentation. Eric will experiment and determine which is the case and whether there is a simple way in Netscape to install a root certificate with a couple of others below it. John will also experiment with Netscape/Mozilla.
FERPA
What are the Family Educational Rights and Privacy Act (FERPA) implications if the browser is set to accept certs automatically? It is possible to set things up so that users are presenting an electronic equivalent of an ID card, with information, to a stranger and do not realize that is what they're doing. Most people putting e-mail addresses in the certs are also putting real names in the subject. If a student has opted out of the directory, can they be issued a user cert? What if they opt out later? The university can revoke the certificate, but the student could still present it to other parties. Is warning the student enough, or are universities liable?
One important thing to note about FERPA is who has cause of action. If a lawyer gets involved it has to be a lawyer for FERPA. The student or any individual does not have a cause of action against the university under FERPA. A university can only be sued by the government under FERPA and not by a student.
The next call is scheduled for September 11, 2002.