*HEPKI-TAG Conference Call*
June 28, 2006
*Attendees*
Jim Jokl (chair) - Virginia
Scott Rea - Dartmouth
Eric Norman - Wisconsin
Nathan Faut - KPMG
David Wasley - independent
Neal McBurnett - Internet2
Ben Chinowsky (scribe) - Internet2
*Action Items* (new)
[AI] Eric will experiment with delivery and trust of root and intermediate certs via the web in Mozilla-family browsers.
[AI] Scott will send out a pointer to the draft TAGPMA CA audit requirements.
[AI] Jim will incorporate Scott's digsig-tools information into the HEPKI-TAG web site.
[AI] Jim will incorporate the latest round of changes to the CA requirements document, adding tentative implementation priorities for each item.
(from previous calls)
[AI] All will ask their contacts what material their schools would find most useful in a PKI implementers workshop.
[AI] David will follow up on SAFE's open-source signing work.
[AI] All will send URLs for CA software (open-source or not) to TAG.
[AI] Eric will let TAG know when Ron DiNapoli's work on Aladdin eTokens on Macintosh is available for the group to look at.
[AI] All will look at http://www.gridpma.org for materials for the CA Audit project to point to or extract from.
[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF).
[AI] All who can test the Eudora S/MIME plugin, or find others to do so, will contact Jim.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] All who have time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.
[AI] Jim will continue looking at PKI Lite cert profiles for Rice's code-signing application.
[AI] Eric will call Mozilla's attention to the fact that they don't support the standards needed to recognize trust anchors on tokens, and nudge them to do something about it.
[AI] Eric will continue seeking feedback on his Top 10 lists, especially from HCISec.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark will ask Jed Dobson for more information on OSG.
[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.
[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
[AI] All will send Jim further suggestions for TAG projects.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
*Discussion*
Scott suggested that the draft TAGPMA (http://www.tagpma.org/) audit requirements for CAs might be a good starting point for HEPKI's audit project. [AI] Scott will send out a pointer to the draft TAGPMA CA audit requirements. Scott also sent the list a report on signing tools he helped put together last year. [AI] Jim will incorporate Scott's digsig-tools information into the HEPKI-TAG web site.
Most of the call was spent reviewing the latest version of the draft HEPKI/USHER Campus CA Project Requirements (http://middleware.internet2.edu/hepki-tag/new/ca-req-3.html). With respect to item 1a) -- 'Use of native OpenSSL with "Engine" support to enable the use of HSMs for CA Private Key Protection' -- Scott asked whether we really want to restrict ourselves to OpenSSL only, and suggested the IAIK crypto toolkit (http://jce.iaik.tugraz.at/) as another possibility. The group agreed to stick with just OpenSSL for now, but to add a note stating that other packages will be considered for future versions and that OpenSSL was chosen for the initial version because it best meets the following criteria:
- general familiarity with it among the expected user base
- command line interface
- works with common HSMs
- FIPS-certified
- open-source
[AI] Jim will incorporate the latest round of changes to the CA requirements document, adding tentative implementation priorities for each item.