Technical Activities Group Meeting Minutes
HEPKI-PAG Conference Call

March 28, 2001

Attendees

* Jim Jokl (chair) - Virginia
* Eric Norman - Wisconsin
* Ellen Vaughan - Internet2
* Michael Gettes - Georgetown
* Chris Misra - Massachusetts
* Keith Hazelton - Wisconsin
* Ken Klingenstein - Colorado/Internet2
* Neal McBurnett - Avaya
* Bob James - Pitt
* Bob Brentrup - Dartmouth
* David Wasley - UCOP
* Ben Chinowsky (scribe) - Internet2

Discussion

After approving the minutes, the group reviewed the action items from the previous meeting.

[Eric will send feedback to Judith suggesting that a prominent link to the CREN root cert be added to the CREN CA page.] Not done, but the link has been added.

[Jim, with Bob M.'s help, will tweak the first sentence of the last paragraph of the dc naming recommendation.] Still to do.

[Ken will send TAG the Shibboleth PKI questions he wrote up as part of the Shibboleth out-of-band work.] Done.

[Ken will find out if CAs issued by CREN can issue server certs, and contact Judith to discuss further as necessary.] According to David, the CAs can issue server certs, but the question remains whether or not relying parties can verify them.

[Jim will make Shibboleth PKI the main agenda item for the next TAG call.]

[All will read the design documents on http://middleware.internet2.edu/shibboleth/, especially "Shibboleth Flows".]

[Ken will produce a short document to guide the discussion of Shibboleth PKI issues.]

For these three, see below.

The Department of Energy has asked someone from Internet2 to sit in on a PKI evaluation on April 18. Ken asked for a volunteer from TAG, and forwarded the DoE's request to the list.

Most of the call was devoted to a discussion of the relationship between Shibboleth and PKI. Agreement was reached on four points.

* It was agreed to follow the SSL paradigm tentatively suggested by Bob Morgan. Given uncertainty about whether or not VeriSign and other cert vendors will approve of this use of the key, it was suggested that Shibboleth use a key pair separate from that of any regular SSL service on the Shibboleth systems. [AI] David, making use of legal help as necessary, will find out if the VeriSign CPS prohibits alternative uses for SSL certs.
* The name field of the SSL cert should specify the security domain DNS and the Shibboleth service. This name will have to match the name in an out-of-band agreement.
* Using SSL certs from a widely-known root CA, and naming as above, would alleviate the need for a key exchange service, at least at first. Revocation would be done at the root CA, using mechanisms that exist today. The Shibboleth systems would need to do cert validation, but TAG did not discuss how the systems would do this. [AI] David will find out if VeriSign charges for cert revocation. [AI] Judith will find out how CREN certs can be revoked and how the CREN CRL will be checked.
* It was briefly noted that protecting the Shibboleth SSL key seems equivalent in importance to protecting regular SSL keys, but this needs to be discussed further. Club Shibboleth bylaws could probably address most of this.
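The validation step the group left open, as an added illustration that is not part of the minutes or of Shibboleth itself: a relying party checks that the peer's SSL cert chains to the trusted root, that its name matches the out-of-band agreement, and that the root CA's CRL does not list it. It uses the Python `cryptography` library; the root CA, key pairs, names and agreement table are all constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2001, 3, 28, tzinfo=datetime.timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, issuer, pubkey, signer, serial, ca=False):
    # Minimal cert whose subject CN carries the name; signed by `signer`.
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer)
            .public_key(pubkey).serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))

# Constructed root standing in for a widely known vendor root; ROGUE_KEY is an outsider.
ROOT_KEY, ROGUE_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
ROOT = _cert("Example Root CA", _name("Example Root CA"), ROOT_KEY.public_key(), ROOT_KEY, 1, ca=True)

def issue(cn, serial, signer=ROOT_KEY):
    # Leaf cert with its own key pair, separate from any regular SSL service key.
    key = ec.generate_private_key(ec.SECP256R1())
    return _cert(cn, ROOT.subject, key.public_key(), signer, serial)

def build_crl(revoked_serials):
    # Revocation is done at the root CA, so the CRL is root-signed.
    b = (x509.CertificateRevocationListBuilder().issuer_name(ROOT.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(ROOT_KEY, hashes.SHA256())

# Out-of-band agreement (constructed): (security domain DNS, service) -> cert name.
AGREEMENT = {("example.edu", "shib-hs"): "shib-hs.example.edu"}

def validate(cert, crl, domain, service):
    """Relying-party checks from the call; returns (ok, reason). Expiry omitted."""
    try:  # 1. issuer must be the trusted root, and both signatures must verify
        if cert.issuer != ROOT.subject or not crl.is_signature_valid(ROOT.public_key()):
            raise InvalidSignature
        ROOT.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "not issued by trusted root"
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if AGREEMENT.get((domain, service)) != cn:  # 2. name must match the agreement
        return False, "name does not match agreement"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number):  # 3. CRL
        return False, "revoked"
    return True, "ok"
```

A real deployment would also check the validity period and fetch the CRL from the root CA's published distribution point rather than building it locally.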
The call concluded with the assignment of several miscellaneous action items. [AI] All will send Jim lists of their projected PKI apps for the spreadsheet. [AI] All will send the TAG list information on tools they know of for looking at certs. [AI] Bob J. will send his cert out to the list, and all will see if they can open it. [AI] Neal will send the list a link to a site in the Netherlands that will "take certs and do something with them." [AI] All who have feedback to provide on the CREN cert download process will send it to Judith. [AI] Judith will send Ken the CREN cert fingerprint for posting on the I2-MI site. [AI] Judith will find out about the possibility of bundling multiple CA certs into a single download from CREN.

Action Items

* [AI] David, making use of legal help as necessary, will find out if the VeriSign CPS prohibits alternative uses for SSL certs.
* [AI] David will find out if VeriSign charges for cert revocation.
* [AI] Judith will find out how CREN certs can be revoked and how the CREN CRL will be checked.
* [AI] All will send Jim lists of their projected PKI apps for the spreadsheet.
* [AI] All will send the TAG list information on tools they know of for looking at certs.
* [AI] Bob J. will send his cert out to the list, and all will see if they can open it.
* [AI] Neal will send the list a link to a site in the Netherlands that will "take certs and do something with them."
* [AI] All who have feedback to provide on the CREN cert download process will send it to Judith.
* [AI] Judith will send Ken the CREN cert fingerprint for posting on the I2-MI site.
* [AI] Judith will find out about the possibility of bundling multiple CA certs into a single download from CREN.