*HEPKI-TAG Conference Call* June 29, 2005
*Action Items*
(new)
[AI] Eric will create a cert to use in testing PKI Lite for Rice's code-signing application; Jim will do the test.
(from previous calls)
[AI] Eric will call Mozilla's attention to the fact that they don't support the standards needed to recognize trust anchors on tokens, and nudge them to do something about it.
[AI] Eric will continue seeking feedback on his Top 10 lists, especially from HCISec.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark will ask Jed Dobson for more information on OSG.
[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing.html in the light of the list of questions there.
[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
[AI] All will send Jim further suggestions for TAG projects.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
*Attendees*
Jim Jokl (chair) - Virginia
Mark Franklin - Dartmouth
Eric Norman - Wisconsin
Nathan Faut - KPMG
Mark Scarborough - Rice
John Krienke - Internet2
Neal McBurnett - Internet2
Nick Lewis - Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
Jim outlined the resolution of LionShare's request for a USHER policy requirement. There will be no PKI Lite OID in the campus cert signed by USHER. However, in the LionShare implementation, USHER and campus certs can be used to sign SASL certs, and the SASL certs will contain the PKI Lite OID. The point is that no long-lived certs issued on campus have to have the OID, only the short-lived (1-2 hours) SASL certs. Jim noted that the discussion of this issue had led to a more general decision that USHER will not sign certs with an OID.

In the course of addressing this issue, Jim also looked into the possibility of using multiple policy OIDs; although the RFCs and X.509 docs specify how these should be processed, there is much skepticism about the compliance of existing code.
Mark Scarborough joined the call to discuss interest in using PKI Lite for code signing at Rice. The immediate use would be to enable developers to sign Excel macro code with a Rice cert and have the code run without a warning message appearing. [AI] Eric will create a cert to use in testing PKI Lite for Rice's code-signing application; Jim will do the test.
Finally, Neal noted that he's been trying to figure out how vulnerable users of real-world signing apps (XML DSIG, PGP, OpenOffice) are to potential attacks based on recently-discovered weaknesses in commonly-used hash functions. So far it appears that digital signatures have significant vulnerabilities, but other apps do not. [See Neal's July 22 message to the TAG list for details.]