December 03, 2003
* Jim Jokl, U. Virginia
* Eric Norman, Wisconsin
* Bob Morgan, U. Washington
* Shelly Henderson, USC
* Barry Ribbeck, UT-HSCH
* Mark Franklin, Dartmouth
* Steve Carmody, Brown
* Jeff Schiller, MIT
* Renee Frost, Internet2
* Jeanette Fielden, Internet2
* Neal McBurnett, Internet2
USHER/InCommon Profile Discussion
There was concern over including an e-mail address in the profile. After a brief discussion it was decided to remove the e-mail address from the profile.
It was agreed that more research is needed about the key usage bits before deciding to leave them in or remove them from the certificate. While many certificates carry the bits, no one knew whether that was because applications require them or simply because profiles are copied from other certificates. Eric stated that he had not seen anything about the offline CRL signing bit or key usage in the RFC. Jeff pointed out that careful thought needs to be given to which extensions are marked critical. Other root certificates will be examined to see how most of them set the bits, and research into what the bits actually mean will be done as well.
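As an added illustration, not part of these minutes, the following Python (standard library only) encodes and decodes a KeyUsage extension exactly as it appears in DER, so the meaning of each bit position and of the critical flag can be read off raw certificate bytes rather than inferred from what other profiles copy. The bit names follow the KeyUsage definition in RFC 3280 section 4.2.1.3; the two sample encodings (a CA's keyCertSign plus cRLSign, and a server certificate's digitalSignature plus keyEncipherment) are constructed here for the example.

```python
"""Encode/decode an X.509 KeyUsage extension at the DER level (example code).

Extension  ::= SEQUENCE { extnID OBJECT IDENTIFIER,
                          critical BOOLEAN DEFAULT FALSE,
                          extnValue OCTET STRING }      -- wraps KeyUsage
KeyUsage   ::= BIT STRING, bit 0 = digitalSignature ... bit 8 = decipherOnly
"""

# Named bits in order; bit 0 is the most significant bit of the first content byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
ID_CE_KEY_USAGE = bytes.fromhex("551d0f")  # content bytes of OID 2.5.29.15


def der_length(n):
    """DER definite-form length: short form below 0x80, else 0x8N + N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_key_usage_bitstring(names):
    """BIT STRING whose first byte counts unused trailing bits; DER trims trailing zeros."""
    if not names:
        return der_tlv(0x03, b"\x00")
    positions = [KEY_USAGE_BITS.index(n) for n in names]
    highest = max(positions)
    nbytes = highest // 8 + 1
    value = 0
    for p in positions:
        value |= 1 << (nbytes * 8 - 1 - p)
    unused = nbytes * 8 - 1 - highest
    return der_tlv(0x03, bytes([unused]) + value.to_bytes(nbytes, "big"))


def encode_key_usage_extension(names, critical):
    body = der_tlv(0x06, ID_CE_KEY_USAGE)
    if critical:
        # BOOLEAN TRUE is 0xFF; FALSE is the DEFAULT and must be omitted in DER.
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, encode_key_usage_bitstring(names))
    return der_tlv(0x30, body)


def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage_extension(der):
    """Return (critical, [bit names set]) for one DER-encoded KeyUsage Extension."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != ID_CE_KEY_USAGE:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                      # optional critical BOOLEAN present
        critical = val == b"\xff"
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing extnValue OCTET STRING")
    btag, bits, _ = _read_tlv(val, 0)
    if btag != 0x03:
        raise ValueError("extnValue is not a BIT STRING")
    unused, content = bits[0], bits[1:]
    total_bits = len(content) * 8 - unused
    names = [KEY_USAGE_BITS[p] if p < len(KEY_USAGE_BITS) else "bit%d" % p
             for p in range(total_bits) if content[p // 8] & (0x80 >> (p % 8))]
    return critical, names


if __name__ == "__main__":
    ca = encode_key_usage_extension(["keyCertSign", "cRLSign"], critical=True)
    print(ca.hex())                         # 300e0603551d0f0101ff040403020106
    print(decode_key_usage_extension(ca))   # (True, ['keyCertSign', 'cRLSign'])
    server = encode_key_usage_bitstring(["digitalSignature", "keyEncipherment"])
    print(server.hex())                     # 030205a0
```

The two hex strings are the ones that show up in most CA and server certificates in the field, which is one quick way to check whether a profile under review actually sets what it claims. Note that a BOOLEAN FALSE byte in the output would make the encoding non-DER, so a decoder that tolerates it is being lenient.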
Jim will correct the editing mistake in relation to the AIA extension in the InCommon server cert profile. Eric objected to putting anything in the AIA that hasn't been standardized. Bob pointed out that only LDAP version 2 has been standardized, not version 3, and that combining AIA with existing LDAP is likely not enough to get
[AI] Jim: Will draft a paragraph outlining that for the http URL we expect it to be pointing at a PKCS7 that will operate with Windows.
Next HEPKI-TAG Projects:
Number of schools interested in each project:
* HW tokens: 3
* Windows domain: 4
* CA audit: 3.5
* ETLS: 2.5
* S/MIME: 5
* Intro materials: 2
* Document signing: 3
* Private key protection: 2
S/MIME - Internet2 is using SYMPA for middleware e-mail lists and the HEPKI-TAG list has been moved to the SYMPA server. There is S/MIME support in SYMPA. Steve Carmody indicated that once SYMPA is installed on one of the Shibboleth test machines, a test list could be set up to play with the S/MIME functionality of SYMPA. Dartmouth has a SYMPA server that can be used as well. The private key for the list will need to be placed on the server itself so that the list software can decrypt mail encrypted to the list and re-encrypt it to subscribers.
The S/MIME e-mail client table will need to be updated to reflect new clients that support S/MIME, such as Pine, Mulberry, Apple clients, Thunderbird, etc. The clients can be tested by encrypting and sending mail to the list, which people can then verify for client interoperability.
[AI] All: Please send Jim signed messages so he can get the certs up on the PKIdev repository for downloading.
[AI] Jim will send e-mail to the list of what certs are available on PKIdev.
Other S/MIME goals:
* updating the Microsoft
* creating a list of features in the e-mail clients that would make S/MIME easier to deploy/manage within the enterprise/campus, such as having web mail be able to verify signatures for official announcements and how to do cross-institutional S/MIME.
* certificate management issues and how to arrange them when verifying signatures.
* common documentation for risks of encryption etc. from the user perspective.
The goal is to make S/MIME features in e-mail easier to use and understand.
Barry has java code for automated announcements that are digitally signed and encrypted that may be of interest to others.
Windows domain authentication
The focus of a project would be to run a prototype on a few campuses. If different things are needed in the standard profile to make Windows authentication work, they need to be documented in the profiles so people will think about them as they design their campus CAs. There is also the desire to document what needs to be done to make the MS CA subordinate to the campus CA and to create a set of recommendations. Please review the document sent to the list with an eye towards certificate profiles. Look at the pki-lite profile and at what Microsoft says is needed for domain authentication.
Action items:
1. [AI] Jim: Will draft a paragraph outlining that for the http URL we expect it to be pointing at a PKCS7 that will operate with Windows.
2. [AI] All: Please send Jim signed messages so he can get the certs up on the PKIdev repository for downloading.
3. [AI] Jim will send e-mail to the list of what certs are available on PKIdev.