Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

December 03, 2003
Attendees

* Jim Jokl, U. Virginia
* Eric Norman, Wisconsin
* Bob Morgan, U. Washington
* Shelly Henderson, USC
* Barry Ribbeck, UT-HSCH
* Mark Franklin, Dartmouth
* Steve Carmody, Brown
* Jeff Schiller, MIT
* Renee Frost, Internet2
* Jeanette Fielden, Internet2
* Neal McBurnett, Internet2

Discussion
USHER/InCommon Profile Discussion

There was concern over including an e-mail address in the profile. After a brief discussion it was decided to remove the e-mail address from the profile.

It was agreed that more research is needed about key usage bits before deciding whether to leave them in or remove them from the certificate. While many certificates have the bits set, no one knew whether that was due to application requirements or simply to copying other certificates. Eric stated that he had not seen anything about the offline CRL signing bit or key usage in the RFC. Jeff pointed out that careful thought needs to be given to what to set to critical. Other root certificates will be examined to see how most are setting the bits, and research into what the bits actually mean will be done as well.
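As an added illustration of the key usage research described above (this is example code written for these minutes, not code from HEPKI-TAG or any of the attendees): a dependency-free Python decoder for the X.509 KeyUsage extension that reports which bits a certificate sets and whether the extension is marked critical, followed by two checks a profile reviewer would want to run. The DER blobs are hand-constructed samples, not extracted from any real root certificate. Bit names follow RFC 5280 section 4.2.1.3; note that the "offline CRL signing" label shown by Windows is not a separate bit in the RFC, since CryptoAPI defines that label with the same value as keyCertSign.

```python
# Added example, not part of the HEPKI-TAG minutes: decode an X.509 KeyUsage
# extension from DER and flag profile issues. Pure Python, no dependencies.

# Bit positions as named in RFC 5280 section 4.2.1.3 (RFC 3280 used the same names).
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1 (renamed contentCommitment in RFC 5280)
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5 (Windows CryptoAPI also labels this value "Off-line CRL Signing")
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]

KEY_USAGE_OID_DER = b"\x55\x1d\x0f"  # 2.5.29.15, id-ce-keyUsage

# Constructed sample Extension blobs (not from real certificates):
#   CA-style: critical, keyCertSign + cRLSign
CA_KEY_USAGE = bytes.fromhex("300e0603551d0f0101ff040403020106")
#   server-style: not critical, digitalSignature + keyEncipherment
SERVER_KEY_USAGE = bytes.fromhex("300b0603551d0f0404030205a0")
#   key-agreement style: not critical, keyAgreement + decipherOnly (needs a 2nd byte)
AGREEMENT_KEY_USAGE = bytes.fromhex("300c0603551d0f04050303070880")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage_extension(der):
    """Decode a DER Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
    carrying KeyUsage. Returns {"critical": bool, "bits": [names of set bits]}."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID_DER:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN; absent means FALSE under DER
        critical = value != b"\x00"
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    bs_tag, bitstr, _ = _read_tlv(value, 0)
    if bs_tag != 0x03:
        raise ValueError("KeyUsage value must be a BIT STRING")
    unused = bitstr[0]          # number of unused trailing bits in the last byte
    data = bitstr[1:]
    nbits = len(data) * 8 - unused
    names = []
    for i in range(nbits):      # bit 0 is the most significant bit of the first byte
        if (data[i // 8] >> (7 - i % 8)) & 1:
            names.append(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return {"critical": critical, "bits": names}


def profile_warnings(decoded):
    """Checks a certificate-profile reviewer would run over a decoded KeyUsage."""
    warnings = []
    bits = set(decoded["bits"])
    if not decoded["critical"]:
        warnings.append("KeyUsage present but not marked critical "
                        "(RFC 5280 4.2.1.3: conforming CAs SHOULD mark it critical)")
    if ("encipherOnly" in bits or "decipherOnly" in bits) and "keyAgreement" not in bits:
        warnings.append("encipherOnly/decipherOnly are undefined without keyAgreement")
    return warnings


if __name__ == "__main__":
    samples = {"CA": CA_KEY_USAGE, "server": SERVER_KEY_USAGE, "agreement": AGREEMENT_KEY_USAGE}
    for label, blob in samples.items():
        d = decode_key_usage_extension(blob)
        print(f"{label}: critical={d['critical']} bits={d['bits']}")
        for w in profile_warnings(d):
            print("  warning:", w)
```

To survey real root certificates the way the minutes propose, extract the KeyUsage extension bytes from each certificate with your usual ASN.1 tooling and feed them to `decode_key_usage_extension`; the decoder deliberately reads only the extension, so it works on any DER source.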

Jim will correct the editing mistake in relation to the AIA extension in the InCommon server cert profile. Eric objected to putting anything in the AIA that hasn't been standardized. Bob pointed out that only LDAP version 2 has been standardized, not version 3, and that combining AIA with existing LDAP is likely not enough to get you interoperability.
[AI] Jim: Will draft a paragraph outlining that for the http URL we expect it to be pointing at a PKCS7 that will operate with Windows.

Next HEPKI-TAG Projects:
Number of schools interested in each project:

* HW tokens: 3
* Windows domain: 4
* CA audit: 3.5
* ETLS: 2.5
* S/MIME: 5
* Intro materials: 2
* Document signing: 3
* Private key protection: 2

S/MIME - Internet2 is using SYMPA for middleware e-mail lists, and the HEPKI-TAG list has been moved to the SYMPA server. There is S/MIME support in SYMPA. Steve Carmody indicated that once SYMPA is installed on one of the Shibboleth test machines, a test list could be set up to play with the S/MIME functionality of SYMPA. Dartmouth has a SYMPA server that can be used as well. The private key for the list will need to be placed on the server itself to encrypt the e-mail.

The S/MIME e-mail client table will need to be updated to reflect new clients that support S/MIME, such as Pine, Mulberry, Apple clients, Thunderbird, etc. The clients can be tested by encrypting and sending mail to the list, which people can then verify for client interoperability.
[AI] All: Please send Jim signed messages so he can get the certs up on the PKIdev repository for downloading.
[AI] Jim will send e-mail to the list of what certs are available on PKIdev.

Other S/MIME goals:

* updating the Microsoft S/MIME document.
* creating a list of features in e-mail clients that would make S/MIME easier to deploy and manage within the enterprise/campus, such as having web mail able to verify signatures on official announcements, and how to do cross-institutional S/MIME.
* certificate management issues and how to handle them when verifying signatures.
* common documentation, from the user perspective, of the risks of encryption, etc.

The goal is to make S/MIME features in e-mail easier to use and understand.

Barry has Java code for automated announcements that are digitally signed and encrypted, which may be of interest to others.

Windows domain authentication project:
The focus of the project would be to run a prototype on a few campuses. If the standard profile needs different settings to work for Windows authentication, that needs to be documented in the profiles so people will think about it as they design their campus CAs. There is also the desire to document what needs to be done to make the MS CA subordinate to the campus CA and to create a set of recommendations. Please review the document sent to the list with an eye towards certificate profiles. Look at the pki-lite profile and at what Microsoft says is needed for domain authentication.

Action Items

1. [AI] Jim: Will draft a paragraph outlining that for the http URL we expect it to be pointing at a PKCS7 that will operate with Windows.
2. [AI] All: Please send Jim signed messages so he can get the certs up on the PKIdev repository for downloading.
3. [AI] Jim will send e-mail to the list of what certs are available on PKIdev.