January 3, 2001
Attendees
* Jim Jokl (chair) - Virginia
* Deb Crocker - Alabama
* Ken Klingenstein - Colorado/Internet2
* Bob James - Pitt
* Michael Gettes - Georgetown
* Renee Frost - Michigan/Internet2
* Bob Brentrup - Dartmouth
* Bob Morgan - Washington
* Neal McBurnett - Avaya
* David Wasley - UCOP
* Judith Boettcher - CREN
* Keith Hazelton - Wisconsin
* Ben Chinowsky (scribe) - Internet2
* Others joined and left the call at various times.
Discussion
The minutes of the previous meeting were approved without changes. Bob M. noted that there is a surplus of volunteers for the OASIS S2ML technical committee, and OASIS wants to know who's going to really be active; [AI] Bob M. will work with Steven Carmody to decide who from I2-MI and HEPKI should work with OASIS. [AI] Bob M. will check with Tim Polk on the status of Polk's expected contribution to the IETF-LDAPEXT dc naming discussion. Michael asked about the status of heDRCD within TAG; Jim is waiting for a call on which both Jeff Schiller and Michael are present to have the next discussion of this. Jim suggested the group read the IETF-SACRED heDRCD scenario in preparation for this discussion.
Ken suggested that the cert-profiles-convergence group focus on defining a basic ID cert, and find out if the Grid would be interested in using such a cert, issued by campuses, to verify the identity of people requesting access to Grid tools. The basic ID cert would be non-pseudonymous, with few extensions and a 1-2 year lifetime; the Grid's acceptance of ID certs would be a "baby step" toward their wider use. Ken's suggestion led to a long discussion of the usefulness (or not) of basic ID certs. In favor of basic ID certs, it was argued that an ID cert could function as the inter-campus equivalent of a campus ID card or logon password, and that this would be useful for the many applications where privacy is not required. Uses suggested for ID certs included a password substitute within Shibboleth and access to digital-library resources for small groups of students spread across more than one campus. An ID cert can function as a primary key, so databases that could be used for authorization could be built around it. Against basic ID certs, it was argued that the best ID certs can do is ensure uniqueness within a domain, which, given the current absence of a PKI, is not enough to establish identity. Due to FERPA, ID certs raise legal questions. Also, ID certs do nothing to solve the problem of inter-campus authorization; for this reason, it was suggested that member-of-community certs be used as a first step, or that ID certs be used, but targeted for intra-campus use.
It was agreed that [AI] Ken will ask his Grid contacts if ID certs (either pseudonymous or non-pseudonymous) from higher education would be useful to them, and if they would be willing to make use of them without a CP. [AI] All will suggest possible inter-campus and intra-campus uses of PKI, to be discussed on the next call.
Neal noted that he is working on an XML shell for the IETF-SACRED scenarios; TAG will discuss these scenarios on the next call.
Action Items
* [AI] Bob M. will work with Steven Carmody to decide who from I2-MI and HEPKI should work with OASIS.
* [AI] Bob M. will check with Tim Polk on the status of Polk's expected contribution to the IETF-LDAPEXT dc naming discussion.
* [AI] Ken will ask his Grid contacts if ID certs (either pseudonymous or non-pseudonymous) from higher education would be useful to them, and if they would be willing to make use of them without a CP.
* [AI] All will suggest possible inter-campus and intra-campus uses of PKI, to be discussed on the next call.