HEPKI-TAG Conference Call November 30, 2005

*HEPKI-TAG Conference Call*
November 30, 2005

*Action Items*
(new)

[AI] Jim will ask Nathan to evaluate WebTrust Complaince Review.

[AI] All will look at http://www.gridpma.org for materials for the CA Audit project to point to or extract from.

[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF).

[AI] Neal will look into European approaches to credential assessment.

(from previous calls)

[AI] All who can test the Eudora S/MIME plugin, or find others to do so, will contact Jim.

[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.

[AI] All who have time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.

[AI] Jim will continue looking at PKI Lite cert profiles for Rice's code-signing application.

[AI] Eric will call Mozilla's attention to the fact that they don't support the standards needed to recognize trust anchors on tokens, and nudge them to do something about it.

[AI] Eric will continue seeking feedback on his Top 10 lists, especially from HCISec.

[AI] Jim will get an OID for PKI Lite from MACE. [AI] Mark will ask Jed Dobson for more information on OSG.

[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.

[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.

[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.

[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.

[AI] All will send Jim further suggestions for TAG projects.

[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.

*Attendees*

Jim Jokl (chair) - Virginia
Neal McBurnett - Internet2
Eric Norman - Wisconsin
Bob Morgan - Washington
Shelley Henderson - USC
Ben Chinowsky (scribe) - Internet2

*Discussion*

The group reviewed, and Jim updated, the draft Campus CA Audits page (http://middleware.internet2.edu/hepki-tag/ca-audit/). This page is not yet linked from the TAG site. Bob noted that many of the items in the Suggested Audit Process Outline are supposed to be included in the CPS. Jim noted that CPSes usually don't have enough detail, and refer to multiple separate documents; this necessitates a systematic procedure for examining the listed items.

Bob noted the WebTrust Compliance Review process, describing it as a way of certifying that you have cleared "the really low bar you've set for yourself."

[AI] Jim will ask Nathan to evaluate WebTrust Complaince Review.

[AI] All will look at http://www.gridpma.org/ for materials for the CA Audit project to point to or extract from. Bob noted that this group's situation is quite similar to ours -- "everybody knows" the standards are more or less the same for all involved, and the Grid PMA specifies how to confirm what everybody knows.

[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF). CAF is mostly concerned with password-based authentication.

[AI] Neal will look into European approaches to credential assessment.