*HEPKI-TAG Conference Call*
October 4, 2006

*Attendees*
Jim Jokl (chair) - Virginia
Eric Norman - Wisconsin
Nathan Faut - KPMG
Neal McBurnett - Internet2
Renee Frost - Michigan/Internet2
Ben Chinowsky (scribe) - Internet2

*Action Items* (new)
[AI] Jim will draft a program and schedule for the December 4 PKI Implementers Workshop, and send it to likely presenters and attendees. (from previous calls)
[AI] Eric will experiment with delivery and trust of root and intermediate certs via the web in Mozilla-family browsers.
[AI] Scott will send out a pointer to the draft TAGPMA CA audit requirements.
[AI] Jim will incorporate Scott's digsig-tools information into the HEPKI-TAG web site.
[AI] All will ask their contacts what material their schools would find most useful in a PKI implementers workshop.
[AI] David will follow up on SAFE's open-source signing work.
[AI] All will send URLs for CA software (open-source or not) to TAG.
[AI] Eric will let TAG know when Ron DiNapoli's work on Aladdin eTokens on Macintosh is available for the group to look at.
[AI] All will look at http://www.gridpma.org for materials for the CA Audit project to point to or extract from.
[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF).
[AI] All who can test the Eudora S/MIME plugin, or find others to do so, will contact Jim.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] All who have time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.
[AI] Jim will continue looking at PKI Lite cert profiles for Rice's code-signing application.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark will ask Jed Dobson for more information on OSG.
[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.
[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
[AI] All will send Jim further suggestions for TAG projects.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
[AI] Jim will review the action items and send Ben a list of changes and deletions.

*Discussion*
The group continued its discussion of plans for the PKI Implementers Workshop. It was agreed to plan on a maximum of 50 attendees, and to have separate registration for this meeting so that we know how many people to expect. The workshop will run from 8:00 AM to 5:00 PM on Monday, December 4. [AI] Jim will draft a program and schedule for the December 4 PKI Implementers Workshop, and send it to likely presenters and attendees.

Some further topics for the workshop were suggested. Neal suggested starting with a presentation of use cases, so we can more easily refer to them later on. Nathan confirmed that he will do sessions on "what to expect when you get audited" and "notes from the field on what to do afterwards."

Eric had several suggestions:
- A half-hour session on the design of DNs. For example, should you include an email address in the DN, and if you do, do you understand the implications? Is dc naming dead? How do you assign DNs to make certs in a cert store easy to find? What are the differences in how different browsers display DNs?
- Application integration, e.g. how PKI relates to Pubcookie and its equivalents. How Jim did this at Virginia could be a component of this talk.
- More on common problems and how to diagnose them. For example, renewing a cert usually means getting a new cert with the same keypair, and people then find that they can't use it to decrypt.
- A session on managing the risks of exposure or loss of sensitive data, including a discussion of key escrow and key backup. [See Eric's October 16 note to the HEPKI list for more on this.]
- A session on the relationship between HEPKI, Shibboleth, and Microsoft's CardSpace. Eric sees CardSpace as likely to lead to the death of Pubcookie, and possibly to the death of Shibboleth as well. [Eric expanded on this idea in a note to the HEPKI list on October 5. This led to a long exchange including (among others) Shibboleth originator Bob Morgan and Shibboleth lead developer Scott Cantor. Highly recommended.]
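The renewal pitfall in the "common problems" bullet and the key-backup point in the following one are two sides of the same issue: once a renewal issues a fresh keypair, mail that was encrypted to the old certificate can only be read if the old private key was kept. The following Go program is an added illustration, not code from the minutes or from any HEPKI project; it stands in for a mail client with a raw RSA-OAEP envelope rather than a real CMS/S/MIME structure, and the certificate labels ("cert-2005", "cert-2006") and the message payload are constructed values. Running it with history retained shows the archived key recovering the message; running it with the old key discarded shows the data is gone.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// keyGeneration models one certificate lifetime: a label standing in for
// the issuer+serial that S/MIME uses to name the recipient cert (constructed
// value), and the private key that cert binds.
type keyGeneration struct {
	label string
	priv  *rsa.PrivateKey
}

// envelope is a message sealed to one generation; keyLabel tells the
// recipient which key it needs, much as RecipientInfo does in CMS.
type envelope struct {
	keyLabel string
	ct       []byte
}

// keyArchive holds the user's current decryption key and, when keepHistory
// is set, every earlier one. keepHistory=false models a renewal procedure
// that throws the old keypair away.
type keyArchive struct {
	keepHistory bool
	current     *keyGeneration
	history     map[string]*keyGeneration
}

func newArchive(keepHistory bool) *keyArchive {
	return &keyArchive{keepHistory: keepHistory, history: map[string]*keyGeneration{}}
}

// rotate issues a fresh keypair (a renewal that does NOT reuse the old key)
// and either files or forgets the previous generation.
func (a *keyArchive) rotate(label string) (*keyGeneration, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if a.current != nil && !a.keepHistory {
		delete(a.history, a.current.label)
	}
	g := &keyGeneration{label: label, priv: priv}
	a.current = g
	a.history[label] = g
	return g, nil
}

// encryptTo seals a short message to generation g with RSA-OAEP/SHA-256.
func encryptTo(g *keyGeneration, msg []byte) (envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &g.priv.PublicKey, msg, nil)
	if err != nil {
		return envelope{}, err
	}
	return envelope{keyLabel: g.label, ct: ct}, nil
}

// decryptWith tries exactly one generation; any other key yields rsa.ErrDecryption.
func decryptWith(g *keyGeneration, env envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, g.priv, env.ct, nil)
}

// decryptAny is what a mail client should do after renewal: look up the key
// the envelope names, then fall back to the current key. It reports which
// generation succeeded so the caller can see when the archive was needed.
func (a *keyArchive) decryptAny(env envelope) ([]byte, string, error) {
	if g, ok := a.history[env.keyLabel]; ok {
		if pt, err := decryptWith(g, env); err == nil {
			return pt, g.label, nil
		}
	}
	if a.current != nil {
		if pt, err := decryptWith(a.current, env); err == nil {
			return pt, a.current.label, nil
		}
	}
	return nil, "", fmt.Errorf("no key on hand decrypts a message sealed to %q", env.keyLabel)
}

func main() {
	for _, keep := range []bool{true, false} {
		a := newArchive(keep)
		old, err := a.rotate("cert-2005")
		if err != nil {
			panic(err)
		}
		env, err := encryptTo(old, []byte("transcript for student 12345")) // constructed payload
		if err != nil {
			panic(err)
		}
		if _, err := a.rotate("cert-2006"); err != nil {
			panic(err)
		}
		_, err = decryptWith(a.current, env)
		fmt.Printf("keepHistory=%v: new key alone decrypts old mail? %v\n", keep, err == nil)
		pt, used, err := a.decryptAny(env)
		if err != nil {
			fmt.Printf("keepHistory=%v: %v\n", keep, err)
			continue
		}
		fmt.Printf("keepHistory=%v: recovered %q using %s\n", keep, pt, used)
	}
}
```

The design point is that the archive is indexed by the identifier the envelope carries, so the client never has to guess which of a user's past keys to try; a renewal procedure that does not preserve that mapping (the keepHistory=false branch) is the situation the workshop bullet describes.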