December 5, 2001
Attendees
* Jim Jokl (chair) - Virginia
* Bill Doster - Michigan
* Keith Hazelton - Wisconsin
* Neal McBurnett - Internet2
* Chris Misra - Massachusetts
* Renee Frost - Michigan/Internet2
* Ellen Vaughan - Internet2
* Judith Boettcher - CREN
* Ed Feustel - Dartmouth
* Bob Morgan - Washington
* Deb Crocker - Alabama
* Michelle Gildea - CREN
* Jeff Schiller - MIT/CREN
* Ken Klingenstein - Colorado/Internet2
* Eric Norman - Wisconsin
* David Wasley - UCOP
* Ben Chinowsky (scribe) - Internet2
Discussion
The minutes of the previous meeting were approved without changes. The group reviewed some of its outstanding action items:
* [21-November - Eric will repeat his listproc experiment with a message that contains trailing spaces.] Done. Eric found that listproc works for all mail clients except Eudora+Tumbleweed; he's not sure that the trailing spaces are the problem. [AI] Eric will continue investigating listproc's performance with signed messages. There was general agreement that TAG needs to start documenting the results of tests such as these; [AI] Jim will get part of the PKI Lite site set up for test results. [AI] Ken will organize testing to verify that the fix proposed for the L-Soft signed messages problem actually works. There was a short discussion of opaque signing; Bob Morgan pointed out that using this option makes messages inaccessible to anyone who doesn't have S/MIME.
* [21-November - Ken will send the list v0.01 of a list of use scenarios for PKI Lite S/MIME.] Still to do.
* [21-November - All will review Jim's draft request for feedback on the draft PKI Lite cert profile, in preparation for discussion on the next call.] Jim's draft request for feedback met with general approval. Ken suggested seeking further review from the FPKI S/MIME group and at the upcoming IETF meeting. Bob called attention to David Chadwick's work on attribute certs (http://sec.isi.salford.ac.uk). Ken noted that PKI-COORD, the European coordinating body for PKI, met last week in Amsterdam; presentations and mailing list information are available at http://www.terena.nl/projects/pki/.
* [21-November - Bob will send the list a URL for Globus work on using certs with SSH.] Done; see http://www.globus.org/security/.
* [21-November - Jim will send the list v0.01 of a list of use scenarios for PKI Lite web authentication, to be discussed in parallel with Ken's S/MIME scenarios.] Still to do.
* [7-November - Jim will poll the TAG list about a new meeting time.] Done; [AI] Jim will send the list a summary of responses to his call-scheduling poll.
* [7-November - Ed will send the list information on products that use the IBM 4758.] Still to do.
* [7-November - Judith will send the list information from Spencer on DLF's LDAP plans.] Done.
* [7-November - Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.] In process. [AI] All will send Jim their institutional root certs for the root cert downloader and client authentication demo on pkidev.internet2.edu.
* [21-November - Jim will ping Jeff re status of the draft CPS template.] [10-October - Jeff will draft a CPS template for PKI Lite.] Done. There was general agreement that the primary purpose of the CPS template is to spell out existing standards within the higher-education community, and that Jeff's draft accomplishes this. The main stumbling block now is the need to get legal approval. [AI] Jeff will have lawyers at MIT review the legal language in the draft CPS template. [AI] Ken will ask HEPKI-PAG for input on where to seek legal review of the draft CPS template. [AI] Judith will have Dan Burk review the legal language in the draft CPS template. [AI] Jim and Judith will post the draft CPS template on the HEPKI-TAG and CREN web sites. [AI] Keith will point Wisconsin's deputy CIO to the posted draft CPS template. [AI] Jeff will copyedit the draft CPS template and send the revised version to the list.
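As an added illustration (not part of the minutes), the harness below shows why a list server such as listproc can break a clear-signed (multipart/signed) S/MIME message: the signature covers the canonicalized body bytes, so a CRLF-to-LF rewrite is harmless, while trailing-space stripping or an appended footer invalidates it, and trailing-space stripping only bites when the message actually contains trailing spaces. The list behaviours and sample messages are constructed, and a SHA-256 digest stands in for the real signature.

```python
import hashlib
from typing import Callable, Dict

def canonicalize(body: str) -> bytes:
    """Canonical MIME form that multipart/signed signs over: CRLF line endings."""
    return "\r\n".join(body.replace("\r\n", "\n").split("\n")).encode("utf-8")

def sign_stub(body: str) -> str:
    # Stand-in for the signer (assumption): a digest over the same canonical
    # bytes that a real S/MIME signature would cover.
    return hashlib.sha256(canonicalize(body)).hexdigest()

def verify_stub(body: str, sig: str) -> bool:
    """True only if the body the recipient received canonicalizes to the signed bytes."""
    return hashlib.sha256(canonicalize(body)).hexdigest() == sig

# Constructed models of what a list server might do to the body in transit.
def passthrough(body: str) -> str:
    return body

def lf_line_endings(body: str) -> str:
    return body.replace("\r\n", "\n")          # undone by canonicalization

def strip_trailing_spaces(body: str) -> str:
    return "\n".join(l.rstrip(" ") for l in body.replace("\r\n", "\n").split("\n"))

def append_footer(body: str) -> str:
    return body + "--\nTo unsubscribe, mail listproc@example.edu\n"  # constructed footer

BEHAVIOURS: Dict[str, Callable[[str], str]] = {
    "passthrough": passthrough,
    "lf_line_endings": lf_line_endings,
    "strip_trailing_spaces": strip_trailing_spaces,
    "append_footer": append_footer,
}

def survey(body: str) -> Dict[str, bool]:
    """Sign once, then report which list behaviours leave the signature verifiable."""
    sig = sign_stub(body)
    return {name: verify_stub(mangle(body), sig) for name, mangle in BEHAVIOURS.items()}

# Constructed test messages: identical except for trailing spaces on each line.
SAMPLE_TRAILING = "Agenda for Dec 5 call:   \r\n 1. listproc test \r\n"
SAMPLE_CLEAN = "Agenda for Dec 5 call:\r\n 1. listproc test\r\n"

if __name__ == "__main__":
    for label, msg in (("with trailing spaces", SAMPLE_TRAILING), ("clean", SAMPLE_CLEAN)):
        print(label, survey(msg))
```

Running both samples through the same behaviours separates the two hypotheses in the minutes: if a list only strips trailing whitespace, the clean message survives and the one with trailing spaces does not; if it appends a footer, both fail.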
The group discussed the probable impending demise of SACRED (see Bob Morgan's November 30 message to the TAG list). SACRED's original requirements document is now an RFC, but the SACRED list has been very quiet lately. TAG briefly discussed several other efforts whose problem spaces overlap with SACRED's: XCMS (much more general than SACRED, targets server-server interactions), work at MIT (taking a SACRED-like approach, but goals are a superset of SACRED's), and Dartmouth's work on proxy servers; ACAP and X-KRSS were also mentioned. Ken said that if TAG lets SACRED fade away, it is saying either that physical tokens are OK, or that lighter-weight private key protection is adequate. There was general agreement that, for now at least, TAG should not intervene to keep SACRED going. [AI] Ed will read the SACRED requirements document; if this leads him to think that SACRED should be kept going, he will investigate further.
Finally the group discussed possible foci for the PKI Lite S/MIME effort. Jim described the objective here as "to show people that S/MIME is do-able", and there was general agreement. Suggestions included grant submission, mailing-list authorization, homework submission, travel expense reports, signing timesheets ([AI] Ed will find out more about Dartmouth's timesheet-signing application, for discussion on the next call), signing scanned paper documents, avoiding forged email messages (Bob Morgan pointed out that signed mail won't solve this problem until everyone stops trusting unsigned messages), and serial signatures for workflow signoffs. Serial signatures would require timestamps so the order of the signatures could be verified; [AI] Keith will try to interest one of his colleagues at Wisconsin in working with TAG on serial signatures. Bob Morgan noted that "Mr. XML himself" is associated with an attempt to create standards around signed forms; the idea is that the common XML format will allow claims to be made about what a user must have seen.
Action Items
* [AI] 5-December - Eric will continue investigating listproc's performance with signed messages.
* [AI] 5-December - Jim will get part of the PKI Lite site set up for test results.
* [AI] 5-December - Ken will organize testing to verify that the fix proposed for the L-Soft signed messages problem actually works.
* [AI] 5-December - Jim will send the list a summary of responses to his call-scheduling poll.
* [AI] 5-December - All will send Jim their institutional root certs for the root cert downloader and client authentication demo on pkidev.internet2.edu.
* [AI] 5-December - Jeff will have lawyers at MIT review the legal language in the draft CPS template.
* [AI] 5-December - Ken will ask HEPKI-PAG for input on where to seek legal review of the draft CPS template.
* [AI] 5-December - Judith will have Dan Burk review the legal language in the draft CPS template.
* [AI] 5-December - Jim and Judith will post the draft CPS template on the HEPKI-TAG and CREN web sites.
* [AI] 5-December - Keith will point Wisconsin's deputy CIO to the posted draft CPS template.
* [AI] 5-December - Jeff will copyedit the draft CPS template and send the revised version to the list.
* [AI] 5-December - Ed will read the SACRED requirements document; if this leads him to think that SACRED should be kept going, he will investigate further.
* [AI] 5-December - Ed will find out more about Dartmouth's timesheet-signing application, for discussion on the next call.
* [AI] 5-December - Keith will try to interest one of his colleagues at Wisconsin in working with TAG on serial signatures.
* [AI] 21-November - Ken will send the list v0.01 of a list of use scenarios for PKI Lite S/MIME.
* [AI] 21-November - Jim will send the list v0.01 of a list of use scenarios for PKI Lite web authentication, to be discussed in parallel with Ken's S/MIME scenarios.
* [AI] 7-November - Ed will send the list information on products that use the IBM 4758.
* [AI] 7-November - Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.
* [AI] 24-October - All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.
* [AI] 10-October - Jim will check status of action items from August 29 and earlier via email.
* [AI] 26-September - Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.
* [AI] 26-September - Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.
* [AI] 26-September - Jeff will look into getting user certs from MIT for the demo site.
* [AI] 26-September - Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.
* [AI] 29-August - Renee will look into what policies Internet2 is considering for software distributions.
* [AI] 29-August - All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.
* [AI] 1-August - Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
* [AI] 6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.