Technical Activities Group Meeting Minutes
HEPKI-TAG

November 5, 2003
Attendees

* Jeff Schiller, MIT
* David Wasley, UCOP
* Jim Jokl, U. Virginia
* Barry Ribbeck, UT-HSCH
* Eric Norman, U. Wisconsin
* Nathan Faut, Educause
* Mark Franklin, Dartmouth
* Jeanette Fielden, Internet2
* Bob Morgan, U. Washington
* Neal McBurnett, Internet2

Discussions
Offline CAs:

The SURFNET CA uses KeyOn. The CA has been set up with an online RA and an offline CA. Neal has e-mailed for more details on how the RA communicates with the CA.

Eric is interested in what people/institutions are doing for private key protection and seeing actual documentation of the practices they intend to follow.

MIT has two different CAs. Client certs are issued by a software CA, which needs to be online all the time. The server CA is offline. The key is on a CD; only two people know the passphrase, and the CD is in Jeff's possession. As soon as he has a decent hardware solution he'll put that online as well.
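As an added illustration of the online-RA / offline-CA split and the passphrase-protected CA key discussed above, the following shell session (written for these minutes as an example; it is not SURFNET's, MIT's or KeyOn's procedure) shows the three steps: the offline side creates an encrypted CA key, the online side produces only a CSR, and the offline side signs it, supplying the passphrase at signing time. All names, paths and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not from the HEPKI-TAG minutes. Demonstrates an offline server CA
# whose private key is passphrase-encrypted at rest, signing a CSR prepared online.
# Subject names, file paths and CA_PASS are illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# In practice the passphrase is shared by two people and never stored on the online host.
CA_PASS='assumed-offline-ca-passphrase'

# Offline side: CA key encrypted with AES-256 under the passphrase, plus a self-signed CA cert.
make_offline_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -subj "/O=Example University/CN=Example Offline Server CA" -days 3650 \
    -out "$WORK/ca.crt" 2>/dev/null
}

# Online RA side: server key never leaves the server; only the CSR travels to the offline CA.
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -subj "/O=Example University/CN=www.example.edu" -out "$WORK/server.csr" 2>/dev/null
}

# Offline side: sign the CSR. Decrypting ca.key requires the passphrase each time.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 365 -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: the issued server cert chains to the offline CA.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Check 2: the CA key on disk (or on the CD) is unusable without the passphrase.
key_is_encrypted() {
  ! openssl rsa -in "$WORK/ca.key" -passin 'pass:wrong' -noout 2>/dev/null
}

# Run the whole flow once and report.
make_offline_ca
make_server_csr
sign_csr
verify_chain && echo "server cert verifies against offline CA"
key_is_encrypted && echo "CA key cannot be read without the passphrase"
```

The point the example makes about the RA/CA split is that the only artifact crossing from the online host to the offline one is the CSR, and the only artifact crossing back is the signed certificate; the CA private key is never present on the online machine, and even the offline copy is useless to someone who obtains the medium without the passphrase.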

Neal is waiting for an update from Dartmouth with respect to USHER and InCommon.

Are there still plans to move the HEPKI Test CA from Bossie to a supported machine? Currently Bossie is issuing Shib test CAs and doing some demos. Eric said he and Jim had discussed moving the test CA to pkidev.internet2.edu. Eric was not sure if pkidev was still available. Eric emphasized that these certificates are only for testing, with no assurance whatsoever. He has considered putting the private key on the splash page to emphasize that this is in no way secure.

Is there a written definition for what exactly is meant by a production server? Part of a definition would include more I&A, that the machine is always available and someone takes care of it, and that you know what it is doing and it is written down somewhere. What else would define a production server?

The next call is scheduled for November 19, 2003.