Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

June 6, 2001

Attendees

* Jim Jokl (chair) - Virginia
* Ed Feustel - Dartmouth
* Chris Misra - Massachusetts
* Keith Hazelton - Wisconsin
* Bob Brentrup - Dartmouth
* Renee Frost - Michigan/Internet2
* Ellen Vaughan - Internet2
* Ken Klingenstein - Colorado/Internet2
* Eric Norman - Wisconsin
* Neal McBurnett - Avaya
* Bob Morgan - Washington
* Michael Gettes - Georgetown
* Bill Doster - Michigan
* Ben Chinowsky (scribe) - Internet2

Discussion

The minutes of the previous meeting were approved without changes. The group reviewed the action items from the last call:

[On the next call, TAG will look at the question of whether institutions should be required, or only encouraged, to maintain their own CRLs.] Ken pointed out that the various certificate policies being developed vary in this respect: EuroPKI and SURFnet require CRL checking; the current draft of the HEPKI CP requires CRL checking, but without specifying any particular technology; the Feds don't require CRL checking. Ed suggested a two-tier approach; for example, staff could be required to check CRLs, while students would not be. CREN requires that holders of institutional certs point to the CREN CRL, but it is unclear whether CREN will require that institutions maintain their own CRLs as well. [AI] Jim will ask Judith Boettcher if CREN will require that institutions be able to revoke their own certs. Ed noted that PKIX has published a chain algorithm for revocation checking, and suggested that TAG read and discuss it.

[Ed will send the list a request for information on current and planned deployments of directories for public key storage.] Done.

[Jim will write up the issues around PKI Lite for discussion on the TAG list.] Done.

[All will review Jeff's private-key-protection document and send comments to Jeff.] Still to do.

Most of the call was devoted to discussion of whether or not TAG should initiate a PKI Lite project. On the "con" side, it was argued that PKI Lite would be redundant: efforts like PGP and Shibboleth are already taking a lightweight approach to cert usage, and Lite would teach nothing that cannot be learned from these efforts. It was also argued that PKI Lite would not be helpful in making the transition to a full PKI; the elements that would have to be set aside to make it Lite are precisely those elements that have to be made to work in order for PKI to succeed. It was also argued that MIT's experience (Bob Morgan pointed out that PKI Lite basically means "what MIT did") is not likely to generalize easily; it might be necessary to license the "Schillerware" used there, and Michael noted that Georgetown's experience with even so straightforward-seeming a task as deploying a server-side CA cert had been "relatively nightmarish". In general, there was a sense that PKI is just irreducibly hard, and that HEPKI should continue with its approach -- exemplified by PAG's work on the model CP -- of slow, determined slogging through all necessary details.

On the "pro" side, Bob Morgan noted that while it is true that a PKI Lite for web authentication would bear a strong resemblance to Shibboleth, Shibboleth is focused on inter-institutional applications, where Lite would have an intra-institutional focus; the two would thus complement one another. The decisive consideration, however, was Jim's observation that TAG needs a PKI Lite in order to move forward with the profile convergence work. The group agreed to begin work on PKI Lite using signed-but-not-encrypted email as the driving application. There was general agreement that this would be likely to find a variety of small-scale uses, such as submitting travel expense reports, on ten or so campuses. Ed pointed out that small user communities are a significant plus; it's a lot harder to support a whole campus than it is to support a narrowly-defined user community, like people who travel on campus business. There was general agreement that the process of standing up PKI Lite will probably reveal "holes in PKI", and that this is a good thing. Jim has learned that Microsoft Outlook can't load a signing cert without also loading an encryption cert; [AI] Ed will send Jim mail about resolving the Outlook no-signing-without-encryption issue. [AI] All will send Jim links to information on their campus PKI work, for the TAG web site. [AI] All PKI Lite participants will send Ed their email addresses and phone numbers. [AI] Ed will compile a PKI Lite contact list and send it to TAG.
Action Items

* [AI] Jim will ask Judith Boettcher if CREN will require that institutions be able to revoke their own certs.
* [AI] Ed will send Jim mail about resolving the Outlook no-signing-without-encryption issue.
* [AI] All will send Jim links to information on their campus PKI work, for the TAG web site.
* [AI] All PKI Lite participants will send Ed their email addresses and phone numbers.
* [AI] Ed will compile a PKI Lite contact list and send it to TAG.