*HEPKI-TAG Conference Call*
September 6, 2006
*Attendees*
Jim Jokl (chair) - Virginia
Eric Norman - Wisconsin
Bob Morgan - Washington
Scott Rea - Dartmouth
Nathan Faut - KPMG
Jeff Schiller - MIT
David Wasley - independent
Renee Frost - Michigan/Internet2
Ben Chinowsky (scribe) - Internet2
*Action Items*
(new)
[AI] Renee will look into room availability for the PKI Implementers Workshop.
[AI] Jim will ask likely PKI Implementers Workshop presenters and attendees what day would work best for them.
[AI] Jim will draft an outline of the program for the PKI Implementers Workshop.
(from previous calls)
[AI] Eric will draft a short paper outlining the issues around key escrow and alternatives to it.
[AI] Eric will experiment with delivery and trust of root and intermediate certs via the web in Mozilla-family browsers.
[AI] Scott will send out a pointer to the draft TAGPMA CA audit requirements.
[AI] Jim will incorporate Scott's digsig-tools information into the HEPKI-TAG web site.
[AI] All will ask their contacts what material their schools would find most useful in a PKI implementers workshop.
[AI] David will follow up on SAFE's open-source signing work.
[AI] All will send URLs for CA software (open-source or not) to TAG.
[AI] Eric will let TAG know when Ron DiNapoli's work on Aladdin eTokens on Macintosh is available for the group to look at.
[AI] All will look at http://www.gridpma.org for materials for the CA Audit project to point to or extract from.
[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF).
[AI] All who can test the Eudora S/MIME plugin, or find others to do so, will contact Jim.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] All who have time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.
[AI] Jim will continue looking at PKI Lite cert profiles for Rice's code-signing application.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark will ask Jed Dobson for more information on OSG.
[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.
[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
[AI] All will send Jim further suggestions for TAG projects.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
[AI] Jim will review the action items and send Ben a list of changes and deletions.
*Discussion*
The group discussed plans for the PKI Implementers Workshop. It was agreed that this will be a one-day workshop; Monday December 4 is the most likely date. [AI] Renee will look into room availability for the PKI Implementers Workshop. [AI] Jim will ask likely PKI Implementers Workshop presenters and attendees what day would work best for them.
Possible topics:
- David suggested a session on how to cope with Web departments' resistance to PKI. Bob observed that this is not a PKI-specific issue; from a Web perspective, it's generally easiest to use whatever security mechanism the application in question wants to use. There was general agreement that this would still be a good issue to address in the PKI Implementers Workshop. Eric noted the scheme for "zero modifications" PKI for Web apps that he presented at the 2004 Dartmouth workshop; see "PKI Authentication for Geeklog" at http://www.dartmouth.edu/~deploypki/deploying/
- Jim suggested a session on CA options, including buying commercial certs. Eric stressed the importance of including the RA function in this discussion, emphasizing that any school that issues photo IDs already has a lot to build on in setting up an RA.
- Nathan suggested a session on why it's important to use PKI, focusing not on the problems it fixes, but on things that it enables, e.g. paperless workflow.
- There was general agreement to begin the workshop with an optional PKI primer for those who need it -- something like breakfast & primer starting at 8:00, workshop proper starting at 9:00.
[AI] Jim will draft an outline of the program for the PKI Implementers Workshop. Jeff strongly recommended Simson Garfinkel's thesis (http://www.simson.net/thesis/), and noted that Garfinkel sees value in pursuing S/MIME for signed-but-not-encrypted email.