Technical Activities Group Meeting Minutes
HEPKI-TAG Call

April 7, 2004
Attendees

* Jim Jokl, U. Virginia
* Eric Norman, U. Wisconsin
* Nathan Faut, Educause
* Neal McBurnett, Internet2
* Steve Hanna, Sun Microsystems
* Bob Morgan, U. Washington
* Mark Franklin, Dartmouth
* Bob Brentrup, Dartmouth
* Mike LaHaye, Internet2
* Nick Lewis, Internet2
* Renee Frost, Internet2
* Steve Olshansky, Internet2

Discussion

Steve Hanna talked about the libpkix project at Sun. Standards-compliant PKI support throughout Sun's and other companies' products is important to helping PKI move forward. Libpkix is designed to be very portable, to work with Mozilla, OpenSSL, Solaris, etc. They have been talking with Mozilla about uniform PKI support. Libpkix is a project to create C libraries for building and validating chains of X.509 certificates. It is conceived as an open source project in the long run; in order to speed up development and increase the resources available to the project, the decision has been made to make libpkix open source sooner. There are interesting topics for graduate students to work on, though currently there is no funding. The SourceForge site is not up yet, but Steve has some architecture and API documents he will mail to Jim for posting to the HEPKI-TAG website. Steve will talk about libpkix at the Work in Progress session at the PKI workshop (http://middleware.internet2.edu/pki04). Eric indicated that he might be able to participate in the libpkix project. If you have questions contact Steve at steve.hanna@sun.com.

PKI-lite policy change http://middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices-current.html

Section 1.6 states that a PKI-Lite CA must not issue an authority certificate for another CA. This has made some sites believe that PKI-Lite precludes a centrally operated multi-level CA. The intent was not to discourage a central IT CA but to discourage a campus CA from issuing authority certs for departmental CAs. There was general consensus that it should be clarified that it is OK for a central group on a campus to run a multi-level CA. [AI] Jim: will draft a revision to 1.6 of the PKI-Lite policy and send it out to the list for review.

InCommon CA deployment: Nick Lewis is soliciting feedback on InCommon documents located at: http://www.incommonfederation.org/internal/. Renee indicated that the InCommon tech support team met with Jim, Jeff Schiller, and others to review the documents. The phase one participants will also review them. Feedback and vetting comments are expected from the participants before InCommon goes public.

Nick outlined that the safe is in a locked room and requires two people to open it, one with a PIN pad code and one with a key. The technical group knows the PIN code; the member activities group that runs the storefront has the key. No single person can get access, and there is a logging mechanism. The private key is stored on a laptop, and a backup exists. There are two different safe deposit boxes at two different banks. One has the password for the private key and the other has the data to recover the CA. Everything is separated: there is no person that can get access to both safe deposit boxes. The key signing ceremony was videotaped, explaining what was done and how, and the video is stored in one of the safe deposit boxes. Please send feedback on the documents to lewisnic@internet2.edu and mjl@internet2.

InCommon Server Cert profiles: There is a new version of the InCommon end entity profile on the HEPKI-TAG site. The only real change is the addition of the DNS name for the host to the subject alt name.

PKCS7 MIME Type: When you download a PKCS7 blob from the authority information access field in the certificate, what MIME type should the server send back? The document calls for using a MIME type of application x.509 CA cert, which came from the web server configuration for that file extension. Several people objected to that type. The type application/x-octet-stream was suggested by Eric. [AI] Jim: will test application/x-octet-stream as the MIME type for X.509 downloads and report results to the list.
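The items above touch four pieces of the same machinery: chain building and validation (libpkix), a multi-level campus CA (the PKI-Lite 1.6 discussion), a DNS name in the server certificate's subject alt name (the InCommon end entity profile), and the PKCS7 blob a certificate's authority information access field points to. The following script, an added example that is not part of these minutes or of any of the projects named here, builds a root CA, an issuing CA under it, and a server certificate with the OpenSSL command line, then validates the chain, shows that validation fails when the issuing CA certificate is withheld, and packs the CA certificates into a certs-only PKCS#7 bundle. Every name, URL and file path in it (Example University, www.example.edu, ca.example.edu/issuing.p7c) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the HEPKI-TAG minutes): a two-level campus CA built
# with the OpenSSL CLI, a server certificate carrying a DNS subjectAltName and
# an AIA caIssuers pointer, chain validation, and a certs-only PKCS#7 bundle of
# the kind that pointer would serve. All names and URLs are constructed.
set -eu

# make_chain DIR: root CA -> issuing CA -> server cert, all written under DIR.
make_chain() {
  dir=$1
  mkdir -p "$dir"
  # Minimal OpenSSL config; req requires a distinguished_name section even when -subj is given.
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:www.example.edu
authorityInfoAccess = caIssuers;URI:http://ca.example.edu/issuing.p7c
EOF
  # Root CA (self-signed). EC keys keep the demo fast.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/root.key" -out "$dir/root.pem" -days 30 \
    -subj "/O=Example University/CN=Example Campus Root CA" \
    -config "$dir/ext.cnf" -extensions v3_ca 2>/dev/null
  # Issuing (subordinate) CA signed by the root: the centrally run multi-level case.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/issuing.key" -out "$dir/issuing.csr" \
    -subj "/O=Example University/CN=Example Campus Issuing CA" \
    -config "$dir/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ext.cnf" -extensions v3_ca \
    -out "$dir/issuing.pem" 2>/dev/null
  # Server certificate signed by the issuing CA, with the host's DNS name in subjectAltName.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/O=Example University/CN=www.example.edu" \
    -config "$dir/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" \
    -CAcreateserial -days 30 -extfile "$dir/ext.cnf" -extensions v3_server \
    -out "$dir/server.pem" 2>/dev/null
  # Certs-only PKCS#7 (DER) holding the CA chain, the object an AIA caIssuers URL
  # would return. Registered MIME types for such downloads are application/pkix-cert
  # (RFC 2585, a single DER certificate) and application/pkcs7-mime (certs-only PKCS#7).
  openssl crl2pkcs7 -nocrl -certfile "$dir/issuing.pem" -certfile "$dir/root.pem" \
    -outform DER -out "$dir/issuing.p7c"
}

# verify_chain DIR HOST: full path validation, issuing CA supplied as untrusted input.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" \
    -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# verify_without_intermediate DIR: the same check with the issuing CA cert withheld.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# pkcs7_cert_count DIR: number of certificates inside the PKCS#7 bundle.
pkcs7_cert_count() {
  openssl pkcs7 -inform DER -in "$1/issuing.p7c" -print_certs -noout | grep -c '^subject='
}

# server_san DIR: the DNS name carried in the server cert's subjectAltName.
server_san() {
  openssl x509 -in "$1/server.pem" -noout -ext subjectAltName | grep -o 'DNS:[^,]*'
}

# Demonstration run in a temporary directory.
work=$(mktemp -d)
make_chain "$work"
verify_chain "$work" www.example.edu && echo "full chain + hostname www.example.edu: OK"
verify_without_intermediate "$work" || echo "without the issuing CA cert: verification fails (expected)"
echo "PKCS#7 bundle holds $(pkcs7_cert_count "$work") certificates; SAN: $(server_san "$work")"
```

The `-untrusted` input plays the role an AIA-fetched PKCS#7 would play for a client: the issuing CA certificate is not trusted on its own, but it lets the validator build a path to the trusted root. The hostname check passes only because the DNS name is present in subjectAltName; a certificate with the name only in the subject CN would need the profile change described above.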

Neal sent an e-mail to the list with pointers to resources on the TERENA Academic CA Repository (TACAR). It's an active item in the European academic world. It is not a CA that signs others, but a place where the CAs of different institutions are shared. It's more a collaboration mechanism than an authority. http://www.terena.nl/tech/task-forces/tf-aace/tacar/index.html

[AI] Eric: will send a solicitation to the list for submissions to the list of 10 things people need to know to do PKI.

The schedule for the PKI04 workshop next week is available at: http://middleware.internet2.edu/pki04/. Proceedings will be posted at the same site.

A major item for the PKI Action Plan is document signatures. XML Signature is being used by the NIH-EDUCAUSE PKI Interoperability Project. It also factors into OpenOffice and OASIS work.

OASIS is working on an open document format based on OpenOffice. Michael Brower is the chair of the OASIS OpenOffice XML Format TC.

The plan for the next release of OpenOffice, 2.0, also code-named "Q", includes some document signature (and encryption) features based on XML Signature. Some work on XML signature and PGP in OpenOffice is also going on. Neal has sent an e-mail to the list with pointers to their materials.


Action Items

1. [AI] Jim: will draft a revision to 1.6 of the PKI-Lite policy and send it out to the list for review.
2. [AI] Jim: will test application/x-octet-stream for x.509 MIME type and report results to list.
3. [AI] Eric: will send a solicitation to the list for submissions to the list of 10 things people need to know to do PKI.