November 7, 2001
Attendees
* Jim Jokl (chair) - Virginia
* Eric Norman - Wisconsin
* Steve Worona - EDUCAUSE
* Ed Feustel - Dartmouth
* David Wasley - UCOP
* Bob Morgan - Washington
* Deb Crocker - Alabama
* Judith Boettcher - CREN
* Keith Hazelton - Wisconsin
* Michael Gettes - Georgetown
* Kevin Unrue - Cornell
* Renee Frost - Michigan/Internet2
* Ben Chinowsky (scribe) - Internet2
Discussion
After approving the minutes of the October 24 meeting, the group discussed moving its biweekly conference up by half an hour, but found that this would create more conflicts than it would resolve. [AI] Jim will poll the TAG list about a new meeting time. The group reviewed action items:
* [24-October - Eric will send the list information on the Outlook/L-Soft signed mail problem and some possible ways to get around it.] Done. Ed noted that while the configuration changes sent to the TAG list do fix the problem, list managers may not always have the authority to make those changes, so it would still be good to get the code fixed. Judith noted that listproc is going to SourceForge; [AI] Eric will send a signed message to the TAG list to find out if listproc has the same problem with signed mail as does L-Soft.
* [24-October - Ed will send the list a reference to an IEEE Computer article on the IBM 4758 Secure Coprocessor.] Done. [AI] Ed will send the list information on products that use the IBM 4758.
* [24-October - Ken will ask HEPKI-PAG to develop scenarios for Steve Worona to take to the Department of Education for FERPA compliance checking.] Done; see below.
* [24-October - Ed will find TAG a reference on the DLF X.509 extension used to specify what application a cert is intended for.] Still to do.
* [24-October - Michelle will ask JSTOR for their thoughts on how to specify affiliation in certs.] Done; see Michelle's Nov. 7 posting to the TAG list. [AI] Judith will send the list information from Spencer on DLF's LDAP plans.
* [24-October - All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.] Still to do. Ed explained that he wants the group's thoughts on TrustID certs as a model for PKI Lite.
* [10-October - All will send Ken questions for Sun on using certs with S/MIME clients.] Done. Ken has sent Sun a list of questions, but has not yet received any answers.
* [10-October - Jim will check status of action items from August 29 and earlier via email.] In process.
* [26-September - Eric will put his demo cert issuer on the Internet2 demo machine.] [AI] Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.
Ed noted that Netscape is working seriously on S/MIME for Mozilla; many Netscape users are unwilling to upgrade from 4.x because 6.x lacks S/MIME. [AI] Ed will send the list a) URLs on Netscape's work on S/MIME for Mozilla and b) the suggestions he has sent Netscape regarding this work. [AI] All will read Ed's documents on S/MIME for Mozilla, in preparation for a discussion on the next call of TAG possibly making recommendations to Netscape.
The group discussed the FERPA implications of the university ID card metaphor for PKI Lite certs. If a student shows their university ID at an off-campus facility, they know that they are divulging their name and their relationship with the university. [AI] Steve will work the following question into a scenario for the Department of Education: If students are informed that inter-domain use of a PKI Lite cert is similar to showing an ID card off campus, and on-campus alternatives are provided for students who opt out of using the cert, is that enough to meet FERPA requirements? Steve cautioned TAG not to hold up its work waiting for an answer. Bob Morgan noted that the Shibboleth group had decided early on that while FERPA compliance is useful, it's not nearly enough to meet people's reasonable expectations of privacy.
The group discussed next steps for the PKI Lite cert profile and the PKI Lite pilot. [AI] Jim will draft a request for feedback on the draft PKI Lite cert profile, including an explanation of the possibility of having to create separate profiles for S/MIME and web authentication; all will review in preparation for discussion on the next call. Jim noted that even if two profiles are necessary, the differences between them will likely be confined to the Subject field. There was general agreement that phase one of the PKI Lite pilot should be as simple as possible. [AI] Jim will set up a minimal web authentication demo on the Internet2 demo machine. The group agreed to limit the targets in the initial web authentication pilot to JSTOR and maybe some additional small databases (Judith knows of some possibilities here). For S/MIME, phase one of the pilot will be limited to at most three clients (Outlook Express, Netscape, and Eudora+Tumbleweed) and to TAG participants. The group briefly discussed adapting a listserv, but agreed that for the time being at least this is too much to take on. TAG will also produce some how-to documents to guide the PKI Lite pilot deployment.
Action Items
* [AI] 7-November - Jim will poll the TAG list about a new meeting time.
* [AI] 7-November - Eric will send a signed message to the TAG list to find out if listproc has the same problem with signed mail as does L-Soft.
* [AI] 7-November - Ed will send the list information on products that use the IBM 4758.
* [AI] 7-November - Judith will send the list information from Spencer on DLF's LDAP plans.
* [AI] 7-November - Eric and Jim will discuss next steps for getting the demo cert issuer onto the Internet2 demo machine.
* [AI] 7-November - Ed will send the list a) URLs on Netscape's work on S/MIME for Mozilla and b) the suggestions he has sent Netscape regarding this work.
* [AI] 7-November - All will read Ed's documents on S/MIME for Mozilla, in preparation for a discussion on the next call of TAG possibly making recommendations to Netscape.
* [AI] 7-November - Steve will work the following question into a scenario for the Department of Education: If students are informed that inter-domain use of a PKI Lite cert is similar to showing an ID card off campus, and on-campus alternatives are provided for students who opt out of using the cert, is that enough to meet FERPA requirements?
* [AI] 7-November - Jim will draft a request for feedback on the draft PKI Lite cert profile, including an explanation of the possibility of having to create separate profiles for S/MIME and web authentication; all will review in preparation for discussion on the next call.
* [AI] 7-November - Jim will set up a minimal web authentication demo on the Internet2 demo machine.
* [AI] 24-October - Ed will find TAG a reference on the DLF X.509 extension used to specify what application a cert is intended for.
* [AI] 24-October - All will review Ed's October 19 mail on CP information in the TrustID certs being used for HEBCA.
* [AI] 10-October - Jim will check status of action items from August 29 and earlier via email.
* [AI] 10-October - Jeff will draft a CPS template for PKI Lite.
* [AI] 26-September - Ellen will work with Renee on the issue of which OID to use (CREN has volunteered one), and get back to Judith to plan further.
* [AI] 26-September - Judith will see if Frank Grewe or Ron Hutchins can get TAG some CREN- and institution-signed user certs to use on the demo site to practice following chains.
* [AI] 26-September - Jeff will look into getting user certs from MIT for the demo site.
* [AI] 26-September - Eric and Jim will experiment with using S/MIME clients to exchange encryption capabilities.
* [AI] 29-August - Renee will look into what policies Internet2 is considering for software distributions.
* [AI] 29-August - All will look into which of their prospective PKI applications will separate authorization and authentication, and which will conflate them.
* [AI] 1-August - Ed will find out what CA software packages are being used on the campuses from which he's received PKI project information, and which of these packages are capable of adding a policy OID.
* [AI] 6-June - All will send Jim links to information on their campus PKI work, for the TAG web site.