*HEPKI-TAG Conference Call*
March 8, 2006
*Action Items* (new)
[AI] Scott will ask Bob Brentrup to write a report on the USHER key-generation process.
[AI] All will send URLs for CA software (open-source or not) to TAG.
[AI] Jim and David will draft requirements for the packaged-CA project, and start looking at available CA software in the light of those requirements.
(from previous calls)
[AI] Eric will let TAG know when Ron DiNapoli's work on Aladdin eTokens on Macintosh is available for the group to look at.
[AI] Neal will send out a URL for a document that tells you what to do if you want to use OpenSSL in FIPS mode.
[AI] All will look at http://www.gridpma.org/ for materials for the CA Audit project to point to or extract from.
[AI] Bob will send out pointers on UW's experience with the Federal Credential Assessment Framework (CAF).
[AI] All who can test the Eudora S/MIME plugin, or find others to do so, will contact Jim.
[AI] Jim will expand the signing-tools matrix with columns on APIs and scripting tools; multiple signatures (parallel vs. stacked); and whether or not the tool lets you add a trust anchor.
[AI] All who have time to investigate one or more of the signing tools at http://middleware.internet2.edu/hepki-tag/new/signing4.html will contact Jim.
[AI] Jim will continue looking at PKI Lite cert profiles for Rice's code-signing application.
[AI] Eric will call Mozilla's attention to the fact that they don't support the standards needed to recognize trust anchors on tokens, and nudge them to do something about it.
[AI] Eric will continue seeking feedback on his Top 10 lists, especially from HCISec.
[AI] Jim will get an OID for PKI Lite from MACE.
[AI] Mark will ask Jed Dobson for more information on OSG.
[AI] David will look at some of the products listed at http://middleware.internet2.edu/hepki-tag/new/signing4.html in the light of the list of questions there.
[AI] Neal will continue looking at OpenOffice, and Jim will look at eLock.
[AI] Jim will send the list more information on the Acrobat transcript-signing work at U. of Chicago.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on a future call.
[AI] All will send Jim further suggestions for TAG projects.
[AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
*Attendees*
Jim Jokl (chair) - Virginia
Scott Rea - Dartmouth
Nathan Faut - KPMG
Eric Norman - Wisconsin
Steve Carmody - Brown
Jeff Schiller - MIT
David Wasley - independent
John Krienke - Internet2
Neal McBurnett - Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
The group took note of an April 10-11 conference at NIST on PKI and Homeland Security Presidential Directive 12. For details see http://www.cio.gov/fpkipa/documents/PKIimplementationWorkshopAdvertisement.pdf.
The USHER private key was generated Feb. 27 in a ceremony at Dartmouth. John Krienke noted that USHER is not depending on a vendor appliance for key storage. The ceremony was videotaped, but Nathan pointed out that we need to further document the process for audit purposes. [AI] Scott will ask Bob Brentrup to write a report on the USHER key-generation process. More information on USHER is available at http://usher.internet2.edu.
The group reviewed the strawman USHER Campus Authority Certificate Profile (http://middleware.internet2.edu/hepki-tag/usher-common/usher-campus-1.html). The USHER PA will review this in April.
Jim has updated the list of open-source PKI software at http://middleware.internet2.edu/hepki-tag/opensrc.html. The group discussed the possibility of providing a software package to minimize the effort required for a campus to run a CA to support USHER. OpenSSL and Windows-based CAs both have their problems, but they're what most of the constituency for this project is familiar with. Eric noted that the InCommon CA is based on OpenSSL. [AI] All will send URLs for CA software (open-source or not) to TAG. [AI] Jim and David will draft requirements for the packaged-CA project, and start looking at available CA software in the light of those requirements.