Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

November 8, 2000
Attendees

* Jim Jokl (chair) - Virginia
* Ken Klingenstein - Colorado/Internet2
* Neal McBurnett - Avaya
* Michael Gettes - Georgetown/Internet2
* Bob Morgan - Washington
* Eric Norman - Wisconsin
* Deb Crocker - Alabama
* Patty Gaul - CREN
* Renee Frost - Michigan/Internet2
* Judith Boettcher - CREN
* Kevin Unrue - Cornell
* Bob James - Pitt
* Ben Chinowsky (scribe) - Internet2
* Others joined and left the call at various times.

Discussion

After approving the minutes, the group took up the name-constraints discussion from the last meeting. Eric found "nothing particularly interesting" about this in the X.509 spec; the spec contains no clear statement about the purpose of the name constraint. There seems to be an unwritten assumption that (for example) CREN can tell Wisconsin that it can only issue certs that have Wisconsin in the Subject name; however, there is nothing to stop Wisconsin from issuing such a cert to some other university. It is recommended but not required that the name constraint be marked critical; it is not clear how a non-critical name constraint would be useful. There was discussion of whether name constraints are more of a technical issue or more of a policy issue; [AI] Bob M. will search the PKIX list for information on name constraints as a policy issue.

Next was a discussion of the HEPKI-TAG dc naming recommendation. [AI] Judith will ask Jeff where he wants the dc info for the directory to go. Bob M. noted that the DLF work takes the approach of defining a specific extension for getting more information about the cert. It was suggested that the recommendation should include the precedence of explicit over implicit extensions, a recommended standard extension, and the inclusion of an LDAP URL. It was agreed that the dc naming recommendation needs to make clear that HEPKI is not asking everyone with non-dc deployments to retrofit for dc naming. [AI] Jim will reword the dc naming recommendation in accordance with today's discussion, and solicit feedback via email. [AI] Bob M. will find the name of the pre-RFC document (the "flip side" of RFC 2247) that specifies how to map DNs into dc names, and send it to the TAG list.
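As an added illustration, not part of the minutes and not code from HEPKI-TAG or any body named here, the following Python models the name-constraints path check that the discussion of the previous two paragraphs turns on: an issuer's permitted and excluded subtrees are accumulated down the path and every later certificate's subject DN and dNSName SAN values must fall inside them (RFC 5280 section 4.2.1.10 semantics, with the permitted subtree expressed in the RFC 2247 dc form, `dc=wisc,dc=edu`, that the dc naming recommendation concerns). Two points from the minutes come out directly: a certificate with a subject under `dc=wisc,dc=edu` passes no matter whom the campus CA actually hands it to, because the extension constrains names, not parties; and a validator that does not implement the extension must reject a critical instance but silently ignores a non-critical one, which is the sense in which a non-critical name constraint is hard to make useful. All certificates, DNs and hostnames are constructed sample data held in plain dicts rather than parsed X.509; the simplified DN splitting assumes no escaped commas or multi-valued RDNs.

```python
"""Minimal RFC 5280-style name-constraints check over a certificate path.

Certificates are plain dicts of constructed sample data, not parsed X.509:
  subject           RFC 4514-style DN string, most specific RDN first
  san_dns           optional list of dNSName subjectAltName values
  name_constraints  optional {'critical': bool, 'permitted': [...], 'excluded': [...]}
A subtree is ('dns', 'wisc.edu') or ('dn', 'dc=wisc,dc=edu').
"""


class PathError(Exception):
    """A certificate in the path violates a constraint imposed by an issuer."""


def domain_to_dn(domain):
    """RFC 2247 mapping of a DNS domain to a dc-based DN: 'wisc.edu' -> 'dc=wisc,dc=edu'."""
    labels = [lab for lab in domain.lower().strip(".").split(".") if lab]
    return ",".join("dc=" + lab for lab in labels)


def _rdns(dn):
    """Simplified RFC 4514 split (assumes no escaped commas, no multi-valued RDNs)."""
    return [tuple(part.strip().lower() for part in rdn.partition("=")[::2])
            for rdn in dn.split(",")]


def dn_in_subtree(dn, base):
    """directoryName constraint: base must equal the root-side RDNs of dn."""
    d, b = _rdns(dn), _rdns(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def dns_in_subtree(host, base):
    """dNSName constraint: host is base itself or base with labels added on the left."""
    host, base = host.lower().rstrip("."), base.lower().rstrip(".")
    return host == base or host.endswith("." + base)


_MATCH = {"dns": dns_in_subtree, "dn": dn_in_subtree}


def _names(cert):
    """All names in a certificate that name constraints apply to."""
    return [("dn", cert["subject"])] + [("dns", h) for h in cert.get("san_dns", [])]


def validate_path(chain, process_name_constraints=True):
    """chain[0] is the trust anchor, chain[-1] the end-entity certificate.

    Returns the end-entity subject when every certificate satisfies the
    constraints of all certificates before it.  permitted_sets keeps one
    permitted list per constraining issuer: a name must lie in some subtree
    of every set (the intersection) and in no excluded subtree (the union).
    A set with no subtree of a name's type leaves that type unconstrained.
    """
    permitted_sets, excluded = [], []
    for cert in chain:
        for kind, name in _names(cert):
            match = _MATCH[kind]
            for base_kind, base in excluded:
                if base_kind == kind and match(name, base):
                    raise PathError("%s %r in excluded subtree %r" % (kind, name, base))
            for pset in permitted_sets:
                bases = [b for k, b in pset if k == kind]
                if bases and not any(match(name, b) for b in bases):
                    raise PathError("%s %r outside permitted %r" % (kind, name, bases))
        nc = cert.get("name_constraints")
        if nc is None:
            continue
        if not process_name_constraints:
            # A validator that does not implement the extension must reject a
            # critical instance and simply ignores a non-critical one.
            if nc.get("critical", False):
                raise PathError("unrecognised critical extension in %r" % cert["subject"])
            continue
        permitted_sets.append([tuple(s) for s in nc.get("permitted", [])])
        excluded.extend(tuple(s) for s in nc.get("excluded", []))
    return chain[-1]["subject"]


def rejects(chain, **kw):
    """True if validate_path raises PathError for this chain."""
    try:
        validate_path(chain, **kw)
    except PathError:
        return True
    return False


# Constructed sample path: a higher-ed root limits a campus CA to the RFC 2247
# dc namespace for wisc.edu and to hostnames under wisc.edu; the campus CA in
# turn excludes its guest OU.  Names and CAs are hypothetical.
ROOT = {"subject": "cn=HE Root CA,o=Sample Bridge",
        "name_constraints": {"critical": True,
                             "permitted": [("dn", domain_to_dn("wisc.edu")),
                                           ("dns", "wisc.edu")]}}
ROOT_NONCRIT = {"subject": ROOT["subject"],
                "name_constraints": dict(ROOT["name_constraints"], critical=False)}
CAMPUS = {"subject": "cn=Campus CA,dc=wisc,dc=edu",
          "name_constraints": {"critical": True,
                               "excluded": [("dn", "ou=guests,dc=wisc,dc=edu")]}}
ALICE = {"subject": "cn=Alice,dc=wisc,dc=edu", "san_dns": ["www.wisc.edu"]}
GUEST = {"subject": "cn=Guest,ou=guests,dc=wisc,dc=edu"}
OUTSIDER = {"subject": "cn=Bob,dc=umn,dc=edu"}
LOOKALIKE_HOST = {"subject": "cn=web,dc=wisc,dc=edu", "san_dns": ["wisc.edu.example.net"]}
# Inside the constraint, so accepted: the extension limits names, not who
# the campus CA actually issued the certificate to.
VISITOR = {"subject": "cn=Visitor from another campus,dc=wisc,dc=edu"}

if __name__ == "__main__":
    print(validate_path([ROOT, CAMPUS, ALICE]))
    for cert in (GUEST, OUTSIDER, LOOKALIKE_HOST, VISITOR):
        print(cert["subject"], "rejected" if rejects([ROOT, CAMPUS, cert]) else "accepted")
```

Running the block with `ROOT_NONCRIT` in place of `ROOT` and `process_name_constraints=False` accepts `OUTSIDER`, because a validator that does not recognise the extension is entitled to skip a non-critical one; the same call with `ROOT` fails on the critical extension. A real path validator also has to handle the other GeneralName forms (rfc822Name, URI, IP ranges), the RFC 4514 escaping rules, and the question of whether constraints in the trust anchor itself are honoured, all of which this model omits.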

In mobility work, Bob M. and Eric have been tracking IETF-SACRED. [AI] Eric will update Kevin on IETF-SACRED, and will send TAG some ideas on smartcards, as well as a summary of the Microsoft Crypto API angle on mobility. [AI] All those interested in participating in mobility discussions should contact Renee to be added to the mobility email list that she is setting up. [AI] Renee will let Kevin know who's currently on the mobility list. Several schools appear to be starting work with hardware tokens in a production PKI environment; Kevin noted that the mobility group is interested only in hardware tokens that make use of public keys or certs, not in secure ID cards. [AI] Ken will send the mobility list the URL for the Federal PKI TWG sessions on hardware tokens. [AI] Kevin will summarize Apple's Keychain on the mobility list.

Jim has gotten only one response so far to the draft survey of PKI deployments in higher education that he sent to the TAG list; he encouraged the group to provide more feedback. [AI] Judith will report on progress on the CA private key protection issue on the next call.

Jim noted that he has heard from several people who are wondering about TAG's plans for a HEBCA. It was agreed that the main current task in this area is to firm up the HEBCA CP; this involves talking about related technical issues such as what standards need to be in place to support the service. Michael is interested in making some short-term recommendations, such as "one BCA for higher ed". Judith has met with Jeff Schiller about BCA issues; they will be pursuing implications for software currently running. TAG agreed that it needs to coordinate with PAG on the HEBCA work; Michael, Jim, Judith, and Ken volunteered to participate in this joint effort. [AI] Eric will try to persuade Keith to participate in the TAG/PAG HEBCA work; [AI] Jim will arrange a conference call on the TAG/PAG HEBCA work, notifying the volunteers above, Eric, and (if Eric succeeds in securing his involvement) Keith. [AI] Michael will send TAG the HEBCA CP draft.

Finally the group discussed certificate profile convergence. There was general agreement on the likely necessity of the CP containing an explicit reference to a set of acceptable profiles. On the other hand, if the cert-convergence process doesn't go anywhere, it may be necessary to add a level of indirection. This raises the issue of who would be willing to deal with such indirection -- for example, would the Feds? It was agreed that TAG should ask Guida his opinion on this issue, and that PAG should take a look at it as well.


Action Items

* [AI] Bob M. will search the PKIX list for information on name constraints as a policy issue.
* [AI] Judith will ask Jeff where he wants the dc info for the directory to go.
* [AI] Jim will reword the dc naming recommendation in accordance with today's discussion, and solicit feedback via email.
* [AI] Bob M. will find the name of the pre-RFC document (the "flip side" of RFC 2247) that specifies how to map DNs into dc names, and send it to the TAG list.
* [AI] Eric will update Kevin on IETF-SACRED, and will send TAG some ideas on smartcards, as well as a summary of the Microsoft Crypto API angle on mobility.
* [AI] All those interested in participating in mobility discussions should contact Renee to be added to the mobility email list that she is setting up.
* [AI] Renee will let Kevin know who's currently on the mobility list.
* [AI] Ken will send the mobility list the URL for the Federal PKI TWG sessions on hardware tokens.
* [AI] Kevin will summarize Apple's Keychain on the mobility list.
* [AI] Judith will report on progress on the CA private key protection issue on the next call.
* [AI] Eric will try to persuade Keith to participate in the TAG/PAG HEBCA work.
* [AI] Jim will arrange a conference call on the TAG/PAG HEBCA work, notifying the volunteers above, Eric, and (if Eric succeeds in securing his involvement) Keith.
* [AI] Michael will send TAG the HEBCA CP draft.