October 8, 2003
Attendees
* Barry Ribbeck, UT-HSCH
* David Wasley, UCOP
* Jeanette Fielden, Internet2
* Neal McBurnett, Internet2
* Jim Jokl, U. Virginia
* Bob Brentrup, Dartmouth
* Mark Franklin, Dartmouth
* Steve Hannah, Sun
* Scott Cantor, OSU
* Steve Olshansky, Internet2
* Renee Frost, Internet2
* Eric Norman, U. Wisconsin
* Nathan Faut, Educause
Discussion
Steve Hannah of Sun previewed the findings of the OASIS PKI TC's survey on obstacles to PKI deployment and usage. A public review will take place in November and December.
Neal shared that there is increasing interest in a two-tier approach to the USHER CA: a lite version and a bridge-compliant version. Work is underway on naming the two components so they can be clearly distinguished.
Dartmouth has expressed interest in running USHER in combination with its bridge work; discussions are underway. Michael Gettes has been talking to Sun, RSA and others about hardware and software.
The highest priority is getting good, specific language into a CP, starting with the lite version, within the next couple of months.
Eric cautioned that the KeyOn software from RSA has many extra functions that will not be needed initially.
Eric has been trying to get people more interested in supporting an offline CA. KeyOn probably has an RA function, but it likely connects to the CA over a network. Jim pointed out that if the RA and CA are run right next to each other on an isolated private network, the CA is in effect offline.
Neal asked whether any other software does this better. Eric does not believe so, but will report on his experience using the OpenSSL libraries. He will soon send out the procedures he has documented for other protections that do not require buying cryptographic hardware for the CA machine.
Dartmouth does not have the KeyOn software yet. They have iPlanet in production and previously ran Entrust software in production. They purchased iPlanet from Sun (it was renamed Sun ONE) before it reached the end of its product life; it is no longer for sale but will be supported for a couple more years, and it is very similar to the product AOL/Netscape is still selling.
There was no quorum at the last HEBCA meeting to review the latest CP draft. David explained that the CP is tailored specifically to the bridge and is derived from the Higher Ed CP draft, though the two need to be synchronized. He also intends to reconcile the CP with what the federal government releases this fall.
Mail client table updates
Neal has looked at the Mutt mailer. It has decode-save and decode-copy commands that can save encrypted mail in folders in unencrypted form, and it works with PGP. But it does not save an unencrypted copy of outgoing encrypted mail.
Jim and Eric are updating the mail client table for the Pine and Mulberry mailers. Updating the tables would fit into the action plan OASIS is discussing, and would take advantage of the work the group is already doing.
Plug-ins are needed for Eudora to handle certificates, and they are generally available only if the software was purchased from a commercial CA vendor. Plug-ins for Tumbleweed etc. no longer officially exist. For Mac users the best hope is the new Mac mail client that will be released with S/MIME support, though it won't be in the initial Panther release.
The Entrust plug-in for Eudora works with the Entrust certificate client. While the entire interface may not technically be needed to read a signature, the Eudora plug-in will likely expect to talk to the OS-level Entrust component to work properly, since that is where the whole key store lives. In practice, the whole Entrust interface must be installed in the OS in order to use their clients.
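Two of the points above, the offline CA fed by a networked RA (Eric's and Jim's discussion) and the Mutt observation that outgoing encrypted mail is not kept in readable form, can both be made concrete with plain OpenSSL. The script below is an added example written for these minutes; it is not Eric's procedure, USHER's CP, or any of the vendors' software. It builds a root CA whose key only ever lives under a directory standing in for the offline machine, an online issuing CA that the RA would talk to, two S/MIME user certificates issued without the root key, and then signs a message, encrypts it to the recipient and to the sender, and decrypts and verifies the sender's own copy. All names, e-mail addresses, paths and the test message are constructed for the example.

```shell
# Added example, not from the meeting minutes: a two-tier OpenSSL CA in which
# the root key only ever exists under ROOT_DIR (standing in for the offline
# machine) while routine issuance runs from ISSUING_DIR (the networked CA the
# RA talks to), plus an S/MIME sign/encrypt/decrypt round trip. Names, e-mail
# addresses and paths are assumptions for this example; the only input is a
# constructed test message.
set -e
WORK=${WORK:-$(mktemp -d)}
ROOT_DIR="$WORK/offline-root"       # touched only on the isolated host
ISSUING_DIR="$WORK/online-issuing"  # the CA reachable from the RA
mkdir -p "$ROOT_DIR" "$ISSUING_DIR"

# X.509 extensions: the root may sign one tier of CAs, the issuing CA may
# sign only end entities, and user certs are restricted to e-mail use.
write_extensions() {
    cat > "$ROOT_DIR/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:1
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    cat > "$ROOT_DIR/issuing.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
    cat > "$ISSUING_DIR/smime.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=emailProtection
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
}

# Offline step, done once: self-signed root. Nothing here needs a network.
make_root_ca() {
    openssl genrsa -out "$ROOT_DIR/root.key" 2048 2>/dev/null
    openssl req -new -key "$ROOT_DIR/root.key" -out "$ROOT_DIR/root.csr" \
        -subj "/O=Example University/CN=Example Offline Root CA"
    openssl x509 -req -in "$ROOT_DIR/root.csr" -signkey "$ROOT_DIR/root.key" \
        -days 3650 -sha256 -extfile "$ROOT_DIR/root.ext" \
        -out "$ROOT_DIR/root.crt" 2>/dev/null
}

# The issuing CA's key is generated on the online host; only its CSR is
# carried to the root machine and only the signed certificate comes back.
make_issuing_ca() {
    openssl genrsa -out "$ISSUING_DIR/issuing.key" 2048 2>/dev/null
    openssl req -new -key "$ISSUING_DIR/issuing.key" \
        -out "$ISSUING_DIR/issuing.csr" \
        -subj "/O=Example University/CN=Example Online Issuing CA"
    openssl x509 -req -in "$ISSUING_DIR/issuing.csr" \
        -CA "$ROOT_DIR/root.crt" -CAkey "$ROOT_DIR/root.key" -CAcreateserial \
        -days 1825 -sha256 -extfile "$ROOT_DIR/issuing.ext" \
        -out "$ISSUING_DIR/issuing.crt" 2>/dev/null
}

# Routine issuance: the RA-facing CA signs a user's S/MIME cert without the
# root key being involved at all.  $1 = short name, $2 = e-mail address.
issue_user_cert() {
    { cat "$ISSUING_DIR/smime.ext"; printf 'subjectAltName=email:%s\n' "$2"; } \
        > "$ISSUING_DIR/$1.ext"
    openssl genrsa -out "$ISSUING_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$ISSUING_DIR/$1.key" -out "$ISSUING_DIR/$1.csr" \
        -subj "/O=Example University/CN=$1/emailAddress=$2"
    openssl x509 -req -in "$ISSUING_DIR/$1.csr" \
        -CA "$ISSUING_DIR/issuing.crt" -CAkey "$ISSUING_DIR/issuing.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$ISSUING_DIR/$1.ext" \
        -out "$ISSUING_DIR/$1.crt" 2>/dev/null
}

# Exit 0 when $1's certificate chains to the root through the issuing CA.
verify_chain() {
    openssl verify -CAfile "$ROOT_DIR/root.crt" \
        -untrusted "$ISSUING_DIR/issuing.crt" "$ISSUING_DIR/$1.crt" >/dev/null 2>&1
}

# Sign as $1, encrypt to recipient $2 AND to the sender, decrypt the sender's
# own copy and verify the signature against the root. Listing the sender as a
# recipient is what keeps a sent-mail folder readable without storing plaintext.
smime_roundtrip() {
    printf 'Hello from %s, this is a constructed test message.\n' "$1" > "$WORK/msg.txt"
    openssl smime -sign -text -in "$WORK/msg.txt" -signer "$ISSUING_DIR/$1.crt" \
        -inkey "$ISSUING_DIR/$1.key" -certfile "$ISSUING_DIR/issuing.crt" \
        -out "$WORK/signed.eml"
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" -out "$WORK/enc.eml" \
        "$ISSUING_DIR/$2.crt" "$ISSUING_DIR/$1.crt"
    openssl smime -decrypt -in "$WORK/enc.eml" -recip "$ISSUING_DIR/$1.crt" \
        -inkey "$ISSUING_DIR/$1.key" -out "$WORK/dec.eml"
    openssl smime -verify -text -in "$WORK/dec.eml" -CAfile "$ROOT_DIR/root.crt" \
        -out "$WORK/verified.txt" 2>/dev/null
    grep -q "Hello from $1" "$WORK/verified.txt"
}

write_extensions
make_root_ca
make_issuing_ca
issue_user_cert alice alice@example.edu
issue_user_cert bob bob@example.edu
verify_chain alice && verify_chain bob && echo "chain verification OK"
smime_roundtrip alice bob && echo "S/MIME round trip OK"
```

In a real deployment ROOT_DIR is a machine with no network interface, the issuing CA's CSR and its signed certificate travel on removable media, and the pathlen:0 constraint on the issuing CA is what stops a compromised online CA from minting further CAs. The sender-as-recipient step in smime_roundtrip is the general answer to the Mutt limitation noted above: the sent copy stays encrypted on disk but is decryptable with the sender's own key.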
Action Items
1. [AI] Jim will send out profiles to the list to get closure on them.
2. [AI] Nathan will submit David's latest CP draft to the HEBCA site and mail the list when it's available.