Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

September 8, 2004
Attendees

* Jim Jokl (chair) - U. Virginia
* Nathan Faut - EDUCAUSE
* Nick Lewis - Internet2
* Neal McBurnett - Internet2
* Michael Gettes - Duke
* Eric Norman - U. Wisconsin
* Bob Morgan - U. Washington
* Mark Franklin - Dartmouth
* Renee Frost - U. Michigan/ Internet2
* David Wasley - UCOP
* Ben Chinowsky (scribe) - Internet2

Discussion

The group approved the minutes of the previous meeting.

The group reviewed action items:

[AI] Jim will prompt his contacts with various organizations to get endorsements for the Eudora S/MIME letter. - In process; Jim is starting to get some responses.

[AI] Jim will change the draft version of section 1.6 in the PKI-lite policy to version 1.0 and circulate to the list for final review. - Still to do.

[AI] Eric will contact Denise for input on the user portion of his Top 10 project. - Still to do.

[AI] All will send Eric suggestions for his Top 10 lists. - Still to do.

Jim noted that ARIN now supports signed email; see http://www.arin.net/registration/.

The Internet2 Member Meeting in Austin will include a BoF on campus PKI deployments; see http://events.internet2.edu/2004/fall-mm/sessionDetails.cfm?session=1705&event=219.
[AI] Anyone who can give a 5-10 minute presentation in Austin on what they're doing with PKI on their campus will contact Jim.

The group discussed several USHER issues:

- Neal noted that Level 1 USHER will do its own CP/CPS on the HEPKI-lite model. This will not be conformant with Federal processes.

- The main HSM options Neal is considering are 1) nCipher box with SSL, 2) etoken and SSL, and 3) using a CA that has HSM functions built in (offered by Keon). As the CA will be offline, hardware protection doesn't add that much, so the group is leaning toward 2). [AI] Neal will further investigate options for using the Aladdin etoken.

- The group discussed spare institutional certs as a possible solution to "the Christmas staffing problem" -- enabling institutions to do immediate revocation, regardless of who's on vacation. If this happens, you want the organization to be able to continue running, hence the interest in spare certs. Mark asked if this would encourage bad practice by making it easy for institutions to put systems back online right after a breach -- wouldn't they just be setting themselves up to get hit again? Eric suggested that it would only be worth doing spare certs if you have independent means of key protection for the main and the spare certs. Spare certs would be distinguishable by their serial numbers and public keys; David suggested they should have different names also. There was general agreement that spare certs should be optional.

- The group reviewed Neal's list of required auditable log entries (in http://bcn.boulder.co.us/~neal/i2/crencat/usher-cps.html); there were no objections.

[AI] All will review the latest version of http://bcn.boulder.co.us/~neal/i2/crencat/usher-cps.html for discussion on the September 22 call.

Mark noted that Dartmouth is implementing online cert revocation, and asked the group if it's OK for a subordinate CA to sign revocation lists for a CA higher up in the hierarchy. Also, online cert revocation raises the possibility of a DoS attack by means of getting the CRL server to revoke everything. Dealing with such an attack would require the ability to un-revoke certs -- is there any way to do this? The group had no definite answer to these questions; Neal is pursuing them on the TAG and PKI Labs lists.

Action Items

1. [AI] All will review the latest version of http://bcn.boulder.co.us/~neal/i2/crencat/usher-cps.html for discussion on the September 22 call.
2. [AI] Anyone who can give a 5-10 minute presentation in Austin on what they're doing with PKI on their campus will contact Jim.
3. [AI] Neal will further investigate options for using the Aladdin etoken.
4. [AI] Jim will prompt his contacts with various organizations to get endorsements for the Eudora S/MIME letter.
5. [AI] Jim will change the draft version of section 1.6 in the PKI-lite policy to version 1.0 and circulate to the list for final review.
6. [AI] Eric will contact Denise for input on the user portion of his Top 10 project.
7. [AI] All will send Eric suggestions for his Top 10 lists.