Technical Activities Group Meeting Minutes
HEPKI-TAG Conference Call

February 9, 2005

Attendees

* Jim Jokl (chair) - Virginia
* Bob Morgan - Washington
* Mark Franklin - Dartmouth
* Eric Norman - Wisconsin
* Jeff Schiller - MIT
* Neal McBurnett - Internet2
* Ken Klingenstein - Colorado/Internet2
* Nick Lewis - Internet2
* IJ Kim - Internet2
* Ben Chinowsky (scribe) - Internet2

Discussion

Updates from Ken:
- A common "storefront" is being set up to perform the RA function for InCommon, USHER, and HEBCA. Pricing will be set for cost recovery; InCommon membership is starting out at $700 to join plus $1000 yearly. There may also be packaging -- e.g., join InCommon and get a free USHER cert.
- Due to continuing claims on CREN's intellectual property, Ken asks that all cease referring to USHER as "the CA formerly known as CREN."
- Ken is pursuing funding for work on federated digital signatures. This looks promising; the Federal Government is interested in having us get this working on the campuses, then bridge to them later. PESC is also interested in experimenting with federated signatures. Jeff expressed concern that this work could play into the hands of those who want to greatly increase the liability involved in using a cert, so that "when I get my cert I'm giving power of attorney to my PC." Bob and Ken argued that these concerns could be addressed in this new area similarly to how they are addressed with existing uses of certs.
Ken wrapped up by stressing that TAG's input is crucial both to USHER and to the federated signatures work, especially where the Federal Government is involved.

The group reviewed the latest draft of the PKI-Lite CP/CPS (http://pkidev.internet2.edu/pki-lite-policy-practices-4-4.doc). Eric will send further changes to the TAG list [done Feb. 12]. [AI] Jim will further revise the PKI-Lite CP/CPS (sections 1.4, 1.6, and 1.7 in particular), label it "Version 4.5" instead of "Draft 4.4", and send it to the list for approval.

Jim reported that Qualcomm is in fact going to do an S/MIME implementation for Eudora. They are still reviewing our docs, but so far our High and Medium priorities line up with theirs.

Finally, Mark suggested that TAG produce recommendations for a generic hierarchy that schools who want to get on USHER could implement. Eric observed that as the big hassle in the event of a disaster is reissuing certs to all the students, the CA that issues those certs should be a subsidiary -- that way if it's compromised, it won't impact the root and require reissuing of the USHER cert.
Mark observed that most schools seem to have implemented hierarchies; on the other hand, Dartmouth has just one CA, and it's online. Jeff noted that MIT has two CAs, an offline server and an online client; not doing hierarchies wasn't a deliberate decision, as they just didn't work at the time MIT's CAs were set up.
MIT has considerable experience with replacing certs using this setup. Mark described MIT's approach to CA placement as "nearline" -- the CA is hard for hackers to reach, but cert issuance is still automated. There was general agreement that both hierarchical and flat approaches have their advantages.
[AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on the Feb. 23 call.

Action Items

(new)

* [AI] Jim will further revise the PKI-Lite CP/CPS (sections 1.4, 1.6, and 1.7 in particular), label it "Version 4.5" instead of "Draft 4.4", and send it to the list for approval.
* [AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on the Feb. 23 call.

(from previous calls)

* [AI] Jeff will send Jim a Mutt column for the TAG S/MIME table.
* [AI] Eric will ask Scott Fullerton if he wants to work on internal CA audit requirements.
* [AI] All will send Jim further suggestions for TAG projects.
* [AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
* [AI] Eric will look for pointers on using trust anchors on tokens.
* [AI] Eric will contact Denise for input on the user portion of his Top 10 project.
* [AI] All will send Eric suggestions for his Top 10 lists.