March 9, 2005
* Jim Jokl (chair) - Virginia
* Renee Frost - Michigan/Internet2
* Eric Norman - Wisconsin
* Shelley Henderson - USC
* David Wasley - independent
* Ben Chinowsky (scribe) - Internet2
Jim described a cert profile issue that has emerged with the SURA/NMI Testbed Grid PKI Bridge CA (https://www.pki.virginia.edu/nmi-bridge/). The Bridge CA needs the Authority Key Identifier field to either not be used or not contain the Issuer/Serial Number attribute. It appears that the default configuration for the Globus Toolkit's SimpleCA, which many of the campuses are using, puts Issuer/Serial Number in the AKI field. The group agreed to modify the PKI-Lite cert profile to
a) recommend using the AKI field, and
b) require that if you do so, it should contain only a hash.
The group discussed tools for the signed-documents project. Jim has been compiling a list; see http://middleware.internet2.edu/hepki-tag/new/signing.html.
[AI] Jim will follow up on a real-world Acrobat signing app he's heard of.
[AI] Shelley will ask her sysadmins list for information on applications using any of the tools on Jim's list. Further research is needed on the capabilities of these tools; the group made a list of questions that need to be considered:
1. What document formats
can the tool sign (PDF,
2. Does the tool do anything to help with the signed active content problem?
3. How does the tool handle revocation? Is it via the OS? Are CRLs and/or OCSP supported?
4. Does the tool do anything special to facilitate point-in-time signature validation and logging on receipt?
5. Is the whole certificate chain included with the signature?
6. Keystore options (e.g. operating system vs. tool-specific). Can tokens be used?
7. Does the product support signing web forms such that both the POST data from the user, and the full data needed to display what the user saw when they pushed the "sign" button, are included in the signed data?
8. What operating systems are supported?
9. How might the tool fit into the normal campus process workflow? E.g., can you specify that a document must be signed by specific people in a specific order?
10. Does the tool support multiple signatures on a document?
Finally, Eric noted that
he's talked to people at
Wisconsin about adding PKI
to their audit project.
He's hoping to know more
about this by the March
* [AI] Jim will follow
up on a real-world Acrobat
signing app he's heard of.
* [AI] Shelley will ask her sysadmins list for information on applications using any of the tools on Jim's list.
* [AI] Jim will draft a discussion of the pros and cons of hierarchical and flat campus PKIs for discussion on the March 23 call.
* [AI] All will send suggestions for presentations at the PKI deployment summit to Mark Franklin (Mark.J.Franklin@Dartmouth.EDU) and Steve Worona (firstname.lastname@example.org).
* [AI] Jeff will send Jim a Mutt column for the TAG S/MIME table.
* [AI] All will send Jim further suggestions for TAG projects.
* [AI] Jim will send mail to people who have expressed interest in various possible areas of work for TAG, and work toward finding a focus for the group.
* [AI] Eric will look for pointers on getting Mozilla to recognize trust anchors on tokens.
* [AI] Eric will review his Top 10 lists to see if they're ready to be added to the TAG web site.