Technical Activities Group Meeting Minutes
HEPKI-TAG Spring Member Meeting BoF

April 19th 2004

Presentations will be posted at: http://events.internet2.edu/2004/spring-mm/sessionDetails.cfm?session=1415&event=203 when received.

Ann West of Educause/Internet2 gave a presentation on the Authentication Roadmap and its proposed components. The Enterprise Directory Implementation Roadmap was released in NMI release R3 last year and is located at: www.nim-edit.org. The next step is to work up through the enterprise middleware components to authentication. There is not a lot out there right now in the way of campus recommendations regarding authentication. A group has been put together to start assembling best practices for authentication. The idea is for campuses to come in, look at the scenarios, evaluate where they fit within them, and identify issues. Let Ann know (awest@internet2.edu) if you're interested in participating. Ann is soliciting feedback on drafts and will coordinate with Jim Jokl, the HEPKI-TAG working group chair, about forwarding materials to the HEPKI-TAG list for review.

Steve Hanna of Sun Microsystems, co-chair of the OASIS PKI technical committee (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pki), talked about the OASIS PKI Action Plan. He provided an overview of the PKI survey conducted by OASIS and the resulting five-point action plan, located at: http://www.oasis-open.org/committees/pki/pkiactionplan.pdf

The top five obstacles to PKI deployment and usage identified by the survey are:

1. Software Applications Don't Support It
2. Costs Too High
3. PKI Poorly Understood
4. Too Much Focus on Technology, Not Enough On Need
5. Poor Interoperability

They then created an action plan to address how to overcome those identified obstacles:

1. Develop action guidelines for PKI use.
2. Increase testing to improve interoperability
3. Ask application vendors what they need
4. Gather and Supplement Educational Materials on PKI
5. Explore Ways to Lower Costs

He emphasized that it is important for institutions to sign onto the action plan, so vendors will realize that customers do want it. After reviewing the action plan, send Steve e-mail at steve.hanna@sun.com to sign on as a supporting institution.

A question was asked about downloading and installing a certificate to experiment with, for those who don't have the means to procure a certificate or don't really understand what it takes to create a self-signed cert. Mark Franklin of Dartmouth is working on a "CA in a Box" to help people get up and running with PKI.

Steve also discussed a new open source project, Lib PKIX, at Sun in conjunction with Dartmouth, which is a C library for building and validating X.509 certificate paths. An obstacle for application vendors is that they don't want to write this code themselves or buy/license it from someone else, especially for something like OpenSSL. They are working on a C version and are in discussion with Mozilla, OpenSSL, and others. There is a lot of interest in the library, and institutions can help. There are interesting research issues for graduate students concerning revocation techniques, path building, etc., and there are also coding opportunities. Email Steve at steve.hanna@sun.com for information.

Jim Jokl, the chair of the HEPKI-TAG working group, asked what topics institutions are interested in.

There were two common threads in the responses:

1. Many institutions are looking to learn how to get started on PKI, and
2. what applications will help drive adoption of PKI.

Jim talked about the PKI-lite materials on the HEPKI-TAG web site, which are intended to help people get started. Traditionally PKI is thought of as high assurance, hard to implement, and expensive. PKI-lite is a less difficult version to begin with. Information on PKI-lite can be found at: http://middleware.internet2.edu/hepki-tag/#PKI_Lite

Applications such as wireless networks and resource access may help drive PKI adoption.

Jim presented several slides outlining HEPKI-TAG areas of work. One is USHER: the US Higher Education Root CA. The idea is to work out whether there should be a hierarchical CA with many schools sharing the same trust root, and how it should be organized. This derives from the CREN root, which is now being handled by Internet2. There is also work on the InCommon CA, which would issue certificates for use with Shibboleth.

The HEPKI-TAG site is located at http://middleware.internet2.edu/hepki-tag. There are sections on Open Source Software, S/MIME, profiles, practice statements, PKI-lite and USHER, as well as additional related topics. Another site with relevant information is http://pki-dev.internet2.edu. Jim will e-mail URLs out to people who signed the list at the BoF.

To participate in the HEPKI-TAG working group, please contact Jim at jaj@virginia.edu.