S/MIME Conference Call
February 27, 2002
NOTE: Regular call schedule TBD
*Attendees*
Andrew Newman - Yale
Bob Brentrup - Dartmouth (Co-Chair)
Charles Powell - Yale
Chris Misra - U. Mass
Dan Jones - UC-Boulder
Ellen Vaughan - Internet2
Eric Norman - UW-Madison
Eric Rivas - Yale
Gary Chapman - NYU
Jim Jokl - Virginia (Co-Chair)
Leslie Tolman - Tufts
Orow Long - Yale
Saul Tannenbaum - Tufts
Stephen Wadlow - Tufts
Steve Olshansky - Internet2 (Flywheel, stand-in scribe)
Note: I may have some of the attendee names misspelled, for those not on
the Internet2 S/MIME list (see below). Please send me a mail offline to
correct the spelling of your name, for future reference.
Below is the current list (as of 5-Mar-02) of subscribers to the list
mw-smime@internet2.edu.
*** For those of you not already on the list, who hopefully have had these
minutes forwarded to you by a colleague, please send me mail with your
preferred name and e-mail address and we will get you on the list ASAP. ***
amb3@cornell.edu Andrea Beesing
bvincent@stanford.edu Bruce Vincent
charles.powell@yale.edu Chuck Powell
cmisra@oit.umass.edu Chris Misra
cramert@musc.edu Thomas Cramer
dan.jones@colorado.edu Dan Jones
echamber@socrates.berkeley.edu Eric Chamberlain
ejnorman@doit.wisc.edu Eric Norman
gary.chapman@nyu.edu Gary Chapman
gene@shalott.ots.utexas.edu Gene Titus
gettes@georgetown.edu Michael Gettes
jaj@virginia.edu Jim Jokl
kjk@internet2.edu Ken Klingenstein
lvarian@princeton.edu Lee Varian
robert.j.brentrup@dartmouth.edu Robert Brentrup
saul.tannenbaum@tufts.edu Saul Tannenbaum
steveo@luminagroup.com Steve Olshansky
tcpiket@mtu.edu Todd Piket
*Discussion*
As this was the kickoff call for the WG, we spent some time discussing our
mission and goals going forward, which will be to explore and shape the
discussion surrounding S/MIME development and implementation.
1) Why we are here:
Focused on inter-institutional S/MIME pilot, using PKI-Lite certificates,
policies, and practices.
For background see Higher Education PKI Technical Activities Group
(HEPKI-TAG) site:
- http://middleware.internet2.edu/hepki-tag
- http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pki-lite-smime-4.html
(Background on PKI-Lite S/MIME Experiment Requirements)
- http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-smime-clients-3.html
Much of the early conversation in this group will be related to
- S/MIME pilot deliverables and requirements document
- Previous testing with e-mail clients
2) Project goals
This project focused on S/MIME and interoperability.
- If things work well with PKI-Lite, will work with other heavier
versions of PKI
- Also looking at apps that will talk S/MIME beyond clients
- Focus: get this done and documented so people can use it
Phase 1 Goal: test interoperability between schools, across multiple e-mail
clients. Focused on technical staff, certs (of PKI-Lite profile or other PKI if
you are already using it)
If you don't already have a CA, several demo CAs available, links from
main HEPKI-TAG site http://middleware.internet2.edu/hepki-tag/
Phase 2 Goal: get users using S/MIME, iron out the kinks, share documentation
- do more than send signed and encrypted mail between users
CREN will work with schools who don't already have a CA, will issue certs
with some level of assurance
Difference: Phase 2 gets real users involved on your campuses
- Docs from Phase 1 available so you don't have to reinvent the
wheel for clients you choose to support
- Find some business apps (e.g. user signed mail to an app, or an app
sending signed e-mail)
- Phase 1 and 2 not necessarily sequential, can overlap
Another goal: listserv (modified Majordomo? Mailman? Symta?) that will be
able to interpret signed messages to control some of its activities.
Current listservs can be fooled by address changes
Eudora formerly supported S/MIME mail with a plug-in, but apparently it is no
longer supported
- Resurrect this? Work on this collectively?
Bob Brentrup (Dartmouth) has some programming resources available due to
funded project to work in this area
Email clients looked at so far overall: Netscape Messenger, Mozilla, Outlook
Windows Eudora plug-in: eval copies available, but no action in ~2 years
- No long term viable system for Eudora at the moment?
3) Campus Email client inventory (heavily used)
(Many campuses have a number of webmail users. Private key management and
portability are key issues, maybe not solvable in the near term?)
UW-Madison: Eudora (officially supported)
VA: Mulberry, Eudora (officially supported)
Dartmouth: Locally developed client - BlitzMail
Also Netscape Messenger, Eudora, Outlook
Mac OS X native mail client (IMAP4), no S/MIME features yet
NYU: (doesn't legislate, so a variety in use)
IMP open source web mail (IMAP)
Plus Outlook, EudoraLite, Netscape
Pine diehards, not likely to go away
iPlanet mail server, comes with messenger express webmail client
(looking to upgrade iPlanet mail server v. 4 => 5) (soon)
Tufts
Netscape Messenger
Outlook
Webmail hotmail etc
Pine diehards, not likely to go away
Colorado
Netscape, Outlook, Eudora (mostly Mac), IMP
U. Mass
Netscape, Outlook, Pine, IMP Webmail
Yale
Eudora, Outlook, Netscape, Pine, Homegrown webmail, Palm Eudora
growing WinCE, Outlook
UW-Madison
GroupWise users interested in participating, being told by funding
agencies to get going with secure e-mail.
4) Campus Directory Services
Q: Do you have a central namespace on campus? Do you have a central LDAP
Directory?
Yes to both: VA, Dartmouth, UC-Boulder, NYU, Yale, Tufts, U. Mass,
UW-Madison
Q: anybody using directory server other than iPlanet?
A: HEPKI demo using OpenLDAP, but other than that, no.
5) CAs available:
(who will be providing their own certs, vs using demo CAs?)
UW-Madison: iPlanet CMS, plus their own server
VA: Campus CA
Dartmouth: Entrust, iPlanet being experimented with
NYU: putting up open source and iPlanet CMS for testing, timing uncertain
UC-Boulder: institutional CA, plus can generate their own certs
Tufts: OpenSSL (not really institutional CA)
Yale: Win2K Active Directory and Cert Server
U. Mass: Open source issues own certs (CREN cert coming)
Everyone planning to issue own certs
6) Applications being used:
UW-Madison: S/MIME pilot project usability study results determined that
Eudora not usable, because there is no S/MIME support for Mac -- so
will start using Netscape messenger
NYU: looking at evolving workflow apps based on Oracle workflow
not clear yet how much e-mail associated
if there is a significant e-mail component, then will need signed
approval for transactions
Overall WG Goal: come up with some more apps/uses beyond signed/encrypted
email??
i.e. real business uses that would motivate funding sources on campuses to
support deployment
- try to keep that goal in mind, along with tech questions as we move forward
- drive technologies to be deployed on campuses - e.g. mailing lists:
- alleviate authz problem
- rely on msg sig to make authz decisions
- moderator would not have to moderate posters to lists (may still have to
moderate content)
- when delivered to end user, would msg be signed?
- whose/how many public keys would be needed to send the msg?
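The signature-aware list server sketched in section 2 (a listserv that reads
signed messages to control its own activities) and the mailing-list bullets just
above (use the message signature, not the From: line, for the authz decision),
worked through as an added example that is not part of these minutes and not
code from Internet2, HEPKI-TAG or any listserv project: a POSIX shell script
built on the openssl command-line tool, which it assumes is installed. The
campus CA, the member certificate, every address and the subscriber list are
constructed for the demo. The CA cert stands in for a root cert pulled from the
shared repository (action item 4) and is the only trust anchor the list accepts;
a post is accepted only if its signature chains to that root, the certified
address is a subscriber, and the From: header agrees with the certified address.

```shell
#!/bin/sh
# Added example, not from the minutes: a signature-aware list server's posting
# check, built on the openssl command-line tool (assumed installed). The CA,
# the member, the addresses and the subscriber list are all constructed.
set -e
WORK="${SMIME_DEMO_DIR:-$(mktemp -d)}"
LIST_ADDR="mw-smime-demo@example.edu"   # constructed list address

# Constructed campus CA; its cert plays the role of a root cert fetched from
# the shared repository, and it is the only trust anchor the list accepts.
make_demo_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Campus
CN = Example Campus CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

  # Member certificate, PKI-Lite style: the e-mail address lives in the
  # subjectAltName and the key is restricted to e-mail protection.
  cat > "$WORK/alice.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
O = Example Campus
CN = Alice Example
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/alice.cnf" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
  cat > "$WORK/alice.ext" <<'EOF'
subjectAltName = email:alice@example.edu
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
EOF
  openssl x509 -req -days 1 -sha256 -in "$WORK/alice.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/alice.ext" -out "$WORK/alice.pem" 2>/dev/null

  # Subscriber list keyed by certified address (constructed).
  printf 'alice@example.edu\n' > "$WORK/members.txt"
}

# sign_post <from-header> <body-file> <out-file>: what the member's mail
# client would send: a clear-signed multipart/signed S/MIME message.
sign_post() {
  openssl smime -sign -md sha256 -in "$2" -signer "$WORK/alice.pem" \
    -inkey "$WORK/alice.key" -from "$1" -to "$LIST_ADDR" \
    -subject "demo post" -out "$3" 2>/dev/null
}

# list_post_decision <message-file>: prints accept or reject. The From: line
# alone is never trusted; the certified address from a verified signature is.
list_post_decision() {
  msg="$1"
  signer="$WORK/signer.$$.pem"
  # 1. Signature must verify and chain to the repository root.
  if ! openssl smime -verify -in "$msg" -CAfile "$WORK/ca.pem" \
       -signer "$signer" -out /dev/null 2>/dev/null; then
    echo reject; return 0
  fi
  cert_mail=$(openssl x509 -in "$signer" -noout -email | head -n 1)
  hdr_mail=$(sed -n 's/^From:[[:space:]]*//p' "$msg" | head -n 1)
  rm -f "$signer"
  # 2. Certified address must be a subscriber; 3. header must match it.
  if [ -n "$cert_mail" ] && grep -qxF "$cert_mail" "$WORK/members.txt" \
     && [ "$cert_mail" = "$hdr_mail" ]; then
    echo accept
  else
    echo reject
  fi
}

make_demo_pki
printf 'Budget line 1234 approved.\n' > "$WORK/body.txt"
sign_post "alice@example.edu"   "$WORK/body.txt" "$WORK/good.eml"
sign_post "mallory@example.edu" "$WORK/body.txt" "$WORK/forged_from.eml"
sed 's/1234/9999/' "$WORK/good.eml" > "$WORK/tampered.eml"   # body altered in transit
printf 'From: alice@example.edu\nTo: %s\n\nBudget line 1234 approved.\n' \
  "$LIST_ADDR" > "$WORK/unsigned.eml"                      # header-only claim

list_post_decision "$WORK/good.eml"          # accept
list_post_decision "$WORK/forged_from.eml"   # reject: From: does not match cert
list_post_decision "$WORK/tampered.eml"      # reject: digest no longer matches
list_post_decision "$WORK/unsigned.eml"      # reject: nothing to verify
```

The three failure cases correspond to the ways an address-based listserv can be
fooled: a forged header, a message altered after signing, and a message with no
signature at all. The open questions in the bullets above (whether the message
reaches subscribers still signed, and whose keys an encrypted post would need)
are not settled here; keeping the signature intact on delivery means forwarding
the original multipart/signed body unchanged, which this check does not attempt.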
Q: Are there changes we should make to project outline/scope in
requirements doc (from HEPKI-TAG)?
- if something comes to mind send it to the list for discussion
- time to change things later
- interplay between digitally signed mail and webmail is going to be interesting
- much harder problem with PKI
- maybe impossible? can't do digital signatures?
- non-repudiation argument difficult?
- secure co-processor (Dartmouth has a student looking at this)
- server to get involved in signing process?
- goal is to establish channel across long distance, as if sitting on your desk
7) Docs in progress:
Bob Brentrup(Dartmouth): Netscape and Outlook docs in progress
Eric Norman (UW-Madison): Netscape and Eudora
E.g. CMU doc on using PGP: Why Johnny can't encrypt
- basic explanation for users would be very helpful
Need for client docs in Phase 1 not so critical, but for Phase 2 (normal
users) much more important to have help files
- FAQ site
- Screen shots, step by step
- load certs
- sign and encrypt
- w/o key escrow, could possibly lose access to Sendmail?
- understand reasons to use and risks
*Action Items*
1. [AI] 27-Feb-02 (All): collect and send names of initial testers to
SteveO (Note: assumption is that this group will consist primarily of
technical staff from the respective campuses) [Due: by 13-Mar or earlier if
possible]
2. [AI] 27-Feb-02 (All): determine which e-mail client(s) you wish to test
initially on your campuses and send to the list (prioritized if
appropriate) for discussion. [Due: by 13-Mar if possible]
3. [AI] 27-Feb-02 (Steve, Jim) Coordinate schedule for next call, regular
schedule ongoing [Due: ASAP, by 8-Mar if possible]
4. [AI] 27-Feb-02 (All) For those schools who already have their test or
production CAs set up now, send root certs to Jim to get into repository.
Others, when you are ready. [Due: ASAP, by 8-Mar if possible]
5. [AI] 27-Feb-02 (All) If you have any existing in-house S/MIME client
docs that you are ready to share (beyond vendor-provided help files),
please send to the list. [Due: ASAP, by 8-Mar if possible]
6. [AI] 27-Feb-02 (Jim) mail out cert repository URL to the list [Due: 7-Mar]