S/MIME Conference Call
March 14, 2002
* Attendees *
Tim O'Connor - New York University
Chuck Powell - Yale University
Morrow Long - Yale University
Chris Misra - University of Massachusetts
Saul Tannenbaum - Tufts University
Bob Brentrup - Dartmouth University (Co-Chair)
Jim Jokl - U. Virginia (Co-Chair)
Steve Wadlow - Tufts University
Eric Norman - UW-Madison
Neal McBurnett - Internet2
Todd Piket - Michigan Tech University
Steve Olshansky - Internet2
Natalie Chin - U. Colorado Boulder (scribe)
** Discussion **
Before the call, SteveO sent out an email with a list of people who are
currently subscribed to the S/MIME email list. He wanted to verify that
everyone who wanted to be was subscribed to the email list. Steve urged
those on the call to review the list and send names of colleagues who
should be on the list to him, so that he can add them as soon as possible.
Jim Jokl asked if there were any items to be added to the agenda. Bob
Brentrup mentioned that he is still looking for members of the WG to send
names of the testers on their respective campuses. Additionally, he
proposed the idea of a second email list to supplement the existing list,
solely for the testers. Next, Tim O'Connor brought up the issue of end
user certificates. He was inquiring about which certificates should be
used and if there existed a general consensus about any of the available
certificates.
The minutes of the last meeting were approved. The current process is to
have the minutes posted on the web after they are accepted. Jim asked if
anyone objected to posting the minutes online. Since there were no major
objections, SteveO will arrange for this.
The first AI to be discussed was the collection of the names of potential
testers. Jim has not received much response to this to date, so he asked
whether people aren't ready, whether names aren't necessary at this point, or
whether people are too swamped with other work. The group agreed to work toward that goal as
soon as practical.
Jim suggested that a second list be created for testers and that the
campuses select which users should be subscribed to the appropriate
lists. The existing list would be for project management and broader
technical issues, while the second would be used for testers and interested
users. It wouldn't include overly technical information. A suggested name
was mw-smime-testers. SteveO reminded everyone that only people
subscribed to the list could post messages to the list. It was agreed
that both lists will be archived.
The previous action item concerning the email clients that should be used
during the trial was reiterated. SteveO asked that this AI be taken
offline and completed via emails sent to him and he will then compile a
list of clients.
A suggested day/time for the regular call schedule is every other Thursday at
2:30 PM EST, starting with the next call Mar. 28. SteveO will propose this
to the list for approval.
The delay in completing some of these action items is causing some concern,
so the discussion turned back to a reasonable deadline for these action
items to be completed. Phase I is to obtain certificates and find testers
to begin using the S/MIME technology and determine any interoperability
issues. A two-week timeframe to really get started was proposed. Jim asked
the participants in the call to start signing their mails to the list. A
list of freely available test CAs will be distributed. Alternatives include
Black Helicopter, UW-Madison, and CREN.
It was observed that signing-only certificates can cause problems for
Outlook, which cannot load signing-only certificates. Thus, most Outlook
users have given up and use one certificate for both functions.
It was brought up that people will want to recover encrypted documents from
the past or from users who are no longer available to open those
documents. Thus, later access to the encryption key could be more
important than the signing key. However, this discussion of S/MIME
encryption was saved for the next call.
Tim has a couple of testers using the free VeriSign certificates. Some are
longtime users of PGP for internal purposes. Eric inquired if VeriSign was
similar to Black Helicopter, which is a dependable certificate and can work
for testing purposes. He believed there was a certain amount of time that
the VeriSign certificate was usable, possibly 60 days. Tim responded that
he received a 365-day validity.
Tim described his experiment with OpenSSL. He posed as a root CA by making
root certificates and signing them. Next, he acted as if he were the
user. It worked and he got a user certificate. However, he never got any
farther because he was unable to find any client software that would work
with those certificates. He attempted to use Mozilla and import the
certificate. However, it asked for the password under which it was
exported. Tim tried all passwords, but could not get the process to
work. Jim believes that it should work fine. Eric hasn't had problems
using OpenSSL. Tim stated that he would continue his processes and
document the problems he encountered.
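The procedure Tim describes above (self-signed root, user certificate issued under it, export for import into a mail client) and the signing-only versus dual-use distinction in the Outlook note, as one added example. It is not part of these minutes and not any participant's own commands; it uses a throwaway CA, and the CA name, e-mail addresses, file names and export password are made up for the demo. It assumes an OpenSSL command line of version 1.1.1 or later on the path.

```shell
#!/bin/sh
# Added example (not from the minutes): a throwaway S/MIME test CA built with
# the OpenSSL command line. It issues one dual-use user certificate
# (digitalSignature + keyEncipherment) and one signing-only certificate, checks
# each against the S/MIME signing and encryption purposes, and exports the
# dual-use one as a password-protected PKCS#12 bundle for a mail client to
# import. All names, addresses and the export password below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXPORT_PASS="demo-export-password"   # assumed; the client asks for this on import

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root: CA:TRUE, certificate-signing key usage only.
make_root_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/O=Example Campus/CN=Example Campus S-MIME Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_user_cert <stem> <email> <keyUsage list>: end-entity cert with the
# emailProtection EKU and the e-mail address in subjectAltName.
issue_user_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  cat > "$WORK/$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, $3
extendedKeyUsage = emailProtection
subjectAltName = email:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  openssl x509 -req -days 365 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# key_usage_of <stem>: the key usage bits as printed by openssl, e.g.
# "DigitalSignature,KeyEncipherment" (spaces stripped).
key_usage_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | grep -A1 'X509v3 Key Usage' | tail -n 1 | tr -d ' '
}

# verify_for <stem> <smimesign|smimeencrypt>: chain validation plus the
# key-usage check for that purpose; exit status 0 if the cert is usable.
verify_for() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# export_p12 <stem>: key, certificate and root bundled into one PKCS#12 file,
# protected with EXPORT_PASS (the password the client asks for on import).
export_p12() {
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -certfile "$WORK/ca.crt" -name "$1" \
    -passout "pass:$EXPORT_PASS" -out "$WORK/$1.p12"
}

# p12_opens_with <stem> <password>: 0 if the bundle unlocks with that password.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

make_root_ca
issue_user_cert dual     alice@example.edu "digitalSignature, keyEncipherment"
issue_user_cert signonly bob@example.edu   "digitalSignature"
export_p12 dual
echo "dual-use key usage:     $(key_usage_of dual)"
echo "signing-only key usage: $(key_usage_of signonly)"
verify_for signonly smimeencrypt || echo "signing-only cert is not valid for smimeencrypt"
echo "PKCS#12 written to $WORK/dual.p12 (import password: $EXPORT_PASS)"
```

The password a client asks for when importing the .p12 file is the one given to `-passout` at export time, nothing else. Current OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which older mail clients cannot read; for those, add `-legacy` to the `openssl pkcs12 -export` command. Whether any particular 2002-era client accepts the result is not something the minutes establish.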
Eric suggested that everyone use certificates from different vendors, which
will allow them to document interoperability problems. Jim is using
the VeriSign certificates because he wants to ensure that the profile meets
the needs of all other clients. The two Outlooks and Netscape work
fine. There are not too many interoperability concerns with these two
software packages. It was recommended to choose PKI support so that
testing in many different environments is available.
There is a great deal of useful information on the HEPKI-TAG site:
http://middleware.internet2.edu/hepki-tag/
Eric heard rumors about upcoming S/MIME support in Evolution, the X-Windows-based
mail client for Linux. It is a good client; however, it doesn't
currently support S/MIME. Tim uses Linux most of the time, with the Mutt
text-based mail client, which works seamlessly with PGP.
S/MIME support is soon to be added. Neal said the extant Mutt patches were
for S/MIME version 2, and that may cause interoperability issues with
S/MIME version 3 clients. It was noted that users will want integration
with their address books, etc.
*Action Items*
1. [AI] 27-Feb-02 (All): collect and send names of initial testers to
SteveO (Note: assumption is that this group will consist primarily of
technical staff from the respective campuses) [Due by next call 28-Mar-02]
2. [AI] 27-Feb-02 (All): determine which e-mail client(s) you wish to test
initially on your campuses and send to the list (prioritized if
appropriate) for discussion. [Due by next call 28-Mar-02]
3. [AI] 27-Feb-02 (All): For those schools who already have their test or
production CAs set up now, send root certs to Jim to get into repository.
Others, when you are ready. [Due by next call 28-Mar-02]
4. [AI] 27-Feb-02 (All): If you have any existing in-house S/MIME client
docs that you are ready to share (beyond vendor-provided help files),
please send to the list. [Due by next call 28-Mar-02]
5. [AI] 27-Feb-02 (JimJ) mail out cert repository URL to the list [Due:
19-Mar-02]
6. [AI] 14-Mar-02 (SteveO) create new list for use by and for the testers,
separate from the conversation happening on this list. Users may
self-select and subscribe to either or both, and must be subscribed to send
to the list. Details will be sent out as soon as this list is setup. [Due
19-Mar-02]
7. [AI] 14-Mar-02 (JimJ) {Done} Send list of CAs that can be used on the
S/MIME project to the list.