S/MIME Conference Call
April 11, 2002

*Attendees*

Andrew Newman - Yale
Morrow Long - Yale
Gary Chapman - NYU
Steve Wadlow - Tufts
Chris Misra - U. Mass
Jim Jokl - Virginia (Co-Chair)
Steve Olshansky - Internet2
Renee Frost - Internet2
Eric Norman - UW-Madison
Michelle Gildea - CREN
Brent Zionic - scribe

*Discussion*

   We began with the Monday May 6th 3-5pm S/MIME session at the 
Internet2 Spring Member meeting in Arlington, VA.   Renee pointed out that 
the entire schedule is up on the Internet2 web site now.

   Next we discussed ideas for the user FAQ.  During the course of this 
discussion, Jim tried to determine who the audience for the FAQ is going to 
be.  Should it be targeted to the initial set of testers, or for a more 
general overall audience?  Most people submitted that it should be for 
both.  The brainstorming session produced the following suggested topics:

1. S/MIME v. PGP.
Strengths and weaknesses... How can we differentiate these? Perhaps by 
saying PGP is more appropriate for individual use, focuses more on personal 
attributes that are shared between individuals, no hierarchical trust model.

S/MIME is better suited for an organizational deployment, utilizes some 
Certificate Authority environment where you rely on out-of-band signings. 
(However, Eric pointed out that PGP also has a commercial version of their 
product -- but it is not free.) Also, some people reported scalability 
problems with PGP. It should also be mentioned that S/MIME-capable clients 
are already widely deployed.

2. How does S/MIME relate to HIPAA? Several medical centers are considering 
S/MIME (SteveO: can we verify this?). Additional issues related to 
non-repudiation (i.e. in the context of malpractice complaints), practical 
usage for clinician-patient communications.

3. Risks - Encryption, key escrow, (more)

4. "S/MIME Cookbook." (Later)
For instance, this may include a method or flow document describing how to 
get encryption keys and so on. It might also include a phased approach on 
how to design for implementation. Eric Norman pointed out that this might 
help testing centers get up to speed more quickly. Michelle noted that CREN 
has a similar "cookbook" (Guidebook for Content to Digital Access Pilot) 
underway, and will notify the list when it is ready for review.

5. Getting started - for testers (campus-based to start)
- What are the components of S/MIME?
- What is the difference between encrypted and signed messages?
- How to get a cert

6. S/MIME use for mailing lists.

7. How to get started with S/MIME
This could address the incorrect assumptions about how signed and encrypted 
messages work, or what the requirements are. Are there required commercial 
components or proprietary technologies, or services offered by certain 
companies that are required? Or can you "roll your own"? OpenSSL v. Cert 
Mgmt packages. Support concerns if not using commercial products.

8. Export restrictions
What are the right clients to be using in order to address export 
restriction issues?

   Everyone was encouraged to contribute more ideas for the FAQ or to 
donate some time to attempt writing up entries.  A large part of the call 
focused on this brainstorming and question of audience.

   Jim ended the call with an open question on how to speed up the 
implementations.  He wondered whether the lack of user documentation and 
the FAQ, or the lack of resources, is the reason for the slow 
progress to date.  Suggestions and ideas were solicited for discussion on 
the list.

*New Action Items*

1. [AI] 11-Apr-02 (Eric Norman): Take a look at the PGP plug-in for Eudora and
see if it can be used.  SteveO can help in looking for the source code
at MIT, and Steve Wadlow has contacts at MIT who might be able to help.

2. [AI] 11-Apr-02 (All): Each site will work to determine the minimum 
requirements needed to move forward with deployment. (Note: the goal is to work 
toward overcoming roadblocks, and to help each other if at all possible.)

*Old Action Items*

1. [AI] 28-Mar-02 (All): Reach consensus ASAP re: sending and receiving 
encrypted messages to the lists, so we can add it to the FAQ that is being 
compiled for the testers.
         Ongoing.

2. [AI] 28-Mar-02 (All): continue to consider recommendations for Phase II 
applications
         Ongoing.

3. [AI] 28-Mar-02 (Michelle): contact WorldTalk/Tumbleweed to discuss 
open-sourcing Eudora S/MIME plugin.
         Michelle spoke with them and is waiting to get a response.

4. [AI] 28-Mar-02 (All): send suggested links for the S/MIME webpage to SteveO

5. [AI] 28-Mar-02 (SteveO, Jim, Bob, TBD): compile FAQ for website 
(Volunteers welcome and encouraged, contact SteveO)
         Ongoing.

6. [AI] 27-Feb-02 (All): collect and send names of initial testers (still 
in progress, many have not responded yet)
         Still waiting -- some institutions are just getting to this now.

7. [AI] 27-Feb-02 (All): determine which e-mail client(s) you wish to test
         Still in progress, many have not responded yet.

8. [AI] 27-Feb-02 (All): For those schools who already have their test or 
production CAs set up now, send root certs to Jim to get into repository if 
you have not already done so.

9. [AI] 27-Feb-02 (All): Send to list if you have any existing in-house 
S/MIME client docs that you are ready to share. Be sure to note if you are 
comfortable sharing this information on the Web.