Internet2 PKI Labs Conference Call, September 10, 2001

*PKI Labs Conference Call*
September 10, 2001

*Attendees*

Neal McBurnett (convener)

Ed Feustel - Dartmouth
Bob Brentrup - Dartmouth
Sean Smith - Dartmouth

Keith Hazelton - Wisconsin
Eric Norman - Wisconsin
Juanita Hung - Wisconsin
Todd Tannenbaum - Wisconsin

Steve Bellovin - AT&T
Bob Moskowitz - ICSA Labs/TruSecure
Peter Honeyman - Michigan
Ellen Vaughan - Internet2
Carl Ellison - Intel
Vishwa Prasad - AT&T

Ben Chinowsky (scribe) - Internet2

*Discussion*

The minutes of the previous meeting were approved without changes.

Ed observed that Microsoft seems to be getting rid of Netscape-style plugins in Internet Explorer; it was noted that CryptoAPI v2.0, unlike v1.0, does provide a certs-management interface. Ed asked about means of enabling servers to get information from client cert stores, and Peter referred the group to implementation experience discussed in a recent paper that Olga Kornievskaia presented at Usenix; see http://www.citi.umich.edu/techreports/reports/citi-tr-01-5.pdf. [AI] Ed will forward to the PKI Labs list information he sent HEPKI-TAG on the UT-Houston certs deployment.

Most of the call was devoted to issues raised by ongoing PKI Labs work at Dartmouth and Wisconsin. Dartmouth has just posted an update; see http://www.cs.dartmouth.edu/~pkilab/sep.shtml. Sean described Dartmouth's secure box office server project as "low-hanging fruit". Another recent focus has been figuring out how to get certs from LDAP servers to browsers in a useful format, confronting the user with appropriate questions but requiring them to do as little as possible. [AI] Eric will a) investigate and document a problem that Ed has encountered with using PKIUser objects to get certs from LDAP directories (what the user sees in the retrieved cert is only a fingerprint, not cert details), and b) send Ed information on his experience with cert retrieval using Internet Explorer. Ed stressed the importance of making this process as painless as possible: "The average student isn't going to spend more than ten minutes figuring out how to get the certs."

Todd outlined work that the Condor group at Wisconsin is doing with certs in the Grid Security Infrastructure. In particular, they are working on the creation and management of proxy certs for batch processing; see http://www.cs.wisc.edu/pkilab/condor/. Todd said that they are tending toward a Kerberos-like approach; [AI] Peter will send Todd references to his work on Kerberos/PKI integration. Bob Morgan pointed out that this is a manifestation of the more general long-running-job problem, which has been worked on for years, and Todd noted that "as we use it more and more, the same old problems get revisited". Ed touched on the same back-to-the-future theme in reference to Sean's work on spoofing requests for passwords as a means of attacking the key store: "it's amazing how many things from the Orange Book come back to haunt us." [See http://www.dynamoo.com/orange/.] Juanita reported that the Wisconsin secure email usability study is "on the brink of getting human subjects"; they are hoping to start issuing certs on September 24. This project is experiencing some interoperability problems; in this connection Ed noted that Dartmouth is considering phasing in use of a single email client for everyone, and Bob Morgan argued that "you will lose" if you require people to change their email clients.

The group briefly revisited the JPEGs-in-certs issue raised on the last call. Bob Morgan noted that while the original proposal in question did include pictures of individuals, the proposal as approved is limited to logotypes; see http://www.ietf.org/internet-drafts/draft-ietf-pkix-logotypes-00.txt. Bob writes that "The idea is that corporate identities as dealt with by the public are more about specific visuals than about text: the Coca-Cola script, the golden arches, etc. So certs should be able to have secure images (actually just the hashes) in them, just as business cards and letterhead have corporate logos. And it would mostly be issuers who would have these, not end-entities, especially not human users."

Finally Eric asked if anyone knew of a software equivalent to Sean's work on secure coprocessors, that is, a software approach to the problem of how to do trusted computation on a non-trusted machine. Carl said that the main problem here is that an entropy source is needed, and software can't create entropy. Sean pointed to the work of Cybenko at Dartmouth, but noted that this is still "a pretty theoretical area". [AI] Eric will work on making his demo cert-issuing site more widely available.

The PKI Labs conference has been rescheduled, tentatively for April 24-25; watch http://www.cs.dartmouth.edu/~pki02/ for details. The next PKI Labs call will be at 2pm EDT on October 15.

*Action Items*

[AI] 10-September-2001 - Ed will forward to the PKI Labs list information he sent HEPKI-TAG on the UT-Houston certs deployment.
[AI] 10-September-2001 - Eric will a) investigate and document a problem that Ed has encountered with using PKIUser objects to get certs from LDAP directories (what the user sees in the retrieved cert is only a fingerprint, not cert details), and b) send Ed information on his experience with cert retrieval using Internet Explorer.
[AI] 10-September-2001 - Peter will send Todd references to his work on Kerberos/PKI integration.
[AI] 10-September-2001 - Eric will work on making his demo cert-issuing site more widely available.
[AI] 13-August - Eric will put Carl in touch with someone he knows who's working on an access control project for the Swedish Army.
[AI] 13-August - Carl will send the list information on a new cert generator project.
[AI] 13-August - Bob Moskowitz will forward Ken email on PKI work at Fannie Mae.
[AI] 13-August - All will send Ken any information they have on organizations that might be interested in participating in the PKI Research Conference.
[AI] 16-July - As soon as he is able, Ken will issue a call for submissions for the PKI conference.
[AI] 4-June - Bob Moskowitz will send the list information on Federal work related to attribute certs.
[AI] 4-June - Ken will ask Rich Guida, Jeff Schiller, Stefan Brands, Peter Alterman, and Tim Polk to serve on the program committee.
[AI] 4-June - Keith will ask Larry Landweber to serve on the program committee.
[AI] 4-June - Keith will have the grad student maintaining the Wisconsin PKI Lab web site notify Dartmouth when the site is updated.
[AI] 4-June - Keith will organize a joint Shibboleth/PKI Labs conference call to talk about overlap and cooperation between the two projects.