*PKI Labs Conference Call*
November 11, 2002
*Attendees*
Neal McBurnett (convener) - Internet2
Stefan Brands - Credentica
Carl Ellison - Intel
Eric Norman - Wisconsin
Bob Morgan - Washington
Lisa Hogeboom - Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
This call was devoted to the current status of, and possible next steps for,
Stefan Brands' work on Digital Credentials. Stefan pointed the group
to several of his writings on how Digital Credentials work and why they are
needed:
- Rethinking Public Key Infrastructures and Digital Certificates: Building
in Privacy, an in-depth technical treatise that began life as Stefan's
Ph.D. thesis. See http://www.credentica.com/technology/book.html
- a much shorter technical overview:
http://www.credentica.com/technology/overview.pdf
- a non-technical introduction:
http://www.ercim.org/publication/Ercim_News/enw49/brands.html
- an architectural overview of Credentica's Credential Management Platform:
http://ls6-www.cs.uni-dortmund.de/issi/cred_ws/papers/brands.pdf
- "Secure Access Management: Trends, Drivers, and Solutions", included in
the October 2002 Elsevier Information Security Technical Report, explains
how Credentica views the market for Digital Credentials.
Stefan noted that his work is strongly inspired by David Chaum's work in the 1980s.
Stefan joined Zero-Knowledge Systems in February 2000 in hopes of implementing the ideas set out in his book, but the market crash two months later meant that his approach never got out of research. He left Zero-Knowledge in August 2001; most of the people he worked with there left also, and in January of this year he got together with three of them to form Credentica.
Stefan's criticisms of X.509 are at the level of cryptographic fundamentals rather than PKI architectures. X.509 was developed for identity certs for person-to-person encryption, and while it might be possible to extend X.509 for single-domain access management, X.509 certs are not appropriate for access management across multiple domains. Credentica's focus is on digital access management across multiple trust domains.
Stefan observed that while there is a lot of awareness of what Digital Credentials can do, this awareness is mostly limited to the technical and privacy/legislative communities. All the patents are in Stefan's hands; he acknowledged that he gets criticism for this, but pointed out that without controlling the patents he can't get the venture capital he needs to work on getting the technology implemented in the real world, which is now his central concern. Stefan stressed that he is open to suggestions on furthering real-world deployment, and that he has no problem with making the technology available for free under specified conditions, at least for academics. Credentica is aware that there is a need to get larger forces involved in pushing this technology; they want to "work with bigger organizations in a way that makes sense for everybody, and try to do the right thing." Credentica is currently exploring a pilot phase with various local governments in the context of e-government; this looks to be a slow but steady deployment path.
Bob noted that the Shibboleth project has gotten a lot of interest from libraries; there was general agreement that Digital Credentials and Shibboleth attempt to address some of the same privacy and security concerns. Credentica is very interested in doing pilot projects along the lines of Shibboleth's work with the libraries. A Digital Credentials toolkit is currently in alpha. Mike Rosing at Wisconsin and Sean Smith's group at Dartmouth were suggested as likely collaborators in piloting Digital Credentials.
Bob also observed that Digital Credentials are unlikely to make headway in communities he's familiar with unless the technology is standardized. There was general agreement that IETF, rather than IEEE or ITU, is likely to be the best forum for standardization, though this would require turning Digital Credentials into a protocol. Carl urged Stefan to adopt "the SSH model: give it away, people love and adopt it, then standardize" -- but, given Stefan's patent concerns, to give it away only for specified applications. Stefan expressed interest in pursuing this approach, with digital rights management as the application. [AI] Stefan will contact John Ericson of HP to explore the possibility of standardizing Digital Credentials in IETF.
The next PKI Labs meeting will take place on December 9 at 4:00 PM Eastern, per the regular schedule.
*Action Item*
[AI] Stefan will contact John Ericson of HP to explore the possibility of standardizing Digital Credentials in IETF.