*PKI Labs Conference Call*
July 15, 2003

*Attendees*

Neal McBurnett (convener) - Internet2
Sean Smith - Dartmouth
Jeff Schiller - MIT
Nelson Hastings - NIST
Carl Ellison - Intel
Krishna Sankar - Cisco
Lisa Hogeboom - Internet2
Ben Chinowsky (scribe) - Internet2

*Discussion*

The minutes of the previous meeting were approved without changes.

Informational items:
- Sean called the group's attention to a Bugtraq discussion of borderless popup windows being used to spoof Internet Explorer; the attack resembles one being investigated in the web spoofing work at Dartmouth. See http://www.securityfocus.com/archive/1/329014/2003-07-11/2003-07-17/1 for details.
- Sean noted that universities are starting to get letters from lawyers for Acacia Media, claiming that the universities' use of streaming video to put courses online infringes Acacia's patents. [Background: http://news.com.com/2100-1023_3-983552.html]
- In recent work with Jesse Walker, Carl has been applying analytical tools to human interactions ("ceremonies") as components of security protocols. Carl presented this work for the first time at a recent summer institute (http://research.microsoft.com/projects/SWSecInstitute/), and is working on a writeup.
- Jeff has been looking into the identity-based encryption (IBE) system developed by Voltage Security (see http://www.voltage.com/technology/ibe.htm). While recognizing the advantage provided by IBE's ability to send encrypted mail without prior contact, Jeff noted that Voltage provides no nonrepudiation whatsoever, and that authentication to the key server, which knows all the private keys, is left as "a local matter". There are different ways to do IBE that may mitigate these problems; [AI] Jeff will forward email giving more of his thoughts on IBE. Carl observed that because IBE lets you generate a public key for anyone in the world, name collisions are likely to be a problem.

The group discussed plans for next year's PKI Research Workshop (PKI04). Krishna has agreed to chair. There is general agreement that the most interesting papers in previous workshops have been those concerned with real-world deployments; Sean suggested that PKI04 try to build on these successes by pursuing a more practice-oriented emphasis, like the PKC workshop series (http://www.ipkc.org/). On the other hand, Neal pointed out that we want to keep PKI04 a research workshop, not make it into a showcase for "incremental improvements." Carl expressed concern that the workshop not "degenerate into an X.509 discussion group," and suggested describing the subject of the workshop as "all authentication and authorization using public key cryptography." Carl also suggested including a security analysis of federated identity, comparing it to the various individual identity systems it is being put forward to replace. [AI] Krishna, Neal, Sean, Jeff, and Carl will serve on the PKI04 program committee and recruit others to do likewise. [AI] Krishna will draft a Call For Papers for PKI04. [AI] Neal will look into getting IFIP TC8 as a PKI04 co-sponsor. [AI] Krishna will look into getting Sun and OASIS as PKI04 co-sponsors.

Finally, the group agreed to a new schedule for PKI Labs calls: 4:00 PM Eastern time on the third Tuesday of each month. Accordingly, the next call will take place at 4:00 PM Eastern on August 19.

*Action Items*

[AI] Jeff will forward email giving more of his thoughts on IBE.
[AI] Krishna, Neal, Sean, Jeff, and Carl will serve on the PKI04 program committee and recruit others to do likewise.
[AI] Krishna will draft a Call For Papers for PKI04.
[AI] Neal will look into getting IFIP TC8 as a PKI04 co-sponsor.
[AI] Krishna will look into getting Sun and OASIS as PKI04 co-sponsors.