*Internet2 PKI Labs Conference Call*
July 16, 2001

*Attendees*

Neal McBurnett (convener) - Avaya

Bob Brentrup - Dartmouth
Ed Feustel - Dartmouth
Sean Smith - Dartmouth

Todd Tannenbaum - Wisconsin
Keith Hazelton - Wisconsin
Eric Norman - Wisconsin
Ryan Muldoon - Wisconsin

Olga Kornievskaia - Michigan
Bob Moskowitz - ICSA Labs/TruSecure
Bob Morgan - Washington
Renee Frost - Michigan/Internet2
Vishwa Prasad - AT&T
Steve Bellovin - AT&T
Carl Ellison - Intel

Nate Klingenstein (scribe) - Internet2

*Discussion*

- PKI, lightweight substitutes, and the Web -

If PKI is slow to evolve, what large-scale authentication scheme will take its place in implementations? SOAP, UDDI, IPsec, and XML-DSig are all buzzwords in a list of popular security solutions from which PKI is conspicuously absent. The group considered the relative strengths and weaknesses of these protocols and why they had been more successful than PKI. Bob, "having seen flame wars gone by on several fronts," observed that the major current distinction is between "people who think intermediaries twiddling with data along the path is necessary or good, and people who think that's the path of chaos and damnation."

Steve took a "purely mercenary view," arguing strongly that there is no likelihood that any end-to-end trust relationship such as PKI will become popular soon. IPsec is capable of end-to-end encryption, but this is not widely implemented due to difficulties in routing and firewall issues, and the "bottom line is that...IPsec pki is lowercase, not uppercase." He noted that 75% of backbone content is web traffic, and that running HTTPS instead of HTTP is roughly 12-15 times more expensive for the operator of a web server when cycles and bandwidth are calculated. While there are processor cards expressly designed for HTTPS, this is an additional cost as well. Steve also noted that much of web traffic is very promiscuous, making usage of certificates too difficult for such brief exchanges. To his thinking, if there is any web space in which security can flourish, it will be sensitive information between recurring customers.

- institutional updates -

Keith has talked about PKI with the University of Texas, which has attempted to go quite a ways toward implementation. [AI] He will bring in representatives for a Q&A session on a future call. While it was observed that several universities had initially expressed interest, there is little visible activity. Ed mentioned that Georgia State University, the University of Virginia, and Princeton University are all moving forward.

Dartmouth University's web spoofing research group (http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/) has issued a draft technical report discussing techniques tried and relative successes. The Dartmouth contingent reported that they have been successful in forging virtually all the indications common browsers give that the user is accessing a particular site through SSL: "the lock becomes locked, the security button gives you security information, the SSL box comes out, and the name appears in the location box." They also indicated that the forgery was not difficult to perform once it was figured out. It is primarily performed by using the browser to pop open a new JavaScript window from an existing browser window, because the browser window includes more security controls. Given the precept that unsigned scripts are disallowed, creating an editable location line was difficult because a convincing forgery here depends on font size preferences or a static image.

Keith introduced the effort at Wisconsin to develop policy language snippets capable of performing cryptographic operations as the "jam on the sandwich between Prolog and Java cryptographic libraries." They have recently debated the level of detail a policy language should operate at: must everything be explicit down to strings to be encrypted with specific standards, or is there a higher-level concept that is sufficiently granular? The Wisconsin group has crafted several scenarios to begin answering these questions. More detailed operations, such as giving permission to two of three objects, are currently challenging the effort.

Eric has been fiddling with various implementations of S/MIME, attempting to make queries to standard X.500 directories to fetch appropriate public key certificates. Typical browsers and clients can already query the directory for generic name and similar information. Eric has initially found that these clients perform the query for PKCs fairly well, "but when it doesn't, it's very messy." It appears as though a very specific directory schema is needed to make this functionality work. [AI] Eric will forward examples that have and haven't worked, and will attempt to at least document these efforts in a tech report.

The PKI Labs group is also interested in the language users will be presented with; the business policy level is clearly most desirable, but connecting this to lower levels is challenging. A policy language is well understood for IPsec but is relatively low-level for most users. OASIS has developed many scenarios but aims at the basic level as well.

- PKI conference planning -

A large PKI conference hosted by NIST and Internet2 has been planned for February 20-21 in Gaithersburg, Maryland. There is a large confirmed program committee, which Steve was convinced to join on the call. Rich Guida of the Treasury Department has been asked to chair the conference but has not yet responded. The scope of the conference is intended to be fairly broad, addressing PKI, policy languages, SPKI, and other non-X.509 interests within the PKI realm. There are appropriate funds for facilities, meals, and invited speakers, and possibly travel monies for academic participants.

The group discussed the advantages and drawbacks of different publication and solicitation methods to increase the impact of the conference, a primary concern of NIST. The traditional mechanism is to submit a paper to one conference at a time and later publish it, significantly revised, in a journal, in sequential fashion. A call for papers was decided upon as the proper mechanism, with panel proposals permissible for participants from industry. If there is a previously published paper appropriate for the conference, it will be made an invited talk; works in progress will be discussed as well. [AI] Ken projected issuing a call for submissions on September 1 with responses due on November 1, but, given the tight time frame for the conference, he will try to issue this solicitation sooner. The group also deemed it legitimate and appropriate to warn specific researchers ahead of time to energize people and get appropriate workers. There is a vast amount of similar work occurring overseas, making it crucial to ensure that this call reaches analogous European communities.

The group will at least set up a web site to record the proceedings. NIST would be happy to issue a special publication for the conference, since the group was unable to think of a journal that would be appropriate. [AI] Peter Honeyman of the University of Michigan will be asked whether he is aware of any existing publications interested in hosting these papers.

*Action Items*

[AI] Keith will bring in representatives from the PKI effort at the University of Texas for a Q&A session on a future call.
[AI] Eric will forward examples of directory schemas that have been successful or failed with S/MIME implementations' queries for PKCs, and will attempt to document these results in a tech report.
[AI] As soon as he is able, Ken will issue a call for submissions for the PKI conference on February 20-21.
[AI] Peter Honeyman of the University of Michigan will be asked whether he is aware of any existing publications interested in publishing the proceedings of the PKI conference.