PKI Labs Conference Call, September 16, 2003

*PKI Labs Conference Call*
September 16, 2003

*Attendees*

Neal McBurnett (convener) - Internet2

Sean Smith - Dartmouth

Krishna Sankar - Cisco
Olga Kornievskaia - Michigan
Frank Siebenlist - Argonne National Laboratory
Lisa Hogeboom - Internet2

Ben Chinowsky (scribe) - Internet2

*Discussion*

The minutes of the previous meeting were approved without changes.

Sean observed that several browsers, including Safari and Internet Explorer, have problems with client SSL certs on Mac OS X; this has become an issue at Dartmouth, where a substantial fraction of casual users use OS X. Neal noted that Mozilla appears not to share these problems. Shawn Geddis of Apple was on a recent HEPKI-TAG call (http://www.educause.edu/hepki/tag_minutes/2003-8-27.html); he says there's a lot that can be done to address these problems through the OS X CLI. [AI] Sean will follow up on OS X browser issues with Shawn Geddis, and let the group know the resolution.

Sean gave a brief Dartmouth update. Freshmen are arriving; all the Macs that students are getting have the dartmouth CA root preinstalled. With certs expiring every week, getting CRLs working has been a priority; after a month of debugging this has finally been accomplished. They've also gotten a few hundred requests for entirely new certs.

Frank gave an update on authZ in the Globus Toolkit. The current version uses XACML 1.1, which is geared to central web server access control and has no support for delegation. They want to go to XACML 2.0 in the next release of the Toolkit, using it to build delegation support into the runtimes of both clients and servers, supporting delegation with signed policy statements, and getting rid of proxy certs. The hope is that 90% of authZ checks can be handled by the Toolkit runtimes, taking most of the load off the applications. Frank is on the XACML technical committee and estimates that XACML 2.0 is about a year off. [AI] Frank will send the list documentation of his Globus authZ work. Frank is interested in presenting this work as a paper at PKI04, perhaps as part of a forum on how to do authZ right.

Frank also noted that there's been a renewal of interest in strong password authN, given the concern that policies won't allow long-term key storage on machines. Most password systems are "bolted on at the end"; Globus would like to identify a standard for strong password authN and build it into the Toolkit. There is also growing interest in finding a way to quantify the strength of various types of security assertions and "how they add up" for those that have to use them. [AI] Frank will send out some pointers on security-assertions measurement.

Krishna gave an overview of discussions at the recent Security at Line Speed Workshop (SALS; http://apps.internet2.edu/sals/). There was general agreement that security is lagging beyind other developments, and lots of discussion about what level authZ should take place on. The emphasis was on packet-level infrastructural discussion; there was not much discussion of PKI or of security at the application level. Krishna suggested that PKI04 include a discussion of the implications of the SALS results for security at higher layers. A white paper detailing results from SALS is to be presented at the Internet2 Fall Member Meeting.

Sean reported that there has been much lively Slashdot discussion of Bear (http://www.cs.dartmouth.edu/~sws/abstracts/msmw03.shtml). Unfortunately much of this discussion has consisted of comments along the lines of "TCPA is evil, so you are too", and responses to these comments. Not many people seem to be taking a close look at the code and making thoughtful criticisms, though Sean and other members of the Bear team have been responding to some of those who have. The group briefly discussed various problems with Bear, TCPA, and Palladium, centering on the need to prevent them from being used as "Big Brother". [AI] Sean will send the list his thoughts on how currently-available trusted platform modules could be used for attestation/outbound authentication. [See also http://www.cs.dartmouth.edu/~sws/abstracts/mswm03.shtml.]

Miscellaneous:
- Neal noted the controversy brewing over VeriSign putting wildcards in its DNS root server. [See http://www.internetnews.com/xSP/article.php/3080811 for more on this.]
- Neal recommended a paper by Clay Shirky called "A Group Is Its Own Worst Enemy". The paper discusses social software on the Internet, explains how face-to-face and Internet groups interact, and talks about the need for handles and reputations. See http://www.shirky.com/writings/group_enemy.html.

The next PKI Labs call will take place at 4:00 PM Eastern on Tuesday, October 21, per the regular third-Tuesday schedule.

*Action Items*

[AI] Sean will follow up on OS X browser issues with Shawn Geddis, and let the group know the resolution.
[AI] Frank will send the list documentation of his Globus authZ work.
[AI] Frank will send out some pointers on security-assertions measurement.
[AI] Sean will look further into current trusted-computing issues and send the list a summary of his thoughts.