*PKI Labs Conference Call*
November 18, 2003

*Attendees*

Neal McBurnett (convener) - Internet2
Carl Ellison - Microsoft
Lisa Hogeboom - Internet2
Ben Chinowsky (scribe) - Internet2

*Discussion*

Neal noted that Windows XP automatically and silently installs any Microsoft-trusted root certs as needed; see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp. Neal is concerned that this means that "all vanilla PKI software on XP implicitly trusts what Microsoft trusts", and wants to know how to turn this behavior off. On the other hand, Carl argued in favor of this approach: "I'd bet that the users they're talking to don't even know what certs are and don't want to be asked about it; I think that attitude is completely correct. If you tell people about certs, they're not going to make the right decisions anyway. That leaves us with the problem of how to make security work when the word 'certificate' is never used."

Carl has been getting involved with XrML, and is trying to get some of the XrML people at Microsoft to do a paper on it for the next PKI Research Workshop. Carl noted that while XrMLv1 was narrowly focused on specifying rights to Hollywood content, XrMLv2 is intended for all varieties of distributed authZ, and is shaping up to be even more expressive than SPKI/SDSI. XrML is used for Microsoft Rights Management Services, which is a mechanism for protecting your content when you send it out to others. XrML is an ISO standard, so anyone can create code using it; see http://www.xrml.org for references. [AI] Carl will present XrML in more detail on a future call, or bring a guest to do so.

Carl noted that at the recent Microsoft Professional Developers Conference he'd had an opportunity to defend the "credit-card model" for dealing with the possibility of private-key compromise. According to this model, nonrepudiation is bad; rather, the right to repudiate transactions, as with a credit card, must be guaranteed before PKI will see broad use. Carl noted that his comments provoked "uproar, but no good arguments against what I was saying." Carl doesn't know of any paper that develops the credit-card model in detail, but he's interested in finding a graduate student to write one.

Neal noted that the Grid proxy-cert I-D (draft-ietf-pkix-proxy-09.txt) is now in last call. [draft-ietf-pkix-proxy-10.txt was approved as a Proposed Standard on Jan. 8; see http://www.mail-archive.com/ietf-pkix@imc.org/msg00066.html.]

Finally, Neal stressed the importance of announcing topics for PKI Labs conference calls well in advance in order to get better turnout. [AI] All will send Neal suggested topics for discussion on PKI Labs conference calls.

*Action Items*

[AI] Carl will present XrML in more detail on a future call, or bring a guest to do so.
[AI] All will send Neal suggested topics for discussion on PKI Labs conference calls.