*PKI Labs Conference Call*
August 19, 2003
*Attendees*
Neal McBurnett (convener) - Internet2
Olga Kornievskaia - Michigan
Peter Alterman - NIH
Carl Ellison - Intel
Bill Burr - NIST
Nelson Hastings - NIST
Jeff Schiller - MIT
Ben Chinowsky (scribe) - Internet2
*Discussion*
The minutes of the previous meeting were approved without changes.
The group discussed the wording of the announcement for next year's PKI research workshop (PKI04; http://middleware.internet2.edu/pki04/). Neal has incorporated the results of this discussion into the draft PKI04 announcement. There was general agreement that the priorities for PKI04 planning are: finalizing program committee membership, finding sponsors, getting the announcement and CFP out early, and working our contacts to ensure that we get good papers.
The group reviewed the OASIS PKI TC survey of obstacles to PKI deployment (http://www.oasis-open.org/committees/pki/pkiobstaclesjune2003surveyreport.pdf). Neal observed that the survey reveals no one big central obstacle, but several obstacles, each of which is seen as a big problem by 40-50% of respondents; which is worst depends on the specifics of the implementation. Jeff pointed out that one major obstacle to PKI deployment -- the fact that people find username/password authentication much easier than any of the alternatives -- is largely determined by what they are used to. If people learned using an access token as a basic part of computer literacy, as they currently learn to use passwords, access tokens would seem just as easy and natural as passwords. A universal interface would also help a lot; this has been key to the success of ATMs. Neal noted that user-interface issues are not mentioned at all in the OASIS report.
The European PKI Challenge has also recently released documents surveying problems and offering guidance for PKI deployment; see https://www.eema.org/pki-challenge/.
Carl noted that draft UPnP security specs are now available at http://www.upnp.org/draftspecs/; comments and criticisms are welcome. Carl was calling in from Crypto 2003 (http://www.iacr.org/conferences/crypto2003/) and reported that Matt Blaze had presented his controversial work applying cryptography to locksmithing; see http://www.crypto.com/masterkey.html.
Bill Burr has been working on a companion piece to the Draft E-Authentication Policy for Federal Agencies, originally published in the July 11 Federal Register (see http://www.estrategy.gov/eapolicydraft.cfm). Areas he's looking at include password entropy (see slides at http://csrc.nist.gov/pki/twg/y2003/presentations/twg-03-05.pdf), defining authentication levels for general (rather than just Federal) use, the role of SPEKE and EKE, and authentication via questions to which (theoretically) only one person knows the answer. Bill noted that this work has sparked keen interest from all quarters. Bill expects the draft to be available for internal Government review in September, and to be posted on the NIST web site by November.
The next PKI Labs call will take place at 4:00 PM Eastern on September 16, per the new third-Tuesday schedule.