*PKI Labs Conference Call*
October 21, 2003
*Attendees*
Neal McBurnett (convener) - Internet2
Sean Smith - Dartmouth
Steve Hanna - OASIS PKI Technical Committee / Sun
Yasir Ali - Sun
Krishna Sankar - Cisco
Bob Morgan - Washington
Carl Ellison - Microsoft
Frank Siebenlist - Argonne
Lisa Hogeboom - Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
The group approved the minutes of the previous meeting.
Steve Hanna gave an overview of the two surveys of PKI obstacles recently completed by the OASIS PKI Technical Committee (see http://www.oasis-open.org/committees/pki/pkiobstaclesjune2003surveyreport.pdf and http://www.oasis-open.org/committees/pki/pkiobstaclesaugust2003surveyreport.pdf). The PKI TC is the successor to the PKI Forum, but aims for a broader membership. The first of the surveys focused on identifying the most important applications for PKI; it received about 160 responses, almost all from people with hands-on experience with PKI. Most survey respondents were from North America and Europe. The second survey focused on identifying the most important obstacles to PKI deployment; it was sent only to respondents to the first survey, of whom about 30% responded. Steve noted that these 30% seemed fairly representative of the original respondents.
The top three applications for PKI were:
1. Document signing
2. Secure email
3. Electronic commerce
The top five obstacles to PKI deployment were:
1. Software applications don't support it
2. Costs too high
3. PKI poorly understood
4. Too much focus on technology, not enough on need
5. Poor interoperability
Other applications and obstacles were identified, but those listed above were clearly most important to the respondents. [AI] Steve will send out the long list of problems with PKI that the surveys were designed to prioritize.
Neal observed that code signing is currently the only commonly-used variety of document signing, and noted that one problem is that there are often different procedures for signing different types of documents. It was noted that the OASIS Open Office XML Format Technical Committee (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=office) is standardizing an XML format that will enable XML signatures for office documents.
Steve stressed that the PKI Action Plan being developed from the surveys is aimed not at the PKI TC but at the PKI community as a whole; the TC will recruit individuals and groups to work on various pieces, and coordinate these efforts. Steve is confident that such participation will be forthcoming -- "customers who now need to spend millions to hack apps to get them to work with PKI have a business case for helping implement the action plan." [On October 27 the draft PKI Action Plan was released for public review; see http://www.oasis-open.org/committees/pki/pkiactionplan.pdf.] [AI] All will review the draft PKI Action Plan and send comments to Steve. [AI] Steve will recruit OASIS PKI TC participants for a panel or BoF on the PKI Action Plan at the 3rd Annual PKI R&D Workshop. Steve also stressed that there's strong interest in open-source PKI and in setting up a free PKI for testing; his own view is that "PKI should be built into everything, free, like TCP/IP."
Neal, Steve, and Peter Honeyman have started circulating the CFP for the 3rd Annual PKI R&D Workshop (PKI04; http://middleware.internet2.edu/pki04/). [AI] Carl will send the PKI04 CFP to the SPKI and cryptography lists. [AI] Yasir will send the PKI04 CFP to the WSS, FKMS, XACML, SAML, and PKIX lists. [AI] Carl will send the PKI Labs list a query about paper-judging software, and look into what options are available.
Neal called the group's attention to the launch of PGP Universal (http://www.pgp.com/universal/). The underlying technology was presented by Jon Callas at PKI02 in his paper "Improving Message Security With a Self-Assembling PKI"; see http://middleware.internet2.edu/pki03/PKI03-proceedings.html. Bob Morgan observed that PGP Universal is just one example of a larger theme emerging in the peer-to-peer space: "just start to communicate, keys just happen, keep them for later use." Bob expects providing infrastructure support for such processes to be a major area of work over the next few years. Groove (http://www.groove.net/) and Chandler (http://www.osafoundation.org/) include such infrastructure; it would be useful to add something similar to gnutella (http://www.gnutella.com/), which underpins Penn State's LionShare (http://lionshare.its.psu.edu/).
Carl noted that he has left Intel for Microsoft, where he'll be working on access control. This work is primarily oriented to passwords and Kerberos, not PKI.
The group agreed to a slight change to the PKI Labs conference call schedule. Calls will still be on the third Tuesday of the month, but will start a half-hour earlier; thus the next call will begin at 3:30 PM Eastern time on November 18.
*Action Items*
[AI] Steve will send out the long list of problems with PKI that the surveys
were designed to prioritize.
[AI] All will review the draft PKI Action Plan and send comments to Steve.
[AI] Steve will recruit OASIS PKI TC participants for a panel or BoF on the PKI
Action Plan at the 3rd Annual PKI R&D Workshop.
[AI] Carl will send the PKI04 CFP to the SPKI and cryptography lists.
[AI] Yasir will send the PKI04 CFP to the WSS, FKMS, XACML, SAML, and PKIX
lists.
[AI] Carl will send the PKI Labs list a query about paper-judging software, and
look into what options are available.