*Internet2 PKI Labs Conference Call*
June 4, 2001
*Attendees*
Neal McBurnett (convener) - Avaya
Bob Brentrup - Dartmouth
Ed Feustel - Dartmouth
Sean Smith - Dartmouth
Keith Hazelton - Wisconsin
Eric Norman - Wisconsin
Carl Ellison - Intel
Renee Frost - Michigan/Internet2
Ellen Vaughan - Internet2
Olga Kornievskaia - Michigan
Bob Moskowitz - ICSA Labs/TruSecure
Cliff Neuman - ISI
Steve Bellovin - AT&T
Bob Morgan - Washington
Ken Klingenstein - Colorado/Internet2
Ben Chinowsky (scribe) - Internet2
*Discussion*
The meeting opened with suggestions for summer reading. For PKI Labs participants interested in pursuing collaboration under the NSF MWIR solicitation, Ed recommended the DARPA Dynamic Coalitions site, especially the presentations by Seamons, Shands, and Winsborough available from http://www.darpa.mil/ito/research/dc/meetings.html. For those interested in policy questions, Eric recommended "The Digital Dilemma", available in both paper and electronic versions at http://www4.nas.edu/cpsma/cstb.nsf/web/pub_digitaldilemma?OpenDocument.
After approving the minutes of the last two meetings, the group discussed the ongoing general pullback from PKI. Carl reported that in a recent meeting with a very large software company that's built a lot of cert stuff into its software, he learned that this company is now modifying much of its software to go back to using passwords. The reasons the company representatives gave for this were not only that people complain about the cert stuff, but also that a recent survey had found that the percentage of IT leaders planning to implement PKI has dropped to 15%. There was general agreement that PKI vendors are having a bad year; Keith noted that there is an increased focus on making money from PKI. Ed has been looking into the state of PKI projects in the universities; among those who were talking at the start of 2000 about implementing PKI, he found *no* updates this year. Ed's overall sense is that people have suspended their plans and are waiting to see what happens; he conjectured that a successful demonstration on a larger scale than MIT's will be necessary to "break the logjam". [AI] Keith will see what he can find out about the status of the U. of Texas PKI project. Eric and Ken explained that Texas chose VeriSign as its cert provider in order to deal with state law constraints; they are required to conform to FIPS level 140-3, which couldn't be met by campus cert issuers. Ken noted that nothing seems to be happening in the PKIForum or ECCC either. Carl noted his corporate interlocutors' claim that PKI offers no more value than passwords; this provoked a discussion of the near-ubiquity of manual password synchronization -- very bad practice though it is -- as a stand-in for the single sign-on, or at least fewer sign-ons, that PKI could offer.
There are a few bright spots, though. Spyrus is bringing out an attribute cert project, and they want to work with the PKI Labs. [AI] Bob Moskowitz will send the list information on Federal work related to attribute certs. The recent FBCA demo was very impressive. Ed noted that XML and SOAP seem to be where the momentum is, and Bob Moskowitz noted that progress is being made on doing secure mail with XML.
Ken reported that Tim Polk and Peter Alterman are enthusiastic about the PKI
Labs workshop; NIST will host the workshop, and the Labs will choose the
dates. The workshop will concentrate on longer-term issues of relevance to a
broad public-sector PKI, including non-X.509-based approaches. Several ideas
were discussed in this connection:
- Sean pointed to PKI's "recurring pattern of big ideas not implemented",
and Ed suggested that the workshop encourage presentations demonstrating big
ideas working in a controlled environment.
- Carl outlined two approaches to PKI's name problem. Using SDSI and local
names is the better-understood of the two. Carl noted that the real work
here is in getting the key verified; this is a human process that cannot be
delegated. The other approach is to model the identification process on the process
that humans go through to establish identity, accumulating evidence that
goes toward establishing identity without ever saying "it's established",
and making use of an error-correcting protocol after the fact. In this
approach, the key question is "what do I trust this person to do or be?"
This second approach is less well understood; Carl is interested in doing
research on it, but he needs a social-psychologist partner. The idea of
having computers do certain things the way humans do them, or just having
the humans keep doing them, seems to be in the air lately. Bob Morgan has
been reading *The Social Life of Information* (http://www.slofi.com/); one
of its major themes is the inescapable need for human interaction in
addressing the problem of information overload. Ed noted that this year's
New Security Paradigms Workshop (http://www.nspw.org/) will include a
session on using existing business processes to specify roles for RBAC.
- The group agreed that the PKI Labs workshop should include a forum on
attributes and authorization in competing approaches such as SPKI and SAML.
Each camp will have 20 minutes or so to present its approach; this will be
followed by an hour of moderated discussion.
- Ed said that he'd like to see a paper corresponding to Bob Blakley's
recent presentation on authorization.
Ken noted that NIST is very interested in producing proceedings of the event, and in having it be the first of a series. [AI] Cliff, Carl, Sean, Keith, and Ed will serve on the PKI Labs research conference program committee. [AI] Ken will ask Rich Guida, Jeff Schiller, Stefan Brands, Peter Alterman, and Tim Polk to serve on the program committee. [AI] Keith will ask Larry Landweber to serve on the program committee. [AI] Ken will schedule a conference call with both confirmed and prospective program committee members.
At Wisconsin, the signed-but-not-encrypted email pilot for the medical center is on track for August. Ken noted that he'd heard some vigorous objections to this approach at TERENA; Keith acknowledged that medical centers will need encrypted mail, but defended Wisconsin's plan to do just authentication first. [AI] Keith will have the grad student maintaining the Wisconsin PKI Lab web site notify Dartmouth when the site is updated. [AI] Keith will organize a joint Shibboleth/PKI Labs conference call to talk about overlap and cooperation between the two projects.
Sean gave an overview of work happening at Dartmouth; details are on the just-updated Dartmouth PKI Labs site. Among many other things, a steganography project is underway; Sean said it has "a small chance of succeeding wildly". Ed expressed interest in doing beta testing for the next version of CDSA. [AI] Carl will find out when the next version of CDSA is due to be released. [AI] Carl will try to track down the consultant who did the CDSA documentation.
Ken noted that HEPKI needs to decide how to lighten PKI for its PKI Lite project, and the group briefly discussed possible leads in this area. [AI] Carl will send the list a reference to Dwaine Clarke's work on authorization certs issued by web page owners. Ed noted that Clarke's work is much like John Bull's; Neal noted that he's still trying to get Stefan Brands to join a PKI Labs call. Neal also noted that Microsoft has been pushing Kerberos as a hot technology lately. Bob Moskowitz said that Spectrum is using Kerberos for 802.11 security; they claim that its speed gives it a great advantage over other technologies in dealing with the task of switching among wireless cells.
Finally, Carl reported that he had just installed a new WinME system and watched Internet Explorer check CRLs every time he went to a secure site, resulting in a 980 KB download each time. Neal characterized this as "a fascinating new opportunity for denial of service", and Ed characterized it as "really stupid". Steve tried the same thing and got no CRL checking; there was uncertainty about whether CRL checking is or is not default behavior for IE. Steve will investigate further; [AI] Steve will let the list know what he finds out about the default CRL-checking behavior of Internet Explorer.
The next PKI Labs conference call will take place on Monday, July 16, at 1400 EDT.
*Action Items*
[AI] Keith will see what he can find out about the status of the U. of Texas
PKI project.
[AI] Bob Moskowitz will send the list information on Federal work related to
attribute certs.
[AI] Cliff, Carl, Sean, Keith, and Ed will serve on the PKI Labs research
conference program committee.
[AI] Ken will ask Rich Guida, Jeff Schiller, Stefan Brands, Peter Alterman,
and Tim Polk to serve on the program committee.
[AI] Keith will ask Larry Landweber to serve on the program committee.
[AI] Ken will schedule a conference call with both confirmed and prospective
program committee members.
[AI] Keith will have the grad student maintaining the Wisconsin PKI Lab web
site notify Dartmouth when the site is updated.
[AI] Keith will organize a joint Shibboleth/PKI Labs conference call to talk
about overlap and cooperation between the two projects.
[AI] Carl will find out when the next version of CDSA is due to be released.
[AI] Carl will try to track down the consultant who did the CDSA
documentation.
[AI] Carl will send the list a reference to Dwaine Clarke's work on
authorization certs issued by web page owners.
[AI] Steve will let the list know what he finds out about the default
CRL-checking behavior of Internet Explorer.