Steve Olshansky, Internet2
Art Vandenberg, GSU
Dennis Baron, MIT
Tyler Johnson, UNC
Ken Klingenstein, Internet2
Jeanette Fielden, Internet2
Nadim El-Khoury, UNC
Ted Hanss, Internet2
Jill Gemmill, UAB
Tom Barton, U. Chicago
Note: The term H.350 is technically more correct than the term commObject.
Ken talked about the plans to develop a more generalized credential converter. The goal is for the converter to take credentials in three or four different formats and then produce certificates that match that configuration information. One difficult issue is where those certificates need to be placed so that video clients are able to use them. KX.509 today places the certificates in opportunistic spots depending on the application; there is no generalized location. H.350 has a place to include certificates in its attribute classes, and a tool could be developed to drop a certificate into that spot. It will cover Kerberos, LDAP, and a permanent certificate coming in of the wrong format that needs to be converted to a temporary certificate of the right format. What we learned in KX.509 is that the hard part is not producing the certificate but getting it into a place where the client application can use it. H.350 contains a storage location for digital certificates. For H.323 this location is an attribute in H.350.2 (the H.235 subclass of H.350), and for SIP this location is an attribute in H.350.4 (SIPIdentity). Since this is part of the ITU standard, developers and vendors may accept it as a standardized storage location. Funding for the converter will start in August.
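To make the "drop a certificate into that spot" step concrete, here is an added example (not code from the meeting, the converter project, or the H.350 specification) that builds the LDIF modify record a converter would hand to the directory. The certificate attribute names in H.350.2 and H.350.4 are not given in these notes, so the names below are labelled placeholders, and the DER blob is constructed filler rather than a real certificate; the functions show the part that is independent of those details, namely encoding a binary value as base64 and folding it per LDIF rules so that any LDAP server accepts it.

```python
import base64

# Constructed sample: NOT a real certificate. It starts with the DER SEQUENCE
# tag (0x30) so the sanity check below passes, followed by filler bytes that
# are long enough to exercise LDIF line folding.
SAMPLE_DER = b"\x30\x82\x00\xc4" + bytes(i % 256 for i in range(196))

# Placeholder attribute names (assumption): the real H.350.2 and H.350.4
# attribute types for certificates are not named in the minutes.
CERT_ATTRIBUTE = {
    "h323": "PLACEHOLDER-h350-2-certificate-attr",   # H.235 subclass, per the notes
    "sip": "PLACEHOLDER-h350-4-certificate-attr",    # SIPIdentity class, per the notes
}


def fold_ldif_line(line, width=76):
    """Fold a long LDIF line: continuation lines begin with a single space (RFC 2849)."""
    if len(line) <= width:
        return line
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def certificate_modify_ldif(dn, protocol, der_cert):
    """Return an LDIF 'changetype: modify' record adding der_cert to the entry at dn.

    The value is written base64-encoded ('::' separator) with the ';binary'
    transfer option, which is how a DER certificate belongs in LDIF.
    """
    if not der_cert.startswith(b"\x30"):
        raise ValueError("certificate must be DER-encoded (ASN.1 SEQUENCE)")
    attr = CERT_ATTRIBUTE[protocol]  # KeyError on an unknown protocol is intentional
    b64 = base64.b64encode(der_cert).decode("ascii")
    lines = [
        fold_ldif_line("dn: " + dn),
        "changetype: modify",
        "add: " + attr + ";binary",
        fold_ldif_line(attr + ";binary:: " + b64),
        "-",
    ]
    return "\n".join(lines) + "\n"


def extract_certificate(ldif_text, attr):
    """Unfold the record and decode the base64 value back to DER bytes (for verification)."""
    unfolded = ldif_text.replace("\n ", "")
    prefix = attr + ";binary:: "
    for line in unfolded.splitlines():
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):])
    return None


if __name__ == "__main__":
    record = certificate_modify_ldif("cn=jdoe,ou=people,dc=example,dc=edu", "sip", SAMPLE_DER)
    print(record)
    assert extract_certificate(record, CERT_ATTRIBUTE["sip"]) == SAMPLE_DER
```

The record can be fed to `ldapmodify` once the placeholder attribute names are replaced with the types the deployed H.350 schema actually defines; the round-trip check in `extract_certificate` is the test a converter should run before it trusts its own output.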
Jill explained that currently there are no H.323 clients that use any H.323 security-based certificates. Developers are interested in doing it, but there is no code in place we can use. On the control side it is UDP from the software on the user end to a gatekeeper and then TCP after that. How to transition from UDP to TCP while securing the control channel isn't well understood. Currently authorization is a simple model: people check in with the ISP and are then authorized for whatever the ISP allows. A partnership through Siemens has developed the only known model for using certificates. There has been no success yet in contacting them about the project.
A group wanting to move forward on certificates approached Tyler at the Study Group 16 meeting. There is interest in using certificates for authentication from the protocol perspective. In order to use the certificates effectively you need to have some sort of certificate management infrastructure. Developers are not seeing that clients have certificate management infrastructure, so they aren't creating certificate-based authentication. There is already an H.350-enabled client that authenticates with a user ID and password. With extra funding, a certificate-based version can be created as a proof of concept.
It will be a long-term push to get universities to adopt H.350. It makes sense to fold the credential piece into that since it's a big infrastructure piece. In video and VoIP there is already a lot of directory look-up that H.350 just standardizes. If there is software that will take existing Kerberos, LDAP, UNIX, etc. identities, convert them into a certificate and stick it into H.350, it could help create a market to use this stuff, especially if it's deployed in a concerted effort to schools, and particularly if it works for both SIP and H.323 in a standards-based way. If there were goals in terms of the number of schools implementing this, or in terms of incenting vendors to provide an environment in which to deploy it, there might be a role within the Internet Commons as well.
Consent was obtained on all of the documents proposed as standards. These include the base commObject and H.350, which covers H.323, the certificate and user ID/password storage attributes, and H.235. The directory part will support H.323 security Annex B, Annex E, and Annex F. It also supports H.320, so you can store an ISDN conferencing number in the directory. SIP and non-standard protocols are supported as well. MPEG-2 video conferencing, Access Grid video conferencing and all other experimental conferencing stuff are non-standardized and will have a way to be represented in the directory. It will be finalized as an international standard in July after a member comment period during which no objections are expected. Tyler is working with Internet2 on a press release for that time frame. The ITU is also interested in a press release, which we want to coordinate with. ViDe.net software will also be updated so that it supports the modified schema by that time.
Does Internet2 want to join ITU and vice versa? Is there other work in Internet2 that we would like to move into the standards space? Is there any benefit to ITU joining Internet2 as an international partner? Is there any kind of trade that could be done to manage membership costs? Because Internet2 is not an ITU member, exceptions and sponsors had to be found for everything done in the ITU. Anything proposed had to be approved through the sponsoring member. Access had to be specially approved through the State Department in D.C. It's not a viable long-term approach. Internet2 could potentially join as a full member and choose people to be legitimate representatives. They would attend as Internet2 staff or representatives, not as representatives of their universities. This would allow Internet2 to participate in a number of relevant working groups; an associate membership would only enable participation in one working group. Full membership would also give the working groups, Internet2 member academic institutions, faculty and graduate students access to ITU documents for research, teaching, and study. A measurement needs to be done of how many potential things we have that could move into the standards space. Another question to examine is: how big a benefit would access to the documents be to the members?
Tom indicated that some of the work in the MACE-Dir group may come to bear on the X.500 family of standards, and ITU membership would be of benefit to that.
Ted will raise the issue within Internet2 about possibly joining the ITU. He will also get more information about the associate membership category of Internet2 that's being worked on.
There are H.350 documents on the VidMid site. Is there any problem with them being available there? Are they the latest version? Tyler will investigate.
For the past year VidMid VC has been in development mode. We're moving into a place where we're starting to have some tools. Focusing on deployment issues is one future area that would be good for VidMid-VC. The fall member meeting would be a good time to address this programmatically, as well as recruiting the essential contacts to attend. June 16th is the proposal deadline. Even just bullet points would be fine to start. The call for demos will go out today, or tomorrow.
The next call will be Monday June 16, 2001.
[AI] Ted will raise the issue within Internet2 about possibly joining the ITU. He will also get more information about the associate membership category of Internet2 that's being worked on.
[AI] Tyler will investigate whether the H.350 documents on the VidMid site are the latest versions and whether there are any issues with them being located there.
[AI] Steve will mail Tyler and Jill the MS Word document template for IETF RFCs. They will verify that it's current.