VidMid VC Conference Call Minutes January 13 2003

*Attendees*
Jason Lynn, UAB
Tyler Johnson, UNC
Eric Wilson, Sylantro
Samir Chatterjee, CGU
Aditya Srinivasan, UAB
Nadim El-Khoury, UNC
John Paul Robinson, UAB
Lisa Hogeboom, Internet2
Steve Olshansky, Internet2
Jonathon Tyman, Internet2
Ken Klingenstein, Internet2
Egon Verharen, SURFnet (chair)
Jeanette Fielden, Internet2

*Discussion*
Alan Blatecky is leaving the NSF as of April 1st. His replacement Kevin Thompson, comes from MCI, and starts February 1st. Ken will be meeting with him and George Strong, the CIO for NSF, in two weeks to discuss the design of NSF's internal middleware. The internal middleware needs to work for NSF applications, relationships to other agencies, and relationships to customers.

There is a new solicitation, due in early March, for the integrator and some individual awards. It looks like we will bid for the new round of the solicitation. What will be included in the bid, both for the integrator and the individual awards, has not yet been determined. If someone is planning on submitting an individual component proposal, it would be of benefit to confer beforehand with either of the integration teams so that letters of endorsement can be written.

Steve and Ken are meeting with David Chadwick of the U.K. to discuss his authorization scheme, Permis, and how it might be brought into the next release. Shib 1.0 is targeted to release in conjunction with the spring Internet2 member meeting. Use the middle of April as a target date for NMI-R3 but expect that the date may change. Software planned for the release will need to be submitted a couple of weeks prior to the release date.

Samir stated that the planned release for the SIP client is the end of January. There is a contract with Dynamic Soft for the user agent part. There are no user limitations, in terms of numbers of users, in the license so it can be included in the NMI-R3 release, which will make it widely available. They're working to improve the install shield program to make the install as smooth as possible.

Ken commented that it would be great to showcase the SIP client at the spring member meeting and show where it fits on a road map to our final target.
[AI] Steve will work with Samir to develop a time schedule and strategy for promoting the SIP client for the spring member meeting.

When will PKI arrive?
It's not clear that PKI is getting closer in a low-security fashion that would enable widespread use. Ken talked about a report from the Federal PKI effort, where they are trying to bridge federal PKI and e-authentication into a single trust fabric. A certificate policy was attached to an e-authentication activity, and then the certificate policy was mapped to the federal bridge and into the rest of the certificate policies. The certificate policy that they are using to characterize e-authentication is very short, and patterned like the PKI-Lite policy. This suggests that e-authentication rather than formal PKI might be the way that video clients work, assuming that video clients fit into the low-assurance space rather than the high-assurance space. If e-authentication is going to be used for authenticating video clients, there will still be the issue of how to get a credential that's more permanent than a password into the video client authentication piece.

Samir mentioned an article about TrustBuilder, a tool built at UIUC to negotiate trust on the web between two unknown parties. It uses digital credentials, which the article says can be implemented as X.509 certificates or signed XML statements. The article is available at http://www.computer.org/internet/ic2002/w6030abs.htm. More info on the software can be found at http://isrl.cs.byu.edu/.

A semi-final draft is due by the end of January to ITU-T for all the H.350 submissions. The work plan is to submit it to the rapporteur meeting at the end of this month and have VidMid take a look after that. Internet2 will have between the end of January and April to comment on it. Due to bugs that need to be fixed in the software, the install document is on the back burner at the moment, but it will be part of the release. The target release date is the Internet2 spring member meeting.

The group then discussed Jill's query to the list about whether or not a commObject needs an additional attribute, commOwnerDN. The problem arises if you need to have a self-configuring client for video conferencing. If you have a self-configuring client that contacts the LDAP commObject server, retrieves each attribute, configures itself and contacts/authenticates with the gatekeeper or proxy, how is the information in the commObject directory protected?

In Northwestern's implementation the attributes were not changed; the value stored in the attribute was simply used in a different way. The schema was extended, not changed. Since commOwner is a pointer to an LDAP URI, you could have DN information in the attribute, not just a common name. Then you would not need a separate commOwnerDN. The examples in the definition of commObject don't use DNs, they only use common names, so perhaps it's more a matter of providing an example of how to do it with a DN in the LDAP URI. An example extending the definition of the attribute could make clear how to do the backward chaining. The reverse chaining is nice since you can custom-configure your commObject directory to be smart and not have to make changes to your enterprise directory. It works with any enterprise directory LDAP server but only with some commObject directory servers, so you would have to be selective in your choice of directory servers for your commObject data. The group recommended not adding the commOwnerDN attribute to commObject.
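As an added illustration of the point above that the owner's DN can travel inside the commOwner LDAP URI without a separate commOwnerDN attribute (example code, not the group's or the H.350 specification's own; it parses the URI per RFC 4516, and the host names, DNs and attribute names are constructed):

```python
# Parse the LDAP URI held in an H.350 commOwner attribute (RFC 4516 syntax).
# Added example for these minutes, not code from the VidMid group or the
# H.350 specification; host names, DNs and attribute names are constructed.
from urllib.parse import unquote, urlsplit

def split_dn(dn):
    """Split a DN into (type, value) RDN pairs, honouring backslash escapes."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char (e.g. '\,'): keep literally
            current += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
        i += 1
    if current:
        rdns.append(current)
    return [tuple(part.strip().split("=", 1)) for part in rdns]

def parse_ldap_uri(uri):
    """Return host, dn, attributes, scope and filter from an RFC 4516 LDAP URI:
    ldap://host:port/dn?attributes?scope?filter (trailing parts optional)."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URI: %r" % uri)
    # urlsplit keeps everything after the first '?' in .query; the LDAP URI
    # grammar separates its remaining fields with further '?' characters.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    return {
        "host": parts.netloc,
        "dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in unquote(fields[0]).split(",") if a],
        "scope": fields[1] or "base",                       # RFC 4516 default
        "filter": unquote(fields[2]) or "(objectClass=*)",  # RFC 4516 default
    }

def owner_dn_is_qualified(uri):
    """True when the commOwner URI names its owner by a full DN (one carrying a
    naming-context RDN such as dc=, o= or c=) rather than a bare cn=.
    Heuristic assumed for this example, not a rule taken from H.350."""
    rdns = split_dn(parse_ldap_uri(uri)["dn"])
    return any(t.lower() in ("dc", "o", "c") for t, *_ in rdns)
```

A cn-only URI like the ones in the commObject examples parses the same way, but owner_dn_is_qualified() reports that it does not carry a full DN, which is the case where a client cannot chain back to the enterprise directory entry.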

Jill also forwarded a question about Jon Peterson's SIP Invite SAML assertion model. Is there a message form of the crypto-token big enough to hold the same string? Can all that information be stored in attributes? No one was familiar enough with the model to offer an answer.

Is anything in H.323 big enough to hold a SAML assertion? Using H.235 Annex E you can have a crypto token, so instead of putting the actual certificate in there you can pass the URL to the certificate. Can you store it and pass the reference?
We would like to store things but Shibboleth doesn't allow these things to be stored. That's something that would have to be discussed with Shibboleth developers.
[AI] Steve will find Jon Peterson's presentation and forward the URL to the list.

Cisco Gatekeeper and LDAP backend authentication testing: This involves Cisco's own MCM gatekeeper and others that are based on it for VoIP. It's part of some IOS releases running on some routers. Tyler has access to a router that he believes can be used for this testing.
[AI] Tyler will document the router and see if it's appropriate for the Cisco Gatekeeper and LDAP backend authentication testing.

Egon will be stepping down as the chair of the VidMid VC group due to changes at SURFnet. Egon asked people to consider who might be a good replacement as chair by the Internet2 spring meeting. This might also be a good point to ask what the next task for the VidMid group is, and in what time frame.

At the next meeting we can start planning for the spring member meeting, since we can have another session there.

The next meeting will be January 27, 2003.

[AI] Samir will forward links on TrustBuilder to the list.
[AI] Steve will track down Jon Peterson's presentation and SIP Invite Assertion Model.
[AI] Tyler will document the router and see if it's appropriate for the Cisco Gatekeeper and LDAP backend authentication testing.