BoF Meeting to Discuss PKI Coordination

Wednesday 16 May 2001
Talya Hotel, Antalya, Turkey

Notes by John Dyer
21 June 2001

A Birds of a Feather (BoF) meeting to discuss the issues of Public Key Infrastructure (PKI) was held during the TERENA Networking Conference in Turkey on May 16th 2001. This was the second in a series of meetings of persons from the research networking community involved in PKI/CA initiatives; the first meeting having taken place in the TERENA offices in Amsterdam on 6 December 2000 (see http://www.terena.nl/tech/projects/pki/pki-coord001206notes.html). The main areas of discussion in the BoF were:


Hierarchical CA vs Bridge CA models

There was an inconclusive discussion on the use of hierarchical trees and CA bridges. The underlying issue is that no-one yet has practical experience of which approach will work best. A project known as the Federal Bridge will start in June 2001 and in one year's time someone from the US will be able to come back and report on the results. The Corporation for Research and Education Networking (CREN) has a hierarchical certificate authority for the US (see http://www.cren.net/ca/index.html), which is a parallel to the EuroPKI (see http://www.europki.org/). Since there are now examples of each approach being used in production services, in the fullness of time TERENA should undertake a comparative study of the merits of each solution. The major area in which differences of opinion need to be resolved is that of scalability. Diego Lopez and Antonio Lioy expressed their view that there is no inherent incompatibility between the Bridge and Hierarchical models of running a CA infrastructure.

It was agreed that we should begin to aggregate PKI policies and prepare a list of the differences between the documents. There are currently documents available from SURFnet, EuroPKI, DFN, GRIDs and from the US. It was reported that Randy Butler is leading a comparative activity for the grids community. The most recent CA policy document in the US is being written by Ken Klingenstein and this document is significantly different from earlier versions. Ken reported that they had been trying to follow the Federal model, but found it too hard. Ken went on to say that he would be participating in a conference call scheduled to take place in the next couple of weeks that may result in some revisions, and agreed to send the revised document to the pki-coord email distribution list.

There was agreement that the main pressure for inter-boundary PKI infrastructure in the academic and research community is coming from the GRID community. In this context, there was a view that the GRID community are going to use distributed local security domains using KX509, which allows Kerberos-authenticated users to acquire a short-term X.509 certificate suitable for use with PKI-aware applications. The reason for taking this approach is that some people are of the opinion that a single central authority is not scalable. In further discussion it was not clear that there is a single view within the GRID community, and it is possible that some divergence may occur between the models chosen by individual institutions and/or applications.

Round-up of Activities in Europe

Ton Verschuren of SURFnet, NL said that they have been updating their PKI cookbook and this could be made available to the pki-coord list when complete.

Diego Lopez of RedIRIS, Spain has been putting certificates in their LDAP directory. To retrieve a certificate, the search process looks for the email element of the certificate and retrieves the certificate on that key. Experience so far shows that this works well. Apart from this practical activity, RedIRIS have submitted their CP to EuroPKI with the objective of becoming accredited under the EuroPKI hierarchy. The authoritative version of the CP is in Spanish, but it is being translated into English.

DFN, Germany has a new directory project in which the support of a PKI is one of the major issues. DFN are considering the possibility of storing PGP and X.509 certificates in a common model, although as yet there is no certainty that this can be achieved. Ton expressed his view that there is no need to store PGP certificates in this way. SURFnet has a default key server for PGP (see http://pki.surfnet.nl/). Sheffield Hallam University in the UK is exploring the issue of storing certificates.

Recent PKI Developments

In the context of the security of certification systems, interest was expressed in looking into the use of OpenCA and OpenSSL for building CA infrastructures. The OpenCA system makes the assumption that the CA is always online. EuroPKI assumes an offline model where the certificates are loaded onto the front end using a removable physical storage medium. The essential element of this system is that the directory containing the live certificates is connected either to the network OR to the certificate-generating system, but never to both simultaneously. Ken Klingenstein reported on the US attempt to develop an offline model using an RS232 link between front and back end, effectively decoupling the back end from the IP network and making access for potential infiltrators very difficult.

Antonio explained the requirements for becoming a member of EuroPKI. An applicant must agree to have their CPS written down and validated by EuroPKI, but is not obliged to use the EuroPKI tools (which are freely available). As an alternative, member CAs can use commercial tools.

Antonio said that the NASTEC tools are being developed as part of the project TESI (Trusted European Security Infrastructure) and are to be widely deployed within the NASTEC project. More details will be made available at the TESI homepage: http://www.tesiconsortium.org/. TESI is a project aiming to develop and foster the adoption of a software security environment under European control.

It was agreed that there should be some work undertaken on mobility-related PKI issues. The Internet2 community have sent a list of a number of areas that they want to be handled by the Securely Available Credentials (Sacred) Working Group of the IETF. The document has been issued as an RFC, but not much progress has been made. Ken Klingenstein said the Sacred Working Group could use some help and that people interested in this area should volunteer. Yuri Demchenko agreed to send information on the Sacred WG to the pki-coord email distribution list. See http://www.ietf.org/html.charters/sacred-charter.html for more information regarding Sacred.

Potential PKI Activities for TERENA

David Williams & Brian Gilmore asked the meeting if anyone could identify activities that TERENA should undertake or if TERENA should work more closely with EuroPKI.

Ton Verschuren from SURFnet explained that he thinks there is an inherent issue of trust involved in PKI work. The PKI should reflect the real trust relationships that exist in the real world. There is a trust relationship between the NRENs and TERENA that does exist in the real world, and maybe EuroPKI should be associated with TERENA more closely to capitalise on this relationship that has been built over many years. Karel Vietsch explained that TERENA was already involved in brokering a web of trust through its work with IRTs and the Trusted Introducer.

A further suggestion that received some support from the attendees was the building of a European Education CA Bridge.

Ingrid Melve of UNINETT, Norway said that it is important to include commercial servers in academic certification authorities. It is clear that academic users need access to both academic and commercial information sources and facilities. TERENA should take the initiative to publicise this sort of issue.

Action Items

Action 0-2-1. Begin to aggregate PKI CPs and prepare a list of the differences between these documents. TERENA to form a group of volunteers for this work.

Action 0-2-2. Ken Klingenstein agreed to mail the new Internet2 CP to the pki-coord email distribution list.

Action 0-2-3. Yuri Demchenko agreed to send information on the IETF SACRED WG to the pki-coord email distribution list.

Action 0-2-4. Antonio Lioy & Diego Lopez will send information regarding the NASTEC project and software to the pki-coord email distribution list.

Action 0-2-5. Antonio Lioy & Diego Lopez also agreed to investigate the use of CA bridges and report back to the group on their findings.

Action 0-2-6. The Americans agreed to report back on the progress made with using the Federal Bridge PKI model.

Action 0-2-7. TERENA to organise another PKI-COORD meeting in the October/November time frame.

List of Attendees

  1. Ton Verschuren, SURFnet, NL
  2. Antonio Lioy, Politecnico di Torino/EuroPKI, IT
  3. Michael Walsh, Kerma Communications, IE
  4. David Williams, CERN, CH
  5. Peter Alterman, Federal PKI Steering Committee, US
  6. Michael Gettes, Georgetown University, US
  7. Mika Kivilompolo, CSC/Funet, FI
  8. Diego Lopez, RedIRIS, ES
  9. Urs Eppenberger, SWITCH, CH
  10. Christoph Graf, SWITCH, CH
  11. Konstantin Chuguev, DANTE, UK
  12. Milan Sova, CESNET, CZ
  13. Alf Hansen, UNINETT FAS, NO
  14. Ingrid Melve, UNINETT, NO
  15. Almerindo Graziano, Sheffield Hallam University, UK
  16. Peter Gietz, DFN Directory Services, DE
  17. Maja Gorecka-Wolniewicz, NCU, PO
  18. Ken Klingenstein, Univ. Colorado/Internet2, US
  19. Keith Hazelton, Univ. Wisconsin, US
  20. Roland Hedberg, Catalogix, SE
  21. Michalis Konstatopoulos, GRNET, GR
  22. Brian Gilmore, TERENA, NL
  23. Karel Vietsch, TERENA, NL
  24. John Dyer, TERENA, NL
  25. Valentino Cavalli, TERENA, NL
  26. Yuri Demchenko, TERENA, NL