DRAFT Minutes of the PKI-COORD meeting - 26 November, 2001, Amsterdam

PKI-COORD

DRAFT Minutes of the PKI-COORD meeting
Monday 26 November, 2001

TERENA Offices, Amsterdam, Netherlands

Agenda
1. Welcome and Apologies
2. Round table introduction
3. Agenda bashing
4. Actions from previous meetings
5. European NRENs projects overview
5.1. SURFnet PKI/CA - Update (Ton Verschuren)
5.2. RedIRIS - Update (Diego Lopez)
5.3. Authentication and Authorisation Infrastructure (AAI) at SWITCH (Christoph Graf)
5.4. GNOMIS - Scandinavian Directory/PKI coordination activity and Norwegian FEIDE Project (Amund Krane)
5.5. Finnish FEIDHE (HSTYA) project (Janne Kanner)
5.6. Authorisation infrastructure based on X.509 attribute certificates (David Chadwick)
6. European activity/projects Overview
6.1. EuroPKI Update: the evolution of the EuroPKI and the NASTEC project - Corrado Derenale
6.2. Determining equivalence between certificate policies for purposes of cross-certification - Jimmy C. Tseng
7. Cooperation and coordination with PKI related projects in Internet2: MACE/Shibboleth, GRID - Michael Gettes
8. Discussion about the PKI-COORD Coordination and Technical Agenda
8.1. Grid Security infrastructure (GSI): Overview and problems (Yuri Demchenko)
8.2. Using Certificates/PKI for inter-institutional Authentication and Authorisation in European NRENs
9. Follow-on activity, Action list, timelines, list of deliverables, interested parties
10. Next meeting
11. AOB
12. New and Open Actions
Appendix A. List of Attendees

Note. Meeting Programme and presentations are available at http://www.terena.nl/projects/pki/pki-coord011126agenda.html

1. Welcome and Apologies

Apologies were received from:

Jan Meijer (SURFnet)
Peter Gietz (DAASI International)

2 and 3. Round of Introductions and Agenda bashing

21 delegates attended the meeting from 12 countries. A list of those attending is appended to these minutes.

4. Actions from previous meetings

Status of open actions from previous meetings:

ACTION STATUS

0-1-1 all TERENA to establish a small group of NRENs representatives to draft a Statement about EuroPKI. On hold

0-2-1 Begin to aggregate PKI CP's and prepare a list of the differences between these documents. TERENA to form group of volunteers for this work. Preparation work has been done, next step by NREN's experts

0-2-2 Ken Klingenstein agreed mail the new Internet2 CP to the pki-coord email distribution list. Done

0-2-3 Yuri Demchenko agreed to send information on the IETF SACRED WG to the pki-coord email distribution list. Initial information was sent to the list, provide detailed information and update webpage

0-2-4 Antonio Lioy & Diego Lopez will send information regarding the NASTEC project and software to the pki-coord email distribution list. Open, partially covered in presentation by Corrado Derenale

0-2-5 Antonio Lioy & Diego Lopez also agreed to investigate the use of CA bridges and report back to the group on their findings Open

0-2-6 The Americans agreed to report-back on the progress made with using the Federal bridge PKI model. Done and covered in Agenda item 6

0-2-7 TERENA to organise another PKI-COORD meeting in October/ November time frame. Done

It was decided to move discussion on Actions 0-1-1 and 0-2-1to the Agenda items 8 and 9.

5. European NRENs projects overview

5.1. SURFnet PKI/CA - Update (Ton Verschuren)

Ton briefed the meeting on recent developments of PKI at SURFnet. As an operational Service SURFnet CA has certified 8 organisations and 2 more are expected. They still have non-RFC2527 compliant CPS (which is now available also in English) deploying medium security LOA. As a promotional action the PKI team at SURFnet established Demo pages for obtaining worthless certificates and for SSL.

Ton described the main directions of innovation:

Integration of PKI and Directory (ldap-pki cookbook - http://ldap.gigacorp.nl/pkildap.html) including CA certs and CRLs
Updating CPS to comply with RFC2527 (for the SURFnet Office)
4 pilot projects implementing PKI smartcards/tokens

Ton described the architecture used for operating with multiple certs stored on the card with the SURFnet CA as a top-CA.

Ton also mentioned that the Dutch Government's PKI Initiative is underway.

There are some other developments which are not primary using PKI. In this connection he mentioned the use of mobile phone and banking card for remote user authentication via the web. He gave a demo during lunch.

5.2. RedIRIS - Update (Diego Lopez)

Diego's presentation covered two main developments at RedIRIS: IRIS PCA and PAPI. His complete presentation is at http://www.terena.nl/projects/pki/docs/pki-coord011126/pki-coord-2001-iris.ppt

IRIS-PCA provides PKI for Spanish Universities and research organisations. They expect four new organisations to be fully integrated into the infrastructure. Main obstacle in this process is that new organisations cause problems for already established PKI services. IRIS-PCA coordinates its activity with other Spanish initiatives, particularly with the Governmental service CERES. The CP document has been updated to version 3 and an English translation is now available and submitted to EuroPKI.

Diego told that their PKCS#11 Library created by the University of Murcia is available now under GPL. It's thoroughly tested in the operational environment for the access control, facility reservation, etc. by more than 15,000 users.

Diego also mentioned that PKI deployment in Spain is very student-oriented and becomes an area of competition between universities.

The current PAPI version 1.0.2 is used at RedIRIS for authentication and access control (http://www.rediris.es/app/papi/dist.en.html). The new version 1.1.0 is under test, it intends to solve problem with grouping similar PoAs and has better management of tokens. Currently the product is being tested in the PAPI Pilot mesh between universities, library, commercial information and content providers.

Diego also mentioned that PAPI is being tested by a few NRENs: SURFnet, NORDUNET, UKERNA.

The subsequent discussion was focused on some technical details of using PAPI for access control to web resources, the relation to other services and products and standard compliance. Diego explained that PAPI enables a webserver to send a special token to an application to allow access to the resources for the authenticated user. Although PAPI uses a pretty straightforward solution there is an intention to formalize the token format.

Diego was specifically asked about using smartcards in Spain for user authentication. He answered that Universities are using bankcards what guarantees high compatibility. A general observation was that using banking infrastructure may provide an easy solution in the future when bankcards will be mandated in the country and across Europe.

5.3. Authentication and Authorisation Infrastructure (AAI) at SWITCH (Christoph Graf)

Christoph Graf told about the AAI project at SWITCH (http://www.terena.nl/projects/pki/docs/pki-coord011126/pki-coord2-aai.ppt). The project targets two main services: Authentication and Authorisation. The main motivation for the project is an ongoing project on building "Swiss Virtual Campus (SVC)" infrastructure that addresses needs for student mobility (because of universities' specialization), distance inter-organisational learning, etc.

They are currently at the stage of deciding on Architecture and technologies to use. Main milestones until now have included the Initial AAI workshop in November 2000 that recognised the actual need for the AAI and the final AAI-TF report published in September 2001 (http://www.switch.ch/aai). The report received the blessing of the University Rectors Conference.

SWITCH AAI Roadmap spans from 2001 till 2005 when full implementation is expected. SVC is seen as an early adopter in the pilot stage starting mid 2002.

Christoph underlined that the main lesson of the current success of the project is in building good relations and cooperating with University administrations for the human oriented AA services.

5.4. GNOMIS - Scandinavian Directory/PKI coordination activity and Norwegian FEIDE Project (Amund Krane)

In the first part of his presentation Amund Krane briefed the meeting on the GNOMIS Symposium that took place in Hurdal on November 1-2, 2001. 40 representatives from universities and academic networks in Norway, Sweden and Finland met to discuss ongoing authentication and authorization projects in their countries and exchange information.

The main goal of the Symposium was to identify common problems for Nordic NRENs and particularly Universities, one of which is seen in supporting standard travel of researchers and students between countries, Universities and research sites. The Symposium plans to target both Universities and Ministries in their activity.

It was agreed at the Simposium that another meeting to present results and discuss further work will take place adjacent to the NORDUnet conference in April (April 15-17, 2002, Copenhagen). GNOMIS webpage - http://www.nordunet2.org/Projects/GNOMIS.htm

The second part of the presentation was devoted to the Norwegian FEIDE Project (http://www.uninett.no/prosjekt/feide/) on implementing a common electronic ID for staff and students which consists of three subprojects on Local user management, National authentication and authorisation, and PKI.

Amund explained the proposed architecture and its main components related to User management, Authentication/Authorisation service and PKI. Further project developments will focus on pilot implementation, writing specifications for the service, coordination with GNOMIS.

5.5. Finnish FEIDHE (HSTYA) project (Janne Kanner)

FEIDHE (HSTYA) is a collaborative project and its task is to produce recommendations and specifications for a smart card based public key infrastructure in Finnish higher education. First implementations and report are expected in 2002.

The FEIDHE project is focused on testing smart card support for applications like SSL, NetLogin, ssh, Kerberos. The FINEID (public smart card ID, issued to all Finns) as well as outsourced Certification Authorities are being tested for interoperability, usability and cost/benefit in a large scale test involving 750 users. Focus is on replacing username/password with public key encryption supported by smart cards.

The project includes 9 pilots which are working on testing and implementation and cover a wide range of topics. Dissemination is also an important activity in the project.

Janne presented some important issues from their experience in using an outsourced CA service for the particular case of using the FINEID card. There is no need for their own CA as the FINEID normally is to be issued only few times in life.

The question was asked how to deal with multiple IDs. The suggested solution was to map different IDs to the PKI certificate.

5.6. Authorisation infrastructure based on X.509 Attribute Certificates (David Chadwick)

David Chadwick presented the Privilege Management Infrastructure that is being developed in the framework of the EU funded project PERMIS (Privilege and Role Management Infrastructure Standards Validation). PERMIS is validating the use of Privilege Management Infrastructures (PMI) based on the X.509(2001) standard.

PERMIS PMI Components include:

Privilege Policy Schema/DTD that defines the meta rules that govern the creation of the Privilege Policy (Access Control Policy Rules);
Privilege Allocator that allows an administrator to create and sign Attribute Certificates, including a Policy AC (this is a signed version of the Privilege Policy), and store them in an LDAP directory;
The PERMIS PMI Implementation that grants or denies the Initiators' access to resources, based on the Privilege Policy and the ACs of the Initiator;
Other application specific components.

PERMIS X.509 PMI RBAC Policy is split in two parts:

Role assignment policy that specifies subject policy, role hierarchy policy, SOA policy (specifies who is trusted to issue ACs);
Target Access Policy that specifies target and action policies, and target access conditions, which are constructed from the known X.509 vocabulary.

David gave examples of policies description in XML format. He noted that own policy might be easily created using IBM's AlphaWorks tools and based on known XML DTD. He also displayed screenshots of PERMIS tools.

It was pointed out that similar research on Role Based Access Control is conducted by NIST http://csrc.nist.gov/rbac/. This URL was posted to the pki-coord mailing list and created lively discussions after the meeting on comparison of the two systems. Check the archive for the discussion http://hypermail.terena.nl/pki-coord-list/mail-archive/0162.html

6. European activity/projects Overview

6.1. EuroPKI Update: the evolution of the EuroPKI and the NASTEC project - Corrado Derenale

Corrado Derenale gave an update on recent EuroPKI developments. Currently EuroPKI membership consists of 4 international members (Italy, etc.) and 4 extra Italian organisations. They expect 3 more international members and more Italian members to join by the end of year 2001.

EuroPKI provides the following basic services:

certificate applicant authentication
certificate issuance
certificate revocation
certificate renewal
certificate publication
CRL issuance
CRL publication

Advanced services include OCSP (Online Certificate Status Protocol) Responder and TSA (Time Stamp Authority). These two new services have been deployed recently.

Corrado briefly described the OCSP Responder and Client characteristics and addressed OCSP software/implementations interoperability and security issues. He also described EuroPKI tools (RA client Server, SSL Telnet, SSLFTP) and "POLITO software" that runs the EuroPKI root and consists of two modules: frontend CAFÉ and backend CAMGR.

Summarising their experience Corrado pointed to existing/remaining problem in Join legacy PKI.

6.2. Determining equivalence between certificate policies for purposes of cross-certification - Jimmy C. Tseng

Before introducing their Fiducia Project funded by the UK Department of Trade and Industry (DTI) and UK Econonic and Social Research Council (ESCR), Jimmy gave a technical introduction on practical problems of PKI interoperation in different architectural models.

Jimmy explained some specific needs for cross-certification:

certification of one CA by another in order for a verifier to construct and verify certification paths across PKI domains;
construction of certification paths;
harmonise certificate policies.

He explained pros and cons of different PKI architectures: sub-ordinated hierarchies, cross-certified meshes, hybrid models and bridge CA. The benefits for Bridge CA are:

Pairwise with Bridge CA
Simple and logical, all non-local paths traverse bridge
Medium directory dependency
Scalable across organizations.

The Fiducia project is funded by the UK DTI and ESRC and focused on modeling contractual risks in interoperable public key infrastructures including modeling identity risk in electronic transactions, contractual obligations and liability in PKI. Analysis is based on comparison of CPS against a reference model, and the legal and semantic analysis of specific CPS under scrutiny. The project team has collected CPs and CPS from over a hundred CAs in 16 languages. In addition to the full text of the CPSs, the extended CA database includes information on location of CPs, CPSs, CRLs, OCSP responders, and certificate profiles. Jimmy explained that current procedure for documenting the CPS is a pretty straightforward and includes such steps as coding particular sections of the CPS(s) under analysis, to facilitate look up by project members and legal experts.

When asked whether the project approach has been tested in a real world, Jimmy told that the Fiducia project has the status of a research project and aims at providing a basis for CAs interested in cross-certifying with other CAs by means of assessing their compatibility and risks. The main goal of his participation in this meeting was to find more real world/practical exposure.

7. Cooperation and coordination with PKI related projects in Internet2: MACE/Shibboleth, GRID - Videoconference with Michael Gettes (USA).

First, Michael Gettes provided information about HEPKI (Higher Education PKI) project/activity in Internet2 which is focused on inter-institutional PKI deployment. To avoid legal complications HEPKI tries to find workable solutions with minimum policy behind them. He also mentioned that a new HE Certificate Policy is currently available.

The Pilot/Current implementation of the HE Bridge CA (HEBCA) provides cross-certification for a few HE schools (some of them are using Certificates signed by different commercial CAs) and is cross-certified with the Government BCA. If successful, HEBCA will be put on a higher level (or wide service/use). However, he gave his observation that PKI implementation at inter-institutional level does not go so well.

Next, he explained that inter-institutional PKI-based Authentication and Authorisation services deployed in the Shibboleth project provide a good basis/solution for inter-institutional PKI-based Authentication and Authorisation services.

Michael Gettes informed the meeting about the programme called the NSF Middleware Initiative (NMI) recently announced by NSF. NMI will create and deploy advanced network services that will make it easier for Internet users to access a wide range of resources available through high-performance networks. The effort will build on the successes of the Globus (GRID oriented) project and the MACE initiative in developing middleware tools, and will integrate emerging middleware components into a well-tested, comprehensive, commercial-quality, middleware distribution package that runs on multiple platforms. These middleware distributions will be disseminated to research labs and universities worldwide.

Two groups will receive the awards. A team formed by Internet2 will include EDUCAUSE and the Southeastern Universities Research Association (SURA). A second team that includes the University of Southern California School of Engineering's Information Sciences Institute (ISI), the University of Chicago, the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign, the University of California at San Diego (UCSD) and the University of Wisconsin at Madison, will establish the GRIDS (Grids Research Integration Deployment and Support) Center.

In view of the recent news and developments, it was advised to update the Internet2 related information at TERENA's PKI-COORD webpage.

Action 0-3-1. Yuri Demchenko to update Internet2 related information at TERENA's PKI-COORD webpage.

In the discussion that followed Michael answered a few questions about current PKI and Directory related projects and activities in Internet2.

A particular topic of common discussion was about key escrow, whether it is a CPS issue and whether it should be included into CPS. It was pointed out that key escrow should not be confused with private/public key backup. In this respect key escrow is a 3^rd party action and is seen as a fundamental problem in using encrypted mail (in US?).

Finally, Michael announced that the first Campus Architectural Middleware Planning (CAMP) meeting will be held in February in Tempe, AZ and will be focused on Architecture issues, Directories, PKI for campuses, questions related to GRID. Shibboleth will be also on the agenda. They expect around 200 US participants and also international representatives, particularly from Europe.

8. Discussion about the PKI-COORD Coordination and Technical Agenda

This part of the Agenda was specially devoted to a discussion of some specific topics for a possible PKI coordination activity for Europe. It also contained a special presentation on GSI (Grid Security Infrastructure) intended to provide initial information for the discussion.

8.1. Grid Security infrastructure (GSI): Overview and problems (Yuri Demchenko)

Yuri Demchenko explained the background of this presentation. The initial information and idea came from his participation in the DataGRID WP7 Security meeting on November 9 at SARA, Amsterdam chaired by Dave Kelsey from Rutherford Appleton Laboratory, UK. Although invited, nobody from that group could make it to this meeting, however interest in establishing contacts was clearly expressed.

The presentation is available at http://www.terena.nl/tech/projects/pki/docs/pki-coord011126/pki-coord011126-gsi00.ppt.

Main issues presented:

difference in security issues between traditional systems which are user/host centered and GRIDs which are defined as data-centered;
Security services in GRID computing (authentication, authorisation, integrity and confidentiality, assurance, accounting, audit) and their specifics;
GSI overview and problems.

Yuri provided a list of current GSI documents (that have status of GGF Draft documents) for further reference and gave an overview of some of them that might be of interest for PKI community:

Online Credential Retrieval (OCR)
Internet X.509 Public Key Infrastructure Proxy Certificate Profile
Internet X.509 PKI Restricted Delegation Certificate Profile
Internet X.509 PKI Impersonation Certificate Profile

Yuri also mentioned that DataGRID is planning to pay more attention to Security issues, and, first of all, to collect Security requirements from different work packages. This should provide better coordination and a basis for producing common requirements and Security policy.

Yuri gave as his observation that the GRID community will benefit from contacts with the professional PKI community that already has extensive experience in PKI deployment and operational services.

The issue of coordination between PKI related activities and GRID oriented projects was extensively discussed. The common conclusion was that coordination is beneficial and benefits may be mutual: the professional PKI community will bring its expertise to application oriented GRID projects and in return it may find a real "killer" application for the PKI. It was advised that TERENA Secretariat should try to get in touch with GRID people and investigate their interest in establishing contacts.

Yuri told that TERENA has the intention to organize the next meetings of TF-LSD (as Directories related activity) and PKI-COORD on subsequent days which might also be combined with a meeting to discuss GRID related issues. The idea in general was supported by the meeting. It was agreed that at least GRID people working on Security issues should be invited to the next PKI-COORD meeting.

Michael Gettes told that issue of coordination with GRID related projects in the US is on the agenda of the Internet2 Middleware Initiative and will be discussed at the next CAMP meeting in February 2002.

Action 0-3-2. TERENA Secretariat to invite GRID people working with Security issues to the next PKI-COORD meeting and investigate interest in holding special meeting to discuss possible GRID coordination activity/issues.

8.2. Using Certificates/PKI for inter-institutional Authentication and Authorisation in European NRENs

The discussion on this topic was led by Christoph Graf. He started with asking the question what approach in deploying AAI services is seen as more effective: bottom-up (starting from implementation services) or top-down (starting from requirements and the managerial level). He mentioned that in his presentation on AAI project at SWITCH he gave an example of the top-down approach.

Ton told that SURFnet explores both approaches providing basic technical solutions and at the same time raising awareness and convincing managers.

Diego informed that actually PAPI started from a University request to RedIRIS which provided initial conditions for managerial acceptance of the designed solution. Their current work is to make PAPI PKI aware to add PKI based Authentication service.

Next question was whether we need inter-university authorisation, particularly for the situation that most resources are located outside the home university. This question was answered by stating, that normally a university staff or students want to have the possibility to access services and information in other universities and use personal credentials from the home university. Michael Gettes added that inter-institutional authorisation is a main issue in Shibboleth which gives a good example/solution.

Torbjorn Wiberg from SUNET summarized that Authentication should be provided by the home organization (and may reside at national level) and Authorisation should be provided at inter-organisational level (and consequently extend internationally).

Michael Gettes asked how the problem of establishing personal identity (which is not an electronic procedure) is being solved in different countries and whether an identity from one country is accepted in another country. Ton explained that in Netherlands they use student cards which are issued to all students. Corrado told that the current EuroPKI procedure is based on photo ID, i.e. passport.

9. Follow-on activity, Action list, timelines, list of deliverables, interested parties

This part of the meeting was devoted to a discussion of possible next actions and follow-on activities.

It was agreed that in order to build a workable solution/infrastructure we need first to collect requirements from different communities (and particularly from the GRID community).

Action 0-3-3. PKI-COORD to collect requirements from different communities and define common requirements for the European wide PKI.

Action 0-3-4. TERENA Secretariat and volunteers (Diego, Christoph, Ton) to prepare Questionnaire to collect these requirements.

Brian Gilmore made the important remark that the fact that in some countries other (or different) agencies are issuing certificates to all citizens (e.g., on personal ID cards) doesn't mean that we (the academic community) should not think about issuing the own certificates because of privacy issues concerned with publishing personal information on the card.

People also pointed to one remaining issue in using Directories for storing PKI related documents, e.g. CRL, that is the need for a Directory Policy. However, David Chadwick commented that you don't need a Directory Policy because of you trust signature, and you can therefore calculate the trust based on CRL.

The meeting agreed on some issues to justify establishing a formal PKI coordination activity in the framework of TERENA Technical Programme:

1) coordination with Internet2 HEPKI Initiative which is a strong interest from Internet2/US;
2) Inter-institutional Authorisation (and Authentication) which is seen as "killer" application for PKI needs in international cooperation;
3) all will benefit from information exchange and coordination;
4) there is a need to establish a formal framework to perform actions from the current and previous meetings.

10. Next meeting

It was agreed that the next meeting will be held on adjacent days with the TF-LSD meeting with intention to invite also GRID Security related people.

The date suggested for two or more related meetings is March 4 and 5, 2002.

11. AOB

No AOB was discussed.

12. New and Open Actions

ACTION STATUS

0-1-1 all TERENA to establish a small group of NRENs representatives to draft a Statement about EuroPKI. On hold

0-2-1 Begin to aggregate PKI CP's and prepare a list of the differences between these documents. TERENA to form group of volunteers for this work. Preparation work has been done, next step by NREN's experts

0-2-2 Ken Klingenstein agreed mail the new Internet2 CP to the pki-coord email distribution list. Done

0-2-3 YD Yuri Demchenko agreed to send information on the IETF SACRED WG to the pki-coord email distribution list. Initial information was sent to the list, provide detailed information and update webpage

0-2-4 AL, DL Antonio Lioy & Diego Lopez will send information regarding the NASTEC project and software to the pki-coord email distribution list. Open, partially covered in presentation by Corrado Derenale

0-2-5 AL, DL Antonio Lioy & Diego Lopez also agreed to investigate the use of CA bridges and report back to the group on their findings Open

0-2-6 The Americans agreed to report-back on the progress made with using the Federal bridge PKI model. Done and covered in Agenda item 6

0-2-7 TERENA to organise another PKI-COORD meeting in October/ November time frame. Done

0-3-1 YD Yuri Demchenko to update Internet2 related information at TERENA's PKI-COORD webpage.

0-3-2 TERENA TERENA Secretariat to invite GRID people working with Security issues to the next PKI-COORD meeting and investigate interest in holding special meeting to discuss possible GRID coordination activity/issues.

0-3-3 PKI-COORD to collect requirements from different communities and define common requirement for the European wide PKI.

0-3-4 TERENA,
CG, TV, DL TERENA Secretariat and volunteers (Diego, Christoph, Ton) to prepare Questionnaire to collect these requirements

Appendix A. List of Attendees

1
Christoph Graf SWITCH

2
Ton Verschuren SURFnet

3
Panagiotis Saragiotis GRNET

4
Konstantin Chuguev DANTE

5
Diego R. Lopez RedIRIS

6
Brian Gilmore Univ. of Edinburgh

7
David Chadwick Univ. of Salford

8
Corrado Derenale EuroPKI

9
Torbjorn Wiberg SUNET, Sweden

10
Amund Krane GNOMIS/Uninett

11
Henry O'Keeffe UCC/Heanet

12
Janne Kanner CSC, Finland

13
Alan Robiette JISC, UK

14
Giles Massen RESTENA, Luxembourg

15
Jimmy Tseng Erasmus University Rotterdam

16
Milan Sova CESNET

17
Andres Steijaert SURFnet

18
Francisco Monserrat RedIRIS

19
Valentino Cavalli TERENA

20
Licia Florio TERENA

21
Yuri Demchenko TERENA

TERENA Technical Contact: Yuri Demchenko <demchenko@terena.nl>.

ACTION			STATUS
0-1-1	all	TERENA to establish a small group of NRENs representatives to draft a Statement about EuroPKI.	On hold
0-2-1		Begin to aggregate PKI CP's and prepare a list of the differences between these documents. TERENA to form group of volunteers for this work.	Preparation work has been done, next step by NREN's experts
0-2-2		Ken Klingenstein agreed mail the new Internet2 CP to the pki-coord email distribution list.	Done
0-2-3		Yuri Demchenko agreed to send information on the IETF SACRED WG to the pki-coord email distribution list.	Initial information was sent to the list, provide detailed information and update webpage
0-2-4		Antonio Lioy & Diego Lopez will send information regarding the NASTEC project and software to the pki-coord email distribution list.	Open, partially covered in presentation by Corrado Derenale
0-2-5		Antonio Lioy & Diego Lopez also agreed to investigate the use of CA bridges and report back to the group on their findings	Open
0-2-6		The Americans agreed to report-back on the progress made with using the Federal bridge PKI model.	Done and covered in Agenda item 6
0-2-7		TERENA to organise another PKI-COORD meeting in October/ November time frame.	Done

ACTION			STATUS
0-1-1	all	TERENA to establish a small group of NRENs representatives to draft a Statement about EuroPKI.	On hold
0-2-1		Begin to aggregate PKI CP's and prepare a list of the differences between these documents. TERENA to form group of volunteers for this work.	Preparation work has been done, next step by NREN's experts
0-2-2		Ken Klingenstein agreed mail the new Internet2 CP to the pki-coord email distribution list.	Done
0-2-3	YD	Yuri Demchenko agreed to send information on the IETF SACRED WG to the pki-coord email distribution list.	Initial information was sent to the list, provide detailed information and update webpage
0-2-4	AL, DL	Antonio Lioy & Diego Lopez will send information regarding the NASTEC project and software to the pki-coord email distribution list.	Open, partially covered in presentation by Corrado Derenale
0-2-5	AL, DL	Antonio Lioy & Diego Lopez also agreed to investigate the use of CA bridges and report back to the group on their findings	Open
0-2-6		The Americans agreed to report-back on the progress made with using the Federal bridge PKI model.	Done and covered in Agenda item 6
0-2-7		TERENA to organise another PKI-COORD meeting in October/ November time frame.	Done
0-3-1	YD	Yuri Demchenko to update Internet2 related information at TERENA's PKI-COORD webpage.
0-3-2	TERENA	TERENA Secretariat to invite GRID people working with Security issues to the next PKI-COORD meeting and investigate interest in holding special meeting to discuss possible GRID coordination activity/issues.
0-3-3		PKI-COORD to collect requirements from different communities and define common requirement for the European wide PKI.
0-3-4	TERENA, CG, TV, DL	TERENA Secretariat and volunteers (Diego, Christoph, Ton) to prepare Questionnaire to collect these requirements

1	Christoph Graf	SWITCH
2	Ton Verschuren	SURFnet
3	Panagiotis Saragiotis	GRNET
4	Konstantin Chuguev	DANTE
5	Diego R. Lopez	RedIRIS
6	Brian Gilmore	Univ. of Edinburgh
7	David Chadwick	Univ. of Salford
8	Corrado Derenale	EuroPKI
9	Torbjorn Wiberg	SUNET, Sweden
10	Amund Krane	GNOMIS/Uninett
11	Henry O'Keeffe	UCC/Heanet
12	Janne Kanner	CSC, Finland
13	Alan Robiette	JISC, UK
14	Giles Massen	RESTENA, Luxembourg
15	Jimmy Tseng	Erasmus University Rotterdam
16	Milan Sova	CESNET
17	Andres Steijaert	SURFnet
18	Francisco Monserrat	RedIRIS
19	Valentino Cavalli	TERENA
20	Licia Florio	TERENA
21	Yuri Demchenko	TERENA