DRAFT Minutes of the 1st TF-AACE meeting

June 2, 2002 TNC2002, Limerick

Agenda

1. Opening and round table introduction
2. Agenda bashing
3. Actions from previous meetings
4. Discussion of TF-AACE activity, deliverable teams and leaders
4.1. Teams, leaders and timetables
4.2. Questionnaire discussion (work item A.1)
5. Cooperation issues
5.1. NMI/Internet2 update
6. NREN and European projects updates
7. New developments
7.1. WS-Security specification and its applicability for AA(A) - Yuri Demchenko
8. Next meeting
9. AOB
10. New and Open Actions
Appendix A. List of Attendees

1. Opening and round table introduction

21 delegates attended the meeting; many of those who had pre-registered could not successfully reschedule their flights because of the Aer Lingus strike. A list of those attending is appended to these minutes.

Apologies were received from:

David Chadwick
Gietz, Peter
Gilmore, Brian
Lopez, Diego
Masa, Javier
Wolniewicz, Maja
Wolniewicz, Tomasz

In the absence of TF-AACE Chair Diego Lopez, the meeting was chaired by Ton Verschuren.

2. Agenda bashing

Because TF-AACE chair Diego Lopez could not make it to the meeting, it was decided to call him by telephone to discuss the TF-AACE activities in general and the draft Questionnaire that Diego had distributed in advance of the meeting.

3. Actions from previous meetings

Status of open actions from previous meetings:
 

0-2-1 (TERENA): Begin to aggregate PKI CPs and prepare a list of the differences between these documents; TERENA to form a group of volunteers for this work. Status: superseded by TF-AACE Deliverable A.3.
0-2-3 (Yuri Demchenko): Send information on the IETF SACRED WG to the pki-coord mailing list. Status: done.
0-2-5 (Antonio Lioy, Diego Lopez): Investigate the use of CA bridges and report back to the group on their findings. Status: superseded by TF-AACE Deliverable C.
0-3-1 (Yuri Demchenko): Update Internet2-related information on TERENA's PKI-COORD web page. Status: progressing.
1-1 (Torbjörn Wiberg): Send information about the Swedish Government procurement of PKI/certificates for citizens to the list. Status: done.
1-2 (Milan Sova): Send the URL of the CP/CPS to the PKI-COORD mailing list. Status: ongoing.
1-3 (Ken Klingenstein): Send a pointer to the NMI Release 1.0 documents when available. Status: done.
1-4 (Ken Klingenstein): Send open information about the meeting with Microsoft on their Passport system. Status: superseded by events.

Two of the actions, 0-2-1 and 0-2-5, were considered superseded by TF-AACE deliverables A.3 and C respectively. Yuri informed the meeting that he keeps the TF-AACE (former PKI-COORD) information pages continuously updated and is going to add new information on the Internet2 NMI deliverables. Ken informed the meeting that he has received new information about Microsoft's intentions in deploying their Passport system for inter-campus/inter-university applications.
 

4. Discussion of TF-AACE activity, deliverable teams and leaders

4.1. Teams, leaders and timetables

Ton explained that the TTC, at its meeting of April 8, 2002, made some changes to the proposed documents discussed at the last PKI-COORD meeting on March 13, 2002, and recommended defining the list of teams that will take on particular deliverables and work items.

Ton went through all deliverables and the list of teams previously discussed on the tf-aace mailing list. Some specific changes were proposed:
 

Work item A.1. Prepare a questionnaire on PKI applications and requirements, to be distributed to NRENs and other communities relevant to the academic environment (essentially, Grids).
Corrado Derenale agreed to contribute to the preparation of the questionnaire together with Diego Lopez.

Deliverable B. Define common requirements for inter-institutional authentication and authorization, providing a framework for harmonizing NREN initiatives.
Alan Robiette was added to the team.

Work item B.4. Run two workshops on inter-institutional authentication and authorisation.
Ton proposed to define a framework for inter-institutional authentication and authorization and to discuss related issues at the first workshop, in October-November, attached to the next TF-AACE or GNOMIS meeting.

Deliverable C. Investigate/compare the use of hierarchical and bridge PKI/CA and make a recommendation for European NRENs.
Corrado informed the meeting that EuroPKI is interested in connecting to an (experimental) Bridge CA, if one is set up in Europe.

Ingrid Melve commented that GNOMIS is looking at different aspects of AA, including cookies, single sign-on and Kerberos.

The possible date of the first TF-AACE workshop was discussed in relation to other planned meetings: the Internet2 Fall 2002 Member Meeting, scheduled for 27-30 October in Los Angeles, CA, and GNOMIS. It was suggested that the most convenient arrangement would be to hold the workshop in November (after the Internet2 Fall 2002 Member Meeting), adjacent to GNOMIS, whose date is still to be set; September would be a possible alternative but less convenient for the Internet2 people.

Action 1-1. Ingrid Melve and Leif Johansson to come up with the GNOMIS meeting dates in November (or September) and together with the TF-AACE secretariat to investigate the possibility to hold adjacent TF-AACE workshop on inter-institutional authentication and authorization (IAA).
 

4.2. Questionnaire discussion (work item A.1)

This agenda item took the form of a telephone conference with Diego Lopez.

Diego informed the meeting that the Questionnaire and a request for comments had been posted to the tf-aace mailing list in advance of the meeting, and that some comments had been received. Diego explained that he intended to make the Questionnaire as comprehensive as possible, covering all PKI uses that are possible and important for NRENs. The Questionnaire has two parts, Applications and Requirements. He expects that the Questionnaire results will obviously be used by different parties/organizations and for different purposes.

When asked about the connection to old Action 0-2-1 (begin to aggregate PKI CPs and prepare a list of the differences between these documents), he commented that this action is actually superseded by TF-AACE work item A.3 (collect current practices and policies in active European academic PKIs and evaluate their interoperability). However, the task of comparing CP/CPS documents is complicated and needs some automation. He referred to the work at Rotterdam University and suggested contacting people there to find out whether it is possible to involve them or receive some help.

Action 1-2. Yuri Demchenko to contact people from the Fiducia Project at Rotterdam University and report to the TF-AACE.

5. Cooperation issues

5.1. NMI/Internet2 update

Ken Klingenstein, NMI principal investigator and director of the Internet2 Middleware Initiative, gave an update on NMI-R1 (NSF Middleware Initiative Release 1.0), released on May 7, 2002.

NMI-R1 integrates key software packages, standards and best practices towards the formation of a national middleware infrastructure for science, engineering and education. NMI-R1 is the first bundling of Grid software such as the Globus Toolkit, Condor-G and the Network Weather Service together with security tools and best practices for enterprise computing such as eduPerson and Shibboleth. Downloads are free to the public (http://www.nsf-middleware.org/NMIR1/download.htm). NMI-R1 consists of deliverables from the two NMI project teams: GRIDS (http://www.grids-center.org) and EDIT (http://www.nmi-edit.org).

NMI Release 1.0 components include:

  • Software to support a wider variety of desktop-security, video, and enterprise uses (KX.509 and KCA, Certificate Profile Maker (CPM) 1.0, WEBISO Pubcookie).

  • Directory Object Classes to facilitate the federated model of directory-enabled inter-realm authentication and authorization. NMI releases contain object classes, both newly defined ones and new releases of publicly available object classes already in use by organizations: eduOrg 1.0, commObject, eduPerson 1.5, eduPerson 1.0.

  • Papers that include Conventions and Practices that capture the lessons learned from campuses which have implemented middleware, and White Papers that summarize current thinking about middleware issues involved in collaborative applications:

    • Practices: Practices in Directory Groups 1.0; LDAP Recipe 2.0; Metadirectory Practices for the Enterprise Directory in Higher Education.

    • White Papers: Shibboleth Architecture v5, which presents an architecture for the secure exchange of authorization information that can be used to decide who can access a protected web resource.

    • Policies: Campus Certificate Policy for use at the Higher Education Bridge Certification Authority; Lightweight Campus Certificate Policy (PKI-campus) and PKI Practice Statement (PKI-Lite); Sample Campus Account Management Policy.

Complete information about the NMI-R1 is available at http://www.nmi-edit.org/development/index.html

Ken made some comments about future NMI development and its relation to Grid. There is a concern among NMI people about software persistence in relation to further Grid (middleware) development. The previously planned white paper "Plumbing campuses for Grid" did not happen because the Grid community is not much interested in cooperation and integration issues; this reflects a real difference in attitude towards integration between the scientific and research community (which mostly deals with single experiments, although often distributed and cross-domain) and the NMI/universities community (which has long experience in building persistent Internet infrastructure). However, the recently outlined move of the GGF (Global Grid Forum) to an Open Grid Services Architecture (OGSA) will increase the need for integration and (re-)use of common NMI middleware components in OGSA/Grids. Ken also expressed the opinion that it is not yet clear how GGF standardization activity will go: it is quite successful for the Grid Security Infrastructure (GSI) components and less successful in other areas of the current Grid architecture.

Regarding Shibboleth, Ken listed the stages of the Shibboleth software release: alpha 1 - April 24, alpha 2 - June 12, beta 1 (and CFP) - end of July, beta 2 - end of August, and release 1.0 - end of September 2002. The modules included in the current Shibboleth release are AA (Attribute Authority), HS (Handle Service), SHAR (Shibboleth Attribute Requester) and SHIRE (Shibboleth Indexical Reference Establisher). Shibboleth uses SAML version 1.0. More information about the Shibboleth architecture can be found at http://middleware.internet2.edu/shibboleth/.

Ken remarked that the logical development of eduPerson 1.5 is almost finished, and that there is now an issue for the TERENA community: if the European community does not intend to have its own European eduPerson, it needs to be more involved in current and future eduPerson development.

Ken also drew the meeting's attention to other NMI developments: the Federated Organisations Organisation (FOO) and the work on directory groups (http://middleware.internet2.edu/dir/groups/).
 

6. NREN and European projects updates

SWITCH (Christoph Graf)

Christoph Graf gave an update on the AAI (Authentication and Authorisation Infrastructure) project at SWITCH. He explained the AAI concept and the generic AAI design. The project targets problems wider than just access to web resources. The basic AAI concept: authentication is local to the user's home organisation, and authorisation is local to the resource owner. The project preparation stage resulted in an AAI architecture and a project plan for the "AAI Pilot Phase".

Note. At the time of writing these minutes, the report on the AAI preparation study has been published (http://www.switch.ch/aai/AAI_Study_v10.pdf). The report summarizes the findings and recommendations of four inter-university working groups established in late 2001 according to the AAI concept.
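The division of roles described above (authentication at the home organisation, authorisation at the resource owner) is the same one the Shibboleth modules listed in section 5.1 implement. The following is an added illustration written for these minutes; it is not SWITCH's or Internet2's code. It stands in an HMAC over a JSON assertion for the XML-signed SAML assertion a real deployment would use, the organisation names, users, passwords and attribute values are constructed, and the policy is an invented one for a licensed journal; only the eduPersonAffiliation attribute name comes from the page.

```python
"""Federated AAI in miniature: the home organisation authenticates its
own users and vouches for their attributes; the resource owner verifies
the assertion and applies its own policy. Added illustration with
constructed data; HMAC stands in for SAML XML signatures."""
import hashlib, hmac, json, os, time

PBKDF2_ROUNDS = 50_000


class HomeOrganisation:
    """Identity provider: holds the user store and the assertion signing key."""

    def __init__(self, name, signing_key):
        self.name = name
        self.key = signing_key
        self._users = {}  # username -> (salt, pbkdf2 digest, attributes)

    def add_user(self, username, password, attributes):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, attributes)

    def authenticate(self, username, password, ttl=300, now=None):
        """Local login. On success return a signed, short-lived attribute
        assertion; the password never leaves the home organisation."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest, attributes = rec
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(check, digest):
            return None
        now = int(time.time()) if now is None else now
        # Opaque handle instead of the username: the resource learns attributes, not identity.
        handle = hashlib.sha256(f"{self.name}/{username}".encode()).hexdigest()[:16]
        body = {"issuer": self.name, "subject": handle, "attributes": attributes,
                "issued": now, "expires": now + ttl}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + sig


class Resource:
    """Resource owner: trusts a fixed set of issuers, decides access itself."""

    def __init__(self, trusted_issuers, policy):
        self.trusted = trusted_issuers  # issuer name -> verification key
        self.policy = policy            # callable(issuer, attributes) -> bool

    def authorize(self, assertion, now=None):
        try:
            payload, sig = assertion.rsplit(b".", 1)
            body = json.loads(payload)
        except (ValueError, AttributeError):
            return False, "malformed assertion"
        key = self.trusted.get(body.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        now = int(time.time()) if now is None else now
        if not body["issued"] <= now < body["expires"]:
            return False, "assertion expired or not yet valid"
        if not self.policy(body["issuer"], body["attributes"]):
            return False, "policy denied"
        return True, "allowed"


def demo():
    """Constructed scenario: one trusted home organisation, one rogue one,
    a journal licensed to uni-a staff only."""
    key_a = b"uni-a signing key (constructed)"
    uni_a = HomeOrganisation("uni-a.example", key_a)
    uni_a.add_user("alice", "correct horse", {"eduPersonAffiliation": ["staff", "member"]})
    uni_a.add_user("bob", "battery staple", {"eduPersonAffiliation": ["student", "member"]})
    journal = Resource(
        trusted_issuers={"uni-a.example": key_a},
        policy=lambda issuer, attrs: issuer == "uni-a.example"
        and "staff" in attrs.get("eduPersonAffiliation", []),
    )
    alice = uni_a.authenticate("alice", "correct horse")
    bob = uni_a.authenticate("bob", "battery staple")
    rogue = HomeOrganisation("evil.example", b"some other key")
    rogue.add_user("mallory", "x", {"eduPersonAffiliation": ["staff"]})
    return {
        "wrong_password": uni_a.authenticate("alice", "nope") is None,
        "alice": journal.authorize(alice),
        "bob": journal.authorize(bob),
        # Bob upgrading himself to staff breaks the signature.
        "tampered": journal.authorize(bob.replace(b'"student"', b'"staff"')),
        "rogue": journal.authorize(rogue.authenticate("mallory", "x")),
        "expired": journal.authorize(alice, now=int(time.time()) + 3600),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

The point to take from the checks in Resource.authorize is their order: issuer trust and signature first, then validity window, then local policy. The resource never sees a password and never needs an account for the user; the home organisation never sees the policy.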

SURFnet (Ton Verschuren)

Ton informed the meeting that SURFnet has an operational root CA with 9 organisations in its PKI. The PKI is used for SSL server certificates, Java applet signing and end-user certificates. On levels of assurance, Ton explained that they initially intended to use the Qualified Certificates recommended by the European Union but found them very complicated. They now use a medium level of assurance and intend to use PKI-Lite in the future as well.

A trial with smartcards/tokens at four sites showed that this technology is very hard to use. In AA they focus on RADIUS for uses such as ADSL authentication, licensed software access and creating virtual organisations. Ton explained how their RADIUS infrastructure and overall AA architecture work. For cross-domain authorisation they use WebISO Pubcookie and PAPI, and are looking at Shibboleth.

Addressing the audience, Ton explained what SURFnet expects from TF-AACE: "rough consensus and running code", and the possibility to discuss (cross-European) interoperability issues at the (two) planned workshops.

NORWAY (Ingrid Melve)

Ingrid Melve gave an update on the FEIDE project, which focuses on authorisation and authentication for universities using a single student ID card. Implementation is going as planned; 8 universities take part in the first stage. Software under the GPL will be available soon. They implemented eduPerson 1.5 with some additions. The authentication server uses LDAP, with LIMS as the directory solution. The pilot stage will last until spring 2003 and will focus on trusted web servers, without using a ticket-based system. They are going to look at RADIUS.

SWEDEN (Torbjörn Wiberg, Umeå Universitet)

The PKI implementation process for universities and university colleges in Sweden, started in 2001, is going quite slowly (http://www.umu.se/it/projupp/swupki/). Since the last meeting only one new member has joined the PKI, with two more in the queue, giving fewer than 10 members in total. They see the next step as integration with directories for authentication. Torbjörn reminded the meeting that he had posted to the tf-aace list the pointer to the summary of the Government procurement of citizens' certificates, which finished in December 2001 (http://www.umu.se/it/personal/tvw/pub/elident_sweden_020531.html).

FEIDHE Project, Finland (Janne Kanner)

Janne Kanner informed the meeting that FEIDHE (HSTYA) has ended recently. The project looked at implementing smartcard-based PKI for Finnish universities. It showed that the user management systems in universities are not ready for deploying this kind of solution, and that students are not ready to pay much for smartcards: given the choice between a "soft" password and a smartcard, they use password-based authentication/logon. The meeting generally agreed with this conclusion and remarked that even where PKI can provide a solution, the administrative (user management) structure appears not to be ready.

DFN-PCA (Reimer Karlsen)

DFN-PCA has 35 subordinate SSL CAs; normally DFN-PCA does not control their policies. With respect to the current digital signature roll-out in Europe, Reimer said that DFN-PCA might be certified to issue Qualified Certificates.

University of Washington/Internet2 (Bob "RL" Morgan)

Bob "RL" Morgan gave brief information about PKI implementation and development at the University of Washington. They try to distinguish between the different technologies for authorisation and authentication and devote some effort to getting people to understand how the architecture works. He offered to send pointers to the various Internet2/NMI documents on PKI and AA to the tf-aace list.

Action 1-3. Bob "RL" Morgan to send to the tf-aace list pointers to different Internet2/NMI documents on PKI and AA related information.
 

7. New developments

7.1. WS-Security specification and its applicability for AA(A) - Yuri Demchenko

Due to lack of time, Yuri Demchenko limited his report to one statement about the WS-Security specification and proposed to send his presentation to the tf-aace list. WS-Security is based on exchanging security tokens inside SOAP messages, using proposed extensions to the SOAP message format (security header blocks). Because the protection travels with the message rather than with the connection, this allows end-to-end (message-level) security, including across SOAP intermediaries, as an alternative to the point-to-point SSL/TLS transport security in use today. Yuri also remarked that WS-Security currently has no means for inter-domain applications (establishing trust between domains); however, both WS-Security initiators, Microsoft and IBM, have committed themselves to solving this problem.

The presentation is available at http://www.terena.nl/task-forces/tf-aace/docs/tf-aace-ws-security.ppt.
 

8. Next meeting

It was agreed that the next meeting will be held in October-November 2002. Exact date will be discussed on the list.

9. AOB

No AOB was discussed.
 

10. New and Open Actions

0-3-1 (Yuri Demchenko): Update Internet2-related information on TERENA's PKI-COORD web page. Status: progressing.
0-1-2 (Milan Sova): Send the URL of the CP/CPS to the PKI-COORD mailing list. Status: ongoing.
1-1 (Ingrid Melve, Leif Johansson): Come up with the GNOMIS meeting dates in November (or September) and, together with the TF-AACE secretariat, investigate the possibility of holding an adjacent TF-AACE workshop on inter-institutional authentication and authorization (IAA). Status: new (this meeting).
1-2 (Yuri Demchenko): Contact people from the Fiducia Project at Rotterdam University and report to TF-AACE. Status: new (this meeting).
1-3 (Bob "RL" Morgan): Send pointers to the various Internet2/NMI documents on PKI and AA to the tf-aace list. Status: new (this meeting).


 

Appendix A. List of Attendees
 

1 Axelsson, Pål Uppsala universitet
2 Demchenko, Yuri TERENA
3 Derenale, Corrado Politecnico di Torino
4 Dilek, Mustafa Hadi ULAKBIM
5 Gettes, Michael Georgetown University
6 Graf, Christoph SWITCH
7 Hedberg, Roland Catalogix
8 Jakobsen, Bård H.M. University of Oslo
9 Jauk, August ARNES
10 Kanner, Janne CSC
11 Karlsen, Reimer DFN-PCA
12 Klingenstein, Ken Internet2
13 Melve, Ingrid Uninett
14 Morgan, RL "Bob" University of Washington/Internet2
15 Oinonen, Juha CSC/Funet
16 Penezic, Dubravko SRCE/CARNET
17 Saragiotis, Panagiotis GRNet
18 Sova, Milan CESNET
19 Verschuren, Ton SURFnet
20 Vietsch, Karel TERENA
21 Wiberg, Torbjörn Umeå Universitet