Minutes of 3rd TF-LSD Meeting
11.30 - 17.15, Sunday 13 May 2001, Antalya

Agenda

1. Opening, introduction and agenda bashing
2. Minutes of Last Meeting (Amsterdam, February 2, 2001)
3. Status report on actions from last meeting
4. Nordunet2 Directory Project NEEDS
5. DANTE NameFlow Update
6. Round of NREN news update
7. TF-LSD deliverables:
   7.1. Resume on the interoperability testing
   7.2. The first Draft of the Privacy document
8. Directory related issues in PKI development
9. Directory related work in the Global Grid Forum - (PG)
10. Pilot Project proposals discussion
   10.1. CIP-based Referral Server - Catalogix and REDIRIS
   10.2. Definition of a European Education Person (DEEP) - DAASI International Ltd
   10.3. Adding Certificate Retrieval to OpenLDAP - University of Salford
11. Other work items
12. Date of next meetings, AOB and Close
13. Summary of actions
Appendix. List of the 3rd TF-LSD attendees on 13 May 2001

1. Opening, introduction and agenda bashing

The meeting was attended by 24 people representing 17 organisations/networks from 12 countries. A list of the attendees can be found in the appendix to these minutes.

2. Minutes of Last Meeting (Amsterdam, February 2, 2001)

The minutes of the previous meeting held on 2 February 2001 were approved, with one change proposed by Ton Verschuren. He pointed out that an action on SURFnet to translate into English the SURFnet document on privacy aspects in Directory Services was missing.

3. Status report on actions from last meeting

Action 2-1. Teams to take up work on the deliverables. Status: On-going.
Action 2-2. Henny to contact Ericsson to find out about a possible time for testing the Ericsson Directory server. Status: Done.
Action 2-3. Peter to present the current status of the deliverables at TNC 2001. Status: Done. Presentation included in the TNC 2001 programme.
Action 2-4. Peter to present results of Deliverable I, "Investigating the usability of services based on the new evolving directory related standards", at TNC 2002. Status: Ongoing.
Action 2-5. Diego to publish the definition of the iris-x skeleton in English. Status: Ongoing.
Action 2-6. Diego to discuss with Roland a possible extension of LIMS functionality. Status: Done. Pilot project proposal submitted to TERENA.
Action 2-7. Leif and others to inform TF-LSD members about available LDAP/Directory promotional documents and presentations. Status: On-going.
Action 2-8. Peter to send comments on the Internet2 EduPerson definition to the I2 EduPerson mailing list. Status: David sent comments.
Action 2-9. TF-LSD to consider further possible activities related to development/harmonization of the Internet2 EduPerson. Status: Done. DEEP pilot project proposal submitted to TERENA. Main issues discussed with Internet2 people.
Action 2-10. Luuk/SURFnet to inform TF-LSD about DC/X.521 Gateway development and experience. Status: Ongoing.
Action 2-11. Discuss in the TF-LSD mailing list a possible contribution to OpenLDAP development for the benefit of European NRENs. Status: Done. Discussed in the mailing list. Pilot project proposal on a PKI extension to OpenLDAP submitted to TERENA.

4. Nordunet2 Directory Project NEEDS

Stig Venaas made a short presentation about the NEEDS project (Nordic Enhanced Educational Directory Service), recently approved for funding by NORDUNET. Project home page: http://www.katalog.uninett.no/needs/.

The project's main objectives:

* Develop and deploy a common Nordic index-based directory infrastructure to facilitate searching for persons in the Nordic academic community
* Provide information and documentation (guidelines) to interested persons in the Nordic academic communities

The project will provide searching for persons and finding data associated with the persons, including cryptographic certificates. It is limited to white pages type information on people in the Nordic academic communities. Participants are UNINETT, FUNET, SUNET and Catalogix.

Main tasks include:

* Testing indexing software (GIDS, LIMS, etc.)
* TIO production, collection, distribution
* Web interface to allow for searching with web browsers
* Dissemination, including producing guidelines on an extended list of technical issues

The project also presupposes coordination with national projects in the Nordic countries and with other projects and activities like TF-LSD and Internet2. Most project activities are going on in parallel; there is a special group working on TIO generation and distribution.

People pointed out the importance of paying attention to internationalization issues. This is especially important when different operating systems are used; in this respect Windows 2000 and Windows XP have benefits compared to Linux. It was advised that an implementation should have an internal mapping to Unicode, otherwise users may have problems. Another recommendation was to look at the NEEDS deliverables and timetable, align them with the TF-LSD deliverables and establish coordination with the DAASI project.

Action 3-1. Stig to publish Deliverables and dates to the tf-lsd mailing list.

5. DANTE NameFlow Update

Konstantin Chuguev informed the meeting about recent developments in the DANTE NameFlow service. The NameFlow web page http://www.dante.net/nameflow/ has been updated and now includes links to Directory Servers and Gateways (X.500 Server, LDAP Server, WWW to X.500 Gateway, WWW to LDAP Gateway, LDIF Gateway), information and documentation, and National Directory Services registration.

Since November, NameFlow has run a standalone LDAPv3 server based on OpenLDAP-2.0 at ldap://ldap.nameflow.net:389. The server contains mostly referrals to national LDAP services and is intended to be one of the main NameFLOW services for the future (although they are going to keep the X.500 server for another year or more). The new server uses newly developed patches for OpenLDAP allowing one-level and subtree search with base="".
This means that anyone can get information about national LDAP servers via LDAPv3, rather than by reading the LDIF file http://www.gateway.nameflow.net/ldif/root.ldif (introduced by the DIRECT project). The libNameFLOW library is described at http://www.dante.net/nameflow/software/libnameflow.html.

The next development will include TIO interchange. The decision to be made is how to distribute TIOs. GIDS is seen as a considerable option, and the remaining problem is to decide which protocol should be used to communicate with GIDS: http, ftp or e-mail. There was a short discussion about the benefits of using php or python for building a web interface for LDAP.

Henny Bekker reminded the meeting that DANTE promised to distribute LDIF. Although a special page is available on the NameFlow server at http://www.dante.net/nameflow/ldif.html (which produces a DIRECT-compatible LDIF file from the new LDAPv3 standalone NameFLOW server), it was suggested that a link to it should be provided from the NameFlow front page. Ton also informed the meeting that Michael Stroeder and Janus Liebregts are going to use one of the SURFnet servers to distribute pointers to LDIF.

Action 3-2. Konstantin to place a link to the LDIF distribution page on the NameFlow front page.

6. Round of NREN news update

The round of news updates gave all present the possibility to inform about recent developments at their networks. Some NRENs and universities reported that they are at the beginning of LDAP and related PKI implementations. CEZNet, CARNet, PON (Polish Optical Network) and the University of Geneva are considering moving from their current Directory services, mostly based on X.500 or whois, to an LDAP base. There is no significant activity at NREN level in the UK; it is expected that PKI deployment will push National Directory services. SURFnet is using LDAP both for accessing personal information about people and for building directory-based applications like PKI and AAA. They are now experimenting with all kinds of authentication devices, including SIM-cards, mobile telephones, etc.
To assist LDAP implementation by universities, SURFnet prepared a PKI/LDAP integration Cookbook.

Roland Hedberg from Catalogix informed the meeting about current LDAP-related activities at the IETF. He mentioned that the long-existing LDAPEXT WG on LDAP extensions will be closed soon to free space for another WG focused on more up-to-date problems like LDAP Schema. He also mentioned that a former project at SWITCH (run by Thomas Lenggenhager) on providing all students with an electronic ID, which used LDAP for storing certificates with all necessary information, can be treated as a proof of concept for building such applications on LDAP.

Michael Gettes from Georgetown University informed the meeting about Directory-related activities in the Internet2 programme, all of which run under the supervision and umbrella of MACE (Middleware Architecture Committee for Education). MACE-Dir includes the projects: eduPerson directory schema (Keith Hazelton), the Directory of Directories for Higher Education (DoDHE), LDAP Recipe (Michael Gettes), VidMid (Ken Klingenstein) and MACE-Shibboleth (Steven Carmody). MACE-Dir is chaired by Keith Hazelton. More information can be found at http://middleware.internet2.edu/MACE/.

DoDHE is investigating technology to support inter-institutional directory searching. This project is an application of the LDAP-Recipe and eduPerson object classes. Its pilot implementation should serve around 6 million entries out of a total US student population of 22 million. The key technical task is to allow unified search in university directories and others connected to them. It should also allow searching for communities of interest to find concrete people if they are present in DoD.

David Chadwick informed the meeting about a project going on in his university on storing certificates in LDAP. The project includes creating an operational model for running an LDAP-based service for a big population. The current problems are seen in scalability and performance when millions of entries are stored.
Peter Gietz gave information about Directory-related work at DFN. The newly founded company DAASI took over all Directory-related activities of DFN, including the directory competence centre DDS and a research project on authentication and PKI. In a diploma thesis coached by DAASI, different directory software was tested. Performance-wise, Active Directory, Netscape Directory and OpenLDAP rated best. Tests included messaging, address lookup and authentication with a population of 20 thousand entries. Michael remarked that he knows about another test and would be interested to know more about this test. It was suggested that Peter will publish the results in the TF-LSD list after the completion of the thesis.

Action 3-3. Peter to publish results of the test of different LDAP server software.

7. TF-LSD deliverables

7.1. Resume on the interoperability testing

Roland informed the meeting about the results of the Index server testing. Two TIOs were used in the tests: one produced by GIDS and another one from DAASI. Problems discovered:

1) What kind of tokenization should be used? The initial suggestion was to use DNS-type tokenization; however, it was later decided to use the semicolon ";", which caused interoperability problems. When the problem was discovered during the test, it was agreed to stay with DNS-type tokenization.
2) Another issue came up about which attributes should be included in the TIO and in requests. It was discovered that filters may lose a context attribute like "country" when looking for/requesting subordinate servers.

It was decided to send a last call to the list about tokenization and TIO attributes. Some additional information about the TIO will also be beneficial, like the Schema used. After resolving all problems Peter and Roland will write a report and publish it via the TF-LSD list and web site.

Action 3-4. Send last call to TF-LSD mailing list about tokenization and TIO attributes.
Action 3-5. Peter and Roland to prepare a report on testing LDAP Index Servers and publish it via the TF-LSD mailing list.

7.2. The first Draft of the Privacy document

Peter Gietz reported on the first results of the study about privacy issues of a public pan-European White Pages service (Deliverable C). The full presentation is available at http://www.terena.nl/task-forces/tf-lsd/docs/pg.tf-lsd-3-privacy.ppt

He said that the problem appeared to be more complicated than it seemed at the beginning. Privacy issues on the Internet include both legal issues and international issues. Available information includes:

* European legislation:
  o EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data - http://www.privacy.org/pi/intl_orgs/ec/eudp.html
  o EU Directive 97/66/EC of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector - http://europa.eu.int/ISPO/infosoc/telecompolicy/en/9766en.pdf
* OECD recommendations concerning and Guidelines governing the protection of privacy and transborder flows of personal data (O.E.C.D. Document C(80)58(Final), October 1, 1980 - http://www.rewi.hu-berlin.de/Datenschutz/International/1980_oecd_privacy_guidelines.txt)
* UN Guidelines concerning computerized personal data files, adopted by the General Assembly on 14 December 1990 (http://www.datenschutz-berlin.de/recht/int/uno/gl_pbden.htm)

Their specific focus is on e-commerce and data servers rather than index servers. Many countries are preparing to enact privacy legislation; however, there is no specific legislation for US companies. The only solution provided/recommended is a "safe harbor" (http://www.export.gov/safeharbor/).

Peter made a detailed overview of the above-mentioned documents, particularly the EU documents, giving people the possibility to comment. Most of the existing documents are quite old (the last published document is the EU Directive dated 1997) and don't reflect the technical issues and practice of Internet commerce based on web interface/access.
In practice companies define their codes of conduct (via a privacy statement) to comply with the stricter local and European rules. It was also mentioned that in the US, if a customer/visitor types his/her name into a web form, it may be treated as an I-signature (but not a digital signature).

Peter mentioned other valuable documents:

* SURFnet: Privacy aspects of Directory Services - Directory Services and the changes in privacy legislation - new boundaries for a new paradise
* Arbeitskreis "Technische und organisatorische Datenschutzfragen": Datenschutzrechtliche Aspekte beim Einsatz von Verzeichnisdiensten [Privacy legislation aspects of using directory services], 26.10.2000

Summarising his first results, Peter proposed a list of organisational and technical issues to be discussed in the context of privacy of White Pages. Proposed structure of the Deliverable:

1. Discussion of EU regulation
2. Generic description of the CIP index system
3. Privacy issues of the system
4. Organizational and technical solutions

Peter listed a number of questions to answer before proceeding further with this research/deliverable [text in brackets summarizes the discussion]:

* Should we restrict ourselves to the EC Directive or interpret the other mentioned regulatory texts? [only the EC Directive]
* How detailed should the study be? [Not too detailed]
* How much should we link to (quote) the current directives' texts? [no long quotes]
* Should a template privacy policy text be included? [yes]
* Does it make sense to contact the Working Party? [no conclusion]

Peter confirmed his intention to get the first draft version out soon, but the matter is very difficult and more contributors are needed. The SURFnet privacy document seems to be the most appropriate for the purpose of a pan-European White Pages service and will be exploited. It was agreed that the study of privacy issues must be made before starting pan-European deployment of a White Pages service.

Action 3-6. Brian, Ton and others to look at Peter's Draft document when available.

8. Directory related issues in PKI development

David Chadwick provided an update on recent developments in using LDAP for storing and retrieving certificates. The full presentation is available at http://www.terena.nl/task-forces/tf-lsd/docs/david.chadwick.PKILDAP.ppt

Use of LDAP for storing PKI information is limited by some deficiencies in LDAP:

* Can't transfer certificates using LDAPv2, as they are converted into ASCII strings and back again, which wrecks the signature unless a fix is applied to send the certificate in binary. Unfortunately not all v2 clients and servers seem to understand whether the fix is applied or not.
* Can't search for particular certificates, as no matching rules are defined.
* Can't select individual certificates if a user has several in their entry.
* Little support for distributed directories, as LDAP was originally conceived as an access protocol only.

A few currently pending Internet-Drafts intend to solve the problems with searching for certificates and selecting individual certificates, as well as the problems related to working in a distributed Directory environment (finding directory servers and chaining requests).

9. Directory related work in the Global Grid Forum

Peter Gietz presented his analysis of common interests and the possibility of cooperation between Directory-related activities in the Global Grid Forum (GGF) and TF-LSD, thanks to his involvement in both activities. Most WGs in GGF use directories as the base technology for distributed information.
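The referral-based root server described under item 5 and the LDAPv2 certificate-transfer problem listed under item 8 can both be made concrete in a few lines of code. The following Python script is an added example written for these minutes; it is not code from NameFlow, OpenLDAP or any of the projects discussed. It parses a small LDIF fragment of the kind a root LDIF file contains, collects the referral targets (entries of objectClass referral carrying a ref attribute), decodes base64-encoded userCertificate;binary values byte for byte, shows with a deliberately simplified model how forcing DER through an ASCII string corrupts it, and picks one certificate out of several by fingerprint, which is the selection that the matched values control discussed under item 10.3 would perform on the server side. The hostnames, DNs and certificate bytes are constructed placeholders, and lossy_v2_roundtrip models the failure rather than reproducing the LDAPv2 wire encoding.

```python
import base64
import hashlib

# Constructed stand-ins for DER certificates (placeholders, not real certificates).
# Real DER begins with the SEQUENCE tag 0x30 and routinely contains bytes above
# 0x7f, which is exactly what an "ASCII string" conversion cannot carry.
FAKE_CERTS = [
    bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256)),
    bytes([0x30, 0x0A, 0x02, 0x01, 0x01, 0xFF, 0xFE, 0x80, 0x00, 0x7F, 0x0D, 0x0A]),
]


def fold(line, width=76):
    """Fold a long LDIF line; continuation lines start with a single space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def build_sample_ldif():
    """Constructed LDIF: one referral entry (as a root server holds for a national service) and one person entry with two certificates."""
    lines = [
        "dn: c=XX,o=NameFlow-root",
        "objectClass: referral",
        "c: XX",
        "ref: ldap://ldap.nren.example/c=XX",    # placeholder hostname
        "",
        "dn: cn=Example User,o=Example University,c=XX",
        "objectClass: inetOrgPerson",
        "cn: Example User",
        "sn: User",
    ]
    for der in FAKE_CERTS:                       # "::" marks a base64 value in LDIF
        lines.append(fold("userCertificate;binary:: " + base64.b64encode(der).decode("ascii")))
    return "\n".join(lines) + "\n"


def _split_line(line):
    """Return (attribute name, value, was_base64) for one unfolded LDIF line."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()), True
    return name, rest.strip(), False


def parse_ldif(text):
    """Parse LDIF into [{'dn': str, 'attrs': {name: [values]}}].
    Base64 values come back as bytes (unchanged DER), plain values as str."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:     # continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:                 # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, value, was_b64 = _split_line(line)
        if name == "dn":
            current = {"dn": value.decode("utf-8") if was_b64 else value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute line before any dn")
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def referral_targets(entries):
    """Map each referral entry's DN to the LDAP URLs in its 'ref' attribute."""
    return {e["dn"]: list(e["attrs"].get("ref", []))
            for e in entries if "referral" in e["attrs"].get("objectClass", [])}


def lossy_v2_roundtrip(der):
    """Simplified model of the LDAPv2 problem: forcing DER through an ASCII string
    and back replaces every non-ASCII byte, so the signature no longer verifies."""
    return der.decode("ascii", errors="replace").encode("ascii", errors="replace")


def fingerprint(der):
    """SHA-256 fingerprint of the raw certificate bytes, as hex."""
    return hashlib.sha256(der).hexdigest()


def select_certificate(entry, wanted_fingerprint):
    """Client-side choice of one value from a multi-valued userCertificate;binary
    attribute; the matched values control would do this on the server instead."""
    for der in entry["attrs"].get("userCertificate;binary", []):
        if fingerprint(der) == wanted_fingerprint:
            return der
    return None


if __name__ == "__main__":
    entries = parse_ldif(build_sample_ldif())
    print("referrals:", referral_targets(entries))
    print("DER intact via LDIF base64:", entries[1]["attrs"]["userCertificate;binary"] == FAKE_CERTS)
    print("DER intact via ASCII string:", [lossy_v2_roundtrip(c) == c for c in FAKE_CERTS])
```

Run as a script it prints the referral map, confirms that the base64 path returns the certificate bytes unchanged, and shows that the simulated string path does not. The fingerprint comparison in select_certificate is also the check a client should keep after retrieving a certificate from a directory it does not operate: a corrupted or substituted value will fail signature verification anyway, but a fingerprint mismatch against an expected value tells you earlier and more cheaply which entry or server handed you bad data.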
The two GGF WGs most related to TF-LSD work are:

* Grid Information Service WG (GIS, http://www.unix.mcs.anl.gov/gridforum/gis/), focused on identifying requirements for interoperable models and mechanisms for building distributed grid-based computing applications;
* Security WG (http://www.gridforum.org/security/), which is focused on two activities: Grid Security Infrastructure (GSI) at http://www.gridforum.org/security/gsi/ and Grid Certificate Policy Design at http://www.gridcp.es.net/

The GIS WG defines a common framework and standard for representing people in a distributed environment; their definition of GridPerson is based on InetOrgPerson. More information at http://www-unix.mcs.anl.gov/gridforum/gis/reports/people/people.pdf

Summarising his insight into GGF activity, Peter suggested that although GGF has a different background and different target communities, there are many areas of possible common activity, e.g. defining LDAP Schema for different profiles of personal information, user-based trust relationships and problems of trust delegation in a distributed environment, etc. It was proposed that Peter makes regular updates on related GGF activity to TF-LSD. The full presentation is available at http://www.terena.nl/task-forces/tf-lsd/docs/pg.tf-lsd-3-grid.ppt

Action 3-7. Peter to provide regular updates on related GGF activity.

10. Pilot Project proposals discussion

The goal of this agenda item was to discuss the project proposals related to TF-LSD that had been submitted to the TTC and to receive an initial evaluation by the TF-LSD meeting. The authors made short presentations about their projects.

10.1. CIP-based Referral Server - Catalogix and REDIRIS

Roland Hedberg presented this project proposal. It is available at http://www.terena.nl/task-forces/tf-lsd/projects/CIPreferralproposal.txt

The objective of the project is to develop an extension to LIMS that provides a facility to build distributed index services around non-LDAP-based directory servers and/or databases.
This will allow the integration of different locally maintained resources. The project came out of attempts at RedIRIS to use LIMS for building their distributed Directory service, which needs to be integrated into related pan-European services. LIMS has been evaluated as the basis for the search facilities in a European-wide White Pages service based on LDAP. In fact, some national networks (like RedIRIS) are already using it, while some others (UNINETT, SUNET, FUNET and SWITCH) are planning to implement nation-wide search services based on it. The results of the project may be useful outside the LDAP community to access/provide information without using LDAP as the access protocol.

The majority of people agreed that the project would bring benefits to the TERENA community. Some representatives (e.g. CARNet, FUNET, UNINETT, SURFnet) said that they are going to use the project's results.

10.2. Definition of a European Education Person (DEEP) - DAASI International Ltd

This project proposal was submitted by DAASI and presented by Peter Gietz. It is available at http://www.terena.nl/task-forces/tf-lsd/projects/DEEP-Projekt-proposal.rtf

Project objective: based on an evaluation of existing object classes for personal information, promote one or more of the existing object classes or, if necessary, define the new object class EducationalPerson, targeted at the European research community. An essential part of the project activity is active cooperation with the Internet2 EduPerson and GGF GridPerson WGs, to represent the European perspective as well as to harmonize the different approaches. Another deliverable includes the development of exemplary prototype applications to provide a proof of concept.

Discussion on the proposal covered the relation of this proposal to the Internet2 EduPerson and the current differences between the current version of the Internet2/US EduPerson and the prospective European EducationalPerson.
David Chadwick expressed his concern that the definition of a European EducationalPerson may be premature when looking from the InetOrgPerson perspective; however, it was objected that the proposed work will stimulate/simplify wide deployment of Directory-based services among the academic and research community in Europe. Many representatives expressed their support for this proposal and some declared their intention to use it (UK, CEZnet, UNINETT, FUNET). Michael Gettes from Internet2 expressed his interest in this project and his intention to cooperate.

10.3. Adding Certificate Retrieval to OpenLDAP - University of Salford

This project proposal was presented by David Chadwick; the full text is available at http://www.terena.nl/task-forces/tf-lsd/projects/OpenLDAP4PKIproposal.rtf

The project's objectives include the development of software modules: to implement the matched values LDAPv3 control in the OpenLDAP source code and in an LDAP client, and to implement (a subset of) the certificate matching rules in the OpenLDAP source code and in an LDAP client. Project activity also includes proceeding with the related Internet-Drafts. The project timetable and tasks were tuned with Kurt Zeilenga, the Chief Architect of OpenLDAP.

Karel Vietsch explained that because of the large requested budget TERENA can fund only part of the project, and interested NRENs should put their own money into this project. NREN representatives present at the meeting demonstrated strong support for the project and interest in the implementation of its results. When polled, a few representatives (UNINETT/NEEDS, FUNET, POLnet and Internet2) said that they will be ready to make a contribution to project funding.

11. Other work items

No other work items were discussed.

12. Date of next meetings, AOB and Close

The next meeting should take place in the week after the Autumn Internet2 meeting, which will take place in early October 2001.

13. Summary of actions

Outstanding actions

Action 2-5. Diego to publish definition of iris-x skeleton in English.
Action 2-7. Leif and others to inform TF-LSD members about available LDAP/Directory promotional documents and presentations.
Action 2-10. Luuk/SURFnet to inform TF-LSD about DC/X.521 Gateway development and experience.

New actions

Action 3-1. Stig to publish Deliverables and dates to the tf-lsd mailing list.
Action 3-2. Konstantin to place a link to the LDIF distribution page on the NameFlow front page.
Action 3-3. Peter to publish results of the test of different LDAP server software.
Action 3-4. Send last call to TF-LSD mailing list about tokenization and TIO attributes.
Action 3-5. Peter and Roland to prepare a report on testing LDAP Index Servers and publish it via the TF-LSD mailing list.
Action 3-6. Brian, Ton and others to look at Peter's Draft document when available.
Action 3-7. Peter to provide regular updates on related GGF activity.

Appendix. List of the 3rd TF-LSD attendees on 13 May 2001

 No.  Name                      Organization
  1   Peter Gietz               DAASI International
  2   Egon Verharen             SURFnet (& TF-STREAM chair)
  3   Sebastian Szuber          PSNC, Poland
  4   David Chadwick            University of Salford
  5   Andrei Sukov              SSAU, Russia
  6   Konstantin Chuguev        DANTE
  7   Stig Venaas               UNINETT
  8   Stanislaw Starzak         Pol-34
  9   Maja Gorecke-Wolniewicz   NCU Poland
 10   Roland Hedberg            CATALOGIX
 11   Ton Verschuren            SURFnet
 12   Henny Bekker              SURFnet
 13   Miroslav Milinovic        CARNET/SRCE
 14   Brian Gilmore             TERENA
 15   Milan Sova                CESNET, Czech Rep.
 16   Albert E. Schindler       University of Geneva
 17   Heikki Vatiainen          Tampere University of Tech.
 18   Sami Keski-Kasari         Tampere University of Tech.
 19   Janne Kanner              CSC/FUNET
 20   Yuri Demchenko            TERENA
 21   Valentino Cavalli         TERENA
 22   Karel Vietsch             TERENA
 23   John Dyer                 TERENA
 24   Michael Gettes            Georgetown University/Internet 2