DRAFT Minutes of the 4th TF-LSD Meeting

TF-LSD

LDAP Services Deployment

DRAFT Minutes of the 4^th TF-LSD Meeting

29 October 2001, Amsterdam

Agenda
1. Opening, introduction and agenda bashing
2. Minutes of Last Meeting (Antalya, May 13, 2001)
3. Status report on actions from last meeting
4. Report on Nordunet2 Directory and PKI related projects - GNOMIS
5. TF-LSD deliverables:
5.1. Draft of the Privacy document
5.2. Pilot CIP based European wide White Pages index service
5.3. TF-LSD ToR revision and respectively update of Work items, deliverables and teams
6. DANTE NameFlow Update
7. Round of NREN news update
8. Directory related issues in PKI development (including Update on pilot project "Adding Certificate Retrieval to OpenLDAP" and discussion what fields of a certificate to include in the matching rules)
9. Pilot Project proposals discussion
9.1. Project proposals: Definition of a European Education Person (DEEP) and LDAP Schema Registry - DAASI International Ltd
9.2. Pilot Project proposals discussion 1: S/MIME Certificate Collector (MS)
10. Other work items
11. Date of next meetings, AOB and Close
12. Summary of actions
Appendix. List of 4^th TF-LSD participants

1. Opening, introduction and agenda bashing

Meeting was attended by 23 people representing 16 organisations/networks from 11 countries. A list of the attendees can be found in the appendix to these minutes.

2. Minutes of Last Meeting (Antalya, May 13, 2001)

The minutes of the previous meeting held on 13th May 2001 were approved without changes.

3. Status report on actions from last meeting

Action No	Action content	Status
Action 2-1	Teams to take up work on the deliverables	Ongoing
Action 2-5	Diego to publish definition of iris-x skeleton in English.	Ongoing
Action 2-7	Leif and others to inform TF-LSD members about available LDAP/Directory promotional documents and presentations.	Ongoing
Action 2-10	Luuk/SURFnet to inform TF-LSD about DC/X.521 Gateway development and experience.	Ongoing. To be delivered December 2001
Action 3-1	Stig to publish Deliverables and dates to the tf-lsd mailing list.	Done
Action 3-2	Konstantin to place link to LDIF distribution page from NameFlow frontpage.	Done
Action 3-3	Peter to publish results of DAASI's test of different LDAP server software.	Done
Action 3-4	Send last call to TF-LSD mailing list about tokenization and TIO attributes.	Open
Action 3-5	Peter and Roland prepare report on testing LDAP Index Servers and publish via TF-LSD mailing list.	Open
Action 3-6	Brian, Ton and others to look at Peter's Draft Privacy document when available.	Open. Ton contributed to Peter's overview
Action 3-7	Peter to provide regular update on related GGF activity.	Ongoing

There was a specific discussion on Action 2-7. People agreed to the importance of the promotion of directories among NRENs. Leif told that in his opinion the best material to promote the use of Directories at different levels of decision making (e.g., from the faculty level to the level of top administrators) can be found in Peter Valkenburg's presentation on Metadirectories made at the 2^nd TF-LSD meeting. However, there may exist a problem with the Copyright issues. It was decided to contact Peter Valkenburg regarding the possibility to use his materials.

Yuri reminded the meeting that he occasionally posted pointers to public information on Directories and PKI from The Burton Group consulting company that may be useful for NRENs purposes. Peter mentioned that some good information is available in the German language.

Action 4-1. Yuri to collect available information devoted to promotion of LDAP/Directories. All to check afterward the collected information and write their own if necessary.

4. Report on Nordunet2 Directory and PKI related projects - GNOMIS

Anders Lund gave a briefing on GNOMIS Symposium that is to take place in Hurdal near Oslo on November 1-2, 2001. It's expected to gather 40-50 people from the Nordic countries, working language to be English.

The main goal of the Symposium is to identify common problems for Nordic NRENs and particularly Universities, one of which is seen in supporting standard travel of researchers and students between countries, Universities and research sites. One of the solutions for this problem is seen in common IDs. The infrastructure solution is being built using LDAP for all components of a common architecture for Authentications and Authorisation. UNINETT is looking closely at PAPI.

The Symposium plans to target both Universities and Ministries in their activity to promote LDAP/Directories. A follow-on activity is expected.

5. TF-LSD deliverables

5.1. Draft of the Privacy document

Peter Gietz presented his recent results on Privacy issues in Directory Services. After his first presentation at the last TF-LSD meeting in Antalya he has received valuable contribution from the list; the scope of the overview has been extended to general Directory issues and some other new information has been added. Complete presentation is available at http://www.terena.nl/task-forces/tf-lsd/docs/tf-lsd-4-privacy.ppt.

In particular, an important new development identified is the publication of The Platform for Privacy Preferences 1.0 (P3P1.0) Specification by W3C. P3P concerns the privacy of information supplied to websites and defines an RDF/XML Schema to describe privacy policies that can be automatically processed in HTTP client server communication.

Peter informed the meeting that he is aware of work on Privacy aspects of the NEEDS project by Walter M. Tveter from Oslo University that defines the structure of relations between owner, controller and maintainer of the actual data and the data server for the example of NRENs and Universities.

People added comments about the different relations between the three mentioned categories of actors/subjects at the National level and International level. In particular, the issue of obtaining explicit permission from the data owner/person is necessary due to the European Law on Privacy.

After extensive discussion it was suggested to:

1) limit ourselves to EC directives;
2) look more in detail whether P3P fits/satisfies (our) needs of solving/describing privacy issues in directories.

Action 4-2. Look in detail whether P3P fits needs of describing privacy issues in directories

5.2. Pilot CIP based European wide White Pages index service

Peter explained the history of the question. Work was started in DESIRE II. Subsequently, specific issues in using CIP for TIO exchange and how to optimize TIO were discussed with Roland. Henny Bekker added remarks about the current status of the CIP implementation/development.

Roland informed that he continues work on LIMS in the framework of and with funding from the NEEDS and explained that his further work as a coordinator of Deliverable E will depend on a decision of the NEEDS project manager.

Leif explained his position that Roland's priority will be on NEEDS but after the related documents on NEEDS project will be published they may be checked against TF-LSD Deliverable E. In this respect NEEDS deliverables are open.

Action 4-3. Discuss differences and similarities between NEEDS and other NRENs' projects. Suggested participants to be PeterG/DAASI, Konstantin/DANTE, Leif/NEEDS.

5.3. TF-LSD ToR revision and update of Work items, deliverables and teams

A detailed discussion took place on the current status of deliverables and possible changes to the TF-LSD ToR, in particular the expected dates of deliverables.

Proposed changes to the ToR:

1) changed dates of Deliverables B, D, G;
2) added GGF as standardization body to liaise with.

Agreed changes to the list of teams assigned to the deliverables:

1) DavidC, TonV, PeterG will share responsibility for a while for the Deliverable H. Hosting organization for the service was kindly proposed by Ton to be SURFnet
2) Added people to the Deliverable I.
3) added work item to Deliverables E and H to draft requirements for intended services

Action 4-4. Discuss status of Deliverables B and D at the next 5th TF-LSD meeting
Action 4-5. All team leaders to start communication on deliverables to make through the first stage on drafting requirements, outlines, definition whatever is appropriate to which deliverable.

6. DANTE NameFlow Update

Konstantin's information about the recent development of DANTE's NameFLOW consisted of two parts: setting up web access to LDAP Server and TIO interchange.

Konstantin made demonstration of the recently installed web access to LDAP Server that is built on the web2ldap interface by Michael Stroeder. It will replace the current X.500 service that is intended to be decommissioned at the end of 2001. The service is available at http://www.dante.net/nameflow/servers.html

The NameFLOW TIO Exchange proposal is available from the page http://www.dante.net/nameflow/tio/. The service is intended generally for national directory services. The national services' managers collect and re-distribute the directory indices of organisations within their own countries. The NameFLOW TIO Exchange provides a point of index interchange between NRENs. It can also be used by directory managers from organisations in countries lacking the national service.

The service allows its users to exchange their Tagged Index Objects with each other. The participants can upload their TIOs to the service and download TIOs of all other users. New participants have to register (by filling in an HTML form or sending an email message to the TIO Exchange manager in an arbitrary format with the information specified in the form) before they are allowed to access other people's index objects.

Roland Hedberg's TAGS tool was used to generate TIO objects from LDIF files during the service tests.

The service can be extended in the following ways:

certificate-based authorisation for better security;
access lists per TIO or group of national TIOs to control re-distribution of index objects between different countries;
automatic TIO generation when the user provides LDIF file instead of TIO object, automatic LDAP search to gather LDIF if the user provides the LDAP URL instead of LDIF.

Konstantin invited those who use TIOs to try the service at DANTE.

Action 4-6. Those who use TIOs are invited to try the service at DANTE.

7. Round of NREN news update

SWITCH doesn't have much news; they have started recently a new Authentication, Authorisation Initiative (AAI) - http://www.switch.ch/aai/. The issue of privacy is still something to think about.

SURFnet is making progress on X.521/DC naming cooperating on this issue with RedIRIS. Ton promised to report about this at the next meeting.

A new programme TrustSURF that has been started by the SURF Foundation. They are cooperating with Internet2 on EduPerson and Ton was proposed to be a TTC member to supervise the Middleware activity in the TERENA Technical program and liaise together with Brian with Internet2 MACE. The next meeting of MACE will be in February in Phoenix and Ton promised to send report on the meeting.

Action 4-7. Ton/SURFnet to report about X.521/DC naming problem at the next meeting.

For the AA services SURFnet is looking at PAPI (RedIRIS development) and Shibboleth (Internet2 AA service).

Action 4-8. Ton to send report on MACE meeting in February to the list

UKERNA (BG): In the UK there is still no activity on the National Directory Infrastructure because of privacy concerns, and this causes some difficulties in finding names and email information on the web. One of the problems identified is with anonymous access. Since Antalya a few sites in the UK have installed services like Shibboleth, in particular: Edinburgh University is participating in Shibboleth as a provider of information.

Brian underlined that UKERNA is looking at both PAPI and Shibboleth as a possible successor of the currently used ATHENS system. Although PAPI looks pretty straightforward compared to Shibboleth, the latter is rather complicated to start with. When asked whether students will be identified by real or non-real name, Brian explained that the Shibboleth architecture defines different types of communications between students and university and correspondingly different information will be required.

David Chadwick informed the meeting about ongoing research work by the Information Systems Security Research Group at Salford University on Privilege allocation (integration of Authorisation and Authentication) based on using/integration of PKI and Directories. For the practical purposes and pilot services they use Entrust tools. Policy in XML form is included into the certificate and describes the privileges of users.

An EU funded project on building and piloting Attribute certificate infrastructure called Privilege and Role Management Infrastructure Standards Validation (PERMIS) runs from December 2000 till June 2002 and currently has delivered trial Software. PERMIS is validating the use of Privilege Management Infrastructures (PMI) based on the X.509(2001) standard. For more information see http://www.permis.org/.

Another project is "Certificate Retrieval from OpenLDAP" funded by TERENA and NRENs. Many NRENs are interested and are planning to use results of the project. More about current work and status of the project was given in a separate presentation.

Action 4-9. David to send pointer to trial software from PERMIS project to the list.

FUNET: Janne informed the meeting that the Finnish LDAP WG is working to produce a Finnish document on distributed Directory services/infrastructure for Universities. FUNET also participates in the NEEDS project. Janne also mentioned that they are working together with Henny Bekker from SURFnet.

Action 4-10. When the FUNET document on distributed Directory services/infrastructure for Finnish Universities is available, Janne to send it to the list.

DFN (Peter Gietz): Peter informed the meeting that DAASI International is running the competence center DFN Directory Services (DDS) for DFN. One of this project's tasks is to develop the Directory infrastructure for PKI for German NREN. They use special tools to extract Certificate fields from the X.500 Directory and store them in LDAP attributes for convenient searching. Another part of DDS is work on Authorisation infrastructure/tools for different services with directory support.Peter also mentioned that a document on cost reduction by deployment of Metadirectories is available in German, and thought it may be useful for some of TF-LSD members.

Peter also mentioned the Project proposal on Semantic Web Architecture (SEMRA) submitted to the EC in the last Call . If accepted, it will open a new application/activity area for LDAP/Directories for storing Metadata and ontologies.

Action 4-11. Peter to send German document on Metadirectory Directory deployment to the list.

UNINETT: Anders Lund gave an update on recent developments in the NEEDS project that cover a range of topics:

1) use of LIMS (by Roland Hedberg)
2) writing Howto document on how to structure directory information based on the I2 Directory Recipe
3) experimenting with OpenLDAP for Authentication and Authorisation (using an architecture similar to Shibboleth)
4) storing DNS and DHCP information in LDAP as well as using LDAP for a Whois service particularly for storing BGP policies

Leif added that they are experimenting in Sweden with using S/MIME for TIO distribution.

Other people added that there is some movement to deployment of the Global Directory Service at ICANN and using alternative directory services for storing whois data at the IETF.

CESNET (Milan Sova): they are now in the process of deployment of a Directory service and are very LDAP oriented; they also count on results from David Chadwick's project on "Certificate Retrieval from OpenLDAP".

RedIRIS: RedIRIS representatives informed the meeting that their LDAP based Directory services are using LIMS, currently they are modifying software to meet general infrastructure needs and plan to return to LIMS issues later on. However, when asked specific questions about the X.521->DC naming mapping, they referred to Diego as a key person for this development.

Action 4-12. Ton to contact Diego regarding current status of development of X.521->DC naming concept/approach/mapping.

POL34 has the intention to replace the current X.500 service (that is fragmentally already out of service) with LDAP for advanced networking infrastructure and PKI.

GRNET (Michalis): GRNET plans to use LDAP as a central repository for network/infrastructure related information and particularly for Real Time Applications. They also expect that launching school networks will boost use and deployment of Directories.

8. Directory related issues in PKI development: update on pilot project "Adding Certificate Retrieval to OpenLDAP" status

David Chadwick informed the meeting about the status of the pilot project "Adding Certificate Retrieval to OpenLDAP" (http://www.terena.nl/task-forces/tf-lsd/docs/tf-lsd-4-openldap.ppt).

The Project has a duration of 18 months and is funded by TERENA and 5 NRENs (SWITCH, RedIRIS, SURFnet, CESNET, UNINETT). The project goal is to add source code to OpenLDAP to support 2 Internet Drafts on Matched Values, LDAP Schema for PKIs and PMIs. The project's tasks can be split in two groups: Matched Values Tasks and Certificate Matching Tasks

David explained that the project has the intention to develop open source modules and possibly to propose further extensions and detailing of X.509 certificates and LDAP inter-relations. For these purposes he requested community help and contribution, particularly in defining:

User requirements on which fields we should extract and index
and which of necessary extensions to OpenLDAP will be the most useful for NRENs needs.

David was advised to look at the Internet2 Certificate profile and send a properly constructed Questionnaire to the list.

Finally David explained about the difficulties found by his team when working with the OpenLDAP source code: OpenLDAP has virtually no documentation and no comments in the source code. He asked for possible help.

Action 4-13. David to prepare and send questionnaire on community needs for the OpenLDAP Certificate Retrieval tools to the list.
Action 4-14. David to send request for help in finding OpenLDAP documentation to the tf-lsd and openldap-dev mailing lists.

9. Pilot Project proposals discussion

The goal of this Agenda item was to discuss the project proposals that are intended to be submitted to the TTC and are looking for initial evaluation by the TF-LSD/meeting. The authors made short presentations about their projects.

9.1. Project proposals: Definition of a European Education Person (DEEP) and LDAP Schema Registry - DAASI International Ltd

Peter made a presentation on two related project proposals: Definition of a European Education Person (DEEP) and LDAP Schema Registry (http://www.terena.nl/task-forces/tf-lsd/docs/tf-lsd-4-schema.ppt).

Peter informed the meeting that the first DEEP proposal was discussed by the May TTC meeting and approved with 50% funding from the TTP budget under condition that the community will fund another 50%. Some but not enough NRNs agreed to participate in the funding; additional funding may be found from the Internet2 community.

Regarding the background development, Peter informed the meeting that some new developments have taken place in the US EduPerson, however no development has happened in the GridPerson.

Peter outlined the intended update for the new DEEP proposal:

put some of the work on other shoulders (e.g. user requirements survey)
include new developments
focus on harmonisation with the Internet2 attempts
include work on user preferences, privacy statements

Peter also expressed this hope that there is a possibility to have one EduPerson for both US Internet2 and European needs.

Starting his presentation about another intended Pilot Project Proposal on Schema Registry, Peter told that this work is seen as very topical. It has a long history of attempts by the IETF, Open Group and some previous project in Hongkong. There is good chance for the TERENA/TF-LSD to make progress and do valuable contribution to the deployment of LDAP/Directory services.

Peter outlined intended Schema Registry project proposal:

Collection of all existing standardized schema and other de-facto standards (NDS, Netscape)
Meta-data format review
Policy on what and how to register
Software for web based registering of new schema
Business model for running the schema registry as a permanent service

Presenting his view on how to proceed with both or one of proposals, Peter explained that DAASI is interested in proposing and performing both projects but doesn't have enough resources to do both at the same time. His question was which one the community would like to see the first.

Ton replied that he would be interested in having an Overview of existing standards and developments for the EduPerson in general and what's important for Europe.

Leif informed the meeting that he is trying to implement Internet2 EduPerson but has found a lack of many functionalities, e.g. format for CV, course description, etc. Yuri and Michalis mentioned that necessary functionality may be found in the LOM development by IEEE. It was proposed to send pointers about LOM and related IEEE Educational Metadata development to the list.

Action 4-15. Yuri, Michalis and others to send pointers to the LOM and related IEEE Educational Metadata development to the list.

Stig Venas expressed his preference to have development of the Schema Registry first. Other people expressed their concern that it may be too late for many compatibility issues if work on the European EduPerson is postponed. Finally, it was suggested that both proposals should be posted to the list for comments and expression of interest and willingness to contribute funding.

Action 4-16. Post both proposals on Definition of a European Education Person (DEEP) and LDAP Schema Registry to the list when ready and collect expressions of interest and willingness to contribute to funding from the community.

9.2. Pilot Project proposals discussion: S/MIME Certificate Collector (MS)

Michael Stroeder made a presentation on his Project proposal on S/MIME Certificate Collector that had been already posted to the list. His presentation is available from the meeting proceedings at http://www.terena.nl/task-forces/tf-lsd/docs/tf-lsd-4-tpp-certcollect.ppt.

Michael explained the background situation and motivation for the project proposal. LDAP directories are commonly accepted as PKIX repository but there is no globally working directory infrastructure, LDAP servers are hidden behind organizational boundaries and use different ways for storing certificates in the directory. E-Mail certificates are usually distributed via S/MIME or HTTP but there is no easy-to-use standard or common way/procedure for collecting S/MIME certificates and their search and retrieval.

Michael defined his approach to the project task definition as a "real life approach" while he recognizes existing need to deal with organisational directories that have their local naming conventions, storage schemes and access control policies (both administrative and firewall). Using S/MIME simplifies certificates collection because it's a commonly accepted service and MUAs feature; signed S/MIME e-mail contains the sender's Certificate already (if properly configured).

Michael asked for comments on issues related to user acceptance, required features, security and privacy aspects. The discussion revealed a definite interest from the audience in having such a tool.

All 3 Pilot project proposals were unanimously supported and recommended to TTC to consider their funding by TERENA.

10. Other work items

Ton demonstrated two possible solutions for doing Authentication via Internet/web.

The first way is using the mobile telephone as an Authentication device: the web generates a one-time password (challenge) and sends to the mobile - the mobile displays the access code - the user types this password into the web form.

The second solution is based on using a personal banking card together with the special device (provided by the bank): select institution - get challenge - type challenge into device - read reply - print into the web form.

An issue in the latter case is privacy; SURFnet acts as a kind of privacy firewall towards the banks. Banks want to charge for each authentication, but SURFnet is trying to negotiate some fixed fee per student per year.

11. Date of next meetings, AOB and Close

It was agreed that the next meeting will take place in the first full week of March 2002 expecting that it will be held in conjuntion with PKI-COORD and Portal-Coord meetings.

12. Summary of actions

Outstanding actions

Action 2-5. Diego to publish definition of iris-x skeleton in English.
Action 2-7. Leif and others to inform TF-LSD members about available LDAP/Directory promotional documents and presentations.
Action 3-4. Send last call to TF-LSD mailing list about tokenization and TIO attributes.
Action 3-5. Peter and Roland prepare report on testing LDAP Index Servers and publish via TF-LSD mailing list.
Action 3-6. Brian, Ton and others to look at Peter's Draft document when available.
Action 3-7. Peter to provide regular update on related GGF activity.

New actions

Action 4-1. Yuri to collect available information devoted to promotion LDAP/Directories. All check afterward collected information and write own if necessary.
Action 4-2. Look in details whether P3P fits needs of describing privacy issues in directories
Action 4-3. Discuss differences and similarities between NEEDS and other NREN's projects. Suggested participants to be PeterG/DAASI, Konstantin/DANTE, Leif/NEEDS.
Action 4-4. Discuss status of Deliverables B and D at the next 5th TF-LSD meeting
Action 4-5. All team leaders to start communication on deliverables to make through the first stage on drafting requirements, outlines, definition what is appropriate to which deliverable.
Action 4-6. Those who has or use TIO are invited to try service at DANTE.
Action 4-7. Ton/SURFnet to report about X.521/DC naming problem at the next meeting.
Action 4-8. Ton to send report on MACE meeting in February to the list
Action 4-9. David to send pointer to trial software from PERMIS project to the list.
Action 4-10. When the FUNET document on distributed Directory services/infrastructure for Finnish Universities is available, Janne to send it to the list.
Action 4-11. Peter to send German document on Directory deployment issues to the list.
Action 4-12. Ton to contact Diego regarding current status of development of X.521->DC naming concept/approach/mapping.
Action 4-13. David to prepare and send questionnaire on community needs to the OpenLDAP Certificate Retrieval tools to the list.
Action 4-14. David to send request for help in finding OpdenLDAP documentation to the tf-lsd and to openldap-dev mailing lists.
Action 4-15. Yuri, Mixalis and others to send pointers to the LOM and related IEEE Educational Metadata development to the list.
Action 4-16. Post both proposals on Definition of a European Education Person (DEEP) and LDAP Schema Registry to the list when ready and collect expression of interest and willingness to contribute to funding from the community.

Appendix. List of the 4th TF-LSD attendees 29 October 2001

number name organization

1 Peter Gietz DAASI International

2 Ton Verschuren SURFnet

3 David Chadwick University of Salford

4 Janne Kanner CSC/FUNET

5 Brian Gilmore Edinburgh University

6 Henny Bekker SURFnet

7 Thomas Lenggenhager SWITCH

8 Konstantin Chuguev DANTE

9 Michalis Konstantopoulos GRNET

10 Roland Hedberg CATALOGIX

11 Sebastian Szuber PSNC, Poland

12 Maja Gorecke-Wolniewicz NCU Poland

13 Leif Johansson SUNET

14 Milan Sova CESNET, Czech Rep.

15 Roland Staring SURFnet

16 Anders Lund UNINETT

17 Stig Venaas UNINETT

18 Michael Stroeder

19 Carlos Fuentes RedIRIS

20 Jose-Manuel Macias RedIRIS

21 Licia Florio TERENA

22 John Dyer TERENA

23 Yuri Demchenko TERENA

number	name	organization
1	Peter Gietz	DAASI International
2	Ton Verschuren	SURFnet
3	David Chadwick	University of Salford
4	Janne Kanner	CSC/FUNET
5	Brian Gilmore	Edinburgh University
6	Henny Bekker	SURFnet
7	Thomas Lenggenhager	SWITCH
8	Konstantin Chuguev	DANTE
9	Michalis Konstantopoulos	GRNET
10	Roland Hedberg	CATALOGIX
11	Sebastian Szuber	PSNC, Poland
12	Maja Gorecke-Wolniewicz	NCU Poland
13	Leif Johansson	SUNET
14	Milan Sova	CESNET, Czech Rep.
15	Roland Staring	SURFnet
16	Anders Lund	UNINETT
17	Stig Venaas	UNINETT
18	Michael Stroeder
19	Carlos Fuentes	RedIRIS
20	Jose-Manuel Macias	RedIRIS
21	Licia Florio	TERENA
22	John Dyer	TERENA
23	Yuri Demchenko	TERENA