TF-LSD

LDAP Services Deployment


DRAFT Minutes of the 5th TF-LSD Meeting

12 March 2002, Amsterdam

Agenda

1. Opening, introduction and agenda bashing
2. Minutes of Last Meeting
3. Status report on actions from last meeting
4. TF-LSD deliverables

4.1. Deliverable B. Investigation of the various directory indexing implementations based on the Common Indexing Protocol (CIP) and their interoperability
4.2. Deliverable D. Definition of a European wide White Pages service based on one or more CIP implementations
4.3. Draft of the Privacy document
5. DANTE NameFlow Update
6. Round of NREN news update
7. TF-LSD liaison: Update on recent development in IETF, GGF, Internet2 MACE, OpenLDAP, etc.
7.1. Internet2 EduPerson and Directory related issues/projects in Internet2
7.2. VidMid WG/project in Internet2
8. Directory related issues in PKI development
8.1. Update on pilot project "Adding Certificate Retrieval to OpenLDAP"
9. Status of new Pilot Project proposals approved by TTC: Definition of a European Education Person (DEEP) and LDAP Schema Registry
10. AOB, Date of next meetings and Close
11. Summary of actions
Appendix. List of 4th TF-LSD participants


1. Opening, introduction and agenda bashing

The meeting was attended by 22 people from 14 countries. A list of the attendees can be found in the appendix to these minutes.

Apologies were received from Ton Verschuren (SURFnet) and David Chadwick (University of Salford).
 

2. Minutes of Last Meeting (October 29, 2001, Amsterdam)

The minutes of the previous meeting held on 29th October 2001 were approved without changes.

3. Status report on actions from last meeting

 
Action No. / Action content / Status
Action 2-1. Teams to take up work on the deliverables. Status: Ongoing; overtaken by Action 4-5.
Action 2-5. Diego to publish the definition of the iris-x skeleton in English. Status: Ongoing; waiting until RedIRIS publishes the definition in English.
Action 2-7. Leif and others to inform TF-LSD members about available LDAP/Directory promotional documents and presentations. Status: Overtaken by Action 4-1.
Action 2-10. Luuk/SURFnet to inform TF-LSD about DC/X.521 gateway development and experience. Status: Done.
Action 3-4. Send last call to the TF-LSD mailing list about tokenization and TIO attributes. Status: Ongoing.
Action 3-5. Peter and Roland to prepare a report on testing LDAP index servers and publish it via the TF-LSD mailing list. Status: Open; to be done before 15.05.2002.
Action 3-6. Brian, Ton and others to look at Peter's draft Privacy document when available. Status: Open.
Action 3-7. Peter to provide regular updates on related GGF activity. Status: Ongoing; item in the agenda.
Action 4-1. Yuri to collect available information devoted to the promotion of LDAP/Directories; all to check the collected information afterwards and write their own if necessary. Status: Yuri collected pointers to available promotional information. Further work is overtaken by Action 5-3.
Action 4-2. Look in detail at whether P3P fits the needs of describing privacy issues in directories. Status: Ongoing.
Action 4-3. Discuss differences and similarities between NEEDS and other NRENs' projects. Suggested participants: PeterG/DAASI, Konstantin/DANTE, Leif/NEEDS. Status: Decided to drop this action and advise discussion between NRENs.
Action 4-4. Discuss the status of Deliverables B and D at the 5th TF-LSD meeting. Status: Done in agenda items 4.1 and 4.2.
Action 4-5. All team leaders to start communication on deliverables to get through the first stage of drafting requirements, outlines, and definition of what is appropriate to which deliverable. Status: Ongoing.
Action 4-6. Those who have or use TIO are invited to try the service at DANTE.
Action 4-7. Ton/SURFnet to report on the X.521/DC naming problem at the next meeting.
Action 4-8. Ton to send a report on the MACE meeting in February to the list. Status: Done.
Action 4-9. David to send a pointer to trial software from the PERMIS project to the list. Status: Done.
Action 4-10. When the FUNET document on distributed Directory services/infrastructure for Finnish Universities is available, Janne to send it to the list. Status: Ongoing.
Action 4-11. Peter to send the German document on Directory deployment issues to the list. Status: Ongoing.
Action 4-12. Ton to contact Diego regarding the current status of development of the X.521->DC naming concept/approach/mapping.
Action 4-13. David to prepare and send a questionnaire on community needs for the OpenLDAP Certificate Retrieval tools to the list. Status: Questionnaire not needed because of the published Internet-Draft on requirements for Certificate Retrieval tools.
Action 4-14. David to send a request for help in finding OpenLDAP documentation to the tf-lsd and openldap-dev mailing lists. Status: Done; necessary information obtained.
Action 4-15. Yuri, Mixalis and others to send pointers to the LOM and related IEEE Educational Metadata development to the list. Status: Done.
Action 4-16. Post both proposals on Definition of a European Education Person (DEEP) and LDAP Schema Registry to the list when ready, and collect expressions of interest and willingness to contribute to funding from the community. Status: Done.

Yuri Demchenko reminded the meeting that he had circulated an update on the status of actions in advance. Some actions were done, but some of them needed detailed discussion at the meeting.

Diego informed the meeting, regarding Action 2-5, that they are still discussing the structure and fields of the iris-x skeleton in RedIRIS and will publish it to the tf-lsd list when it is translated into English. The issues being discussed are those that are not addressed in eduPerson 1.0. The major problem is the vocabulary, which needs to be well defined.

There was detailed discussion about the current status of Action 3-4 on tokenization and TIO attributes. Henny informed the meeting that they had discussed some issues with Peter Gietz, and there was also a subsequent discussion on the tf-lsd mailing list. Current suggestions are only good for performance tests but seemed not good for large directories, where you can have a lot of different exotic searches requesting different object classes. Henny analysed more than 70 thousand requests in a directory of half a million entries. Most of them came from the central Address Book (central Directory Service) used by Microsoft Outlook users. Therefore he thinks we should not be too picky about which objects we index; perhaps we should index them all (rather than having a policy of indexing a limited number of attributes). Roland Hedberg thinks it might be better to limit the number of attributes to be indexed and looked up. Michael Gettes expressed the I2 wish that eduPerson be useful globally; if it doesn't match our needs, they will be interested in discussing it.

People discussed which attributes to index (e.g., cn, sn, gn, o, ou, mail, c/co) and how to map them for searching. A particular question was about the mapping between the canonical country name c (defined in X.521 and used by eduPerson) and other country names co (the friendlyCountryName attribute defined in the iPlanet Directory Server object classes). Henny proposed to use it as part of the filter setting. Roland thinks it can be matched in the index server when an organisation name is linked to the country name. Konstantin Chuguev proposed to use an extension x-o and to think about a possible format for this extension. He agreed to write a position paper based on his experience. The paper will be put on the list and a poll taken on the list.

Action 5-1. Michael Gettes to send the list of attributes they are indexing for different object classes.

Action 5-2. Konstantin Chuguev to write a position paper on the extended x-o attribute format and take a poll on the list.

Peter also suggested that it would be worthwhile to move CIP to the standards track after finishing the related TF-LSD deliverables.

Action 4-1 - Yuri Demchenko sent pointers to promotional documents from The Burton Group, which he found the most interesting, and discovered a lot of other documents. We can create a list of those documents, but we cannot store them because of copyright issues. However, all these documents are rather technical and oriented towards commercial companies. Possibly we should write our own document to promote the use of directories in the Academic and Research community. Thomas Lenggenhager noted that it's not so hard to convince organisations to set up directories. It's hard to get them to open their directories up to external queries because of privacy concerns. Henny thinks it's not that bad. The basic information they would like to disseminate, but some attributes they want to keep private. Michael Gettes says they have been looking at these sorts of issues in I2. It's almost impossible to get permission from universities even for already public data.

Summarising the discussion, Peter Gietz said he was a bit hesitant to suggest another document whilst other deliverables are still not completed. John Dyer said he strongly recommended that the TF did not dissipate its efforts and should focus on existing deliverables. It was agreed that Yuri will create a separate list of available promotional documents on Directories and add a request for comments to be sent to him. Worthy comments will be published on the server.

Action 5-3. Yuri Demchenko to create a separate list of available promotional documents on Directories and request comments to be sent to him. Worthy comments will be published on the server.

Peter Gietz pointed out that more attention should be paid by team leaders to pushing forward the TF-LSD deliverables (Action 4-5: All team leaders to start communication on deliverables to get through the first stage of drafting requirements, outlines, and definition of what is appropriate to which deliverable). He reviewed the current list of Deliverables and Teams (http://www.terena.nl/task-forces/tf-lsd/tf-lsd-tor-teams-update2001.html). In particular, there was a need to find a new leader for Deliverable D (previously led by Roland Hedberg). All were willing to contribute and Peter agreed to take a coordination (only) role on this deliverable. Chris Van Der Merwe from ARNES was added to the Deliverable D team.
 

4. TF-LSD deliverables

4.1. Deliverable B. Investigation of the various directory indexing implementations based on the Common Indexing Protocol (CIP) and their interoperability

4.2. Deliverable D. Definition of a European wide White Pages service based on one or more CIP implementations

Items 4.1 and 4.2 were discussed in the Agenda item 3 on actions status.
 

4.3. Draft of the Privacy document

Peter distributed a printed copy of the Draft of the Privacy document (currently available from the meeting's Programme page at http://www.terena.nl/task-forces/tf-lsd/docs/Privacy-TF-LSD-Del.-Cv1.doc). He commented on the structure of the document. The document contains an introduction about the purpose of and need for this document. Privacy is not only an issue described by politicians; business people are also getting interested in privacy. There is a big interest on the consumer side as well, and this will influence the commercial sector.

A big issue is protecting the information from spammers, and this needs to be thought about when creating the index. People may want to publish their data outside of their organisation, even Europe-wide, but they want protection from the misuse of their data.

People think that a solution may be in crawler authentication (and detection) and further application of the crawler policy. Peter suggested that several options are possible: My entry is only visible from a) My domain, b) My country, c) The EU countries, which have the same legislation, or d) I don't care. Michael suggested that this might be different for different attributes in the directory. It was agreed that this could quickly lead to the need for access control lists (ACL) to be put in place. Michael Gettes says I2 is working on how to granulate access to attributes; Stamford College is leading the way in the US.

DAASI is doing some implementation work on the crawler policy for SURFnet that includes definition of the Schema for Crawler Policy.

Further discussion revealed a division of thoughts on whether or not to treat crawlers as ordinary users or as a special case. The commonly observed difference in crawler behaviour (compared to a standard user query) is that a crawler attempts to search the whole subtree with all attributes. Michael would like to be able to differentiate. That would allow them to say: I will make all my information publicly available, but not to crawlers. This would need the availability of crawler detection for malevolent crawlers. Michael wants to be able to detect crawlers so he can understand their requirements and then make the appropriate information available, but legitimately and under a strict contract of understanding what can be done with the data. There was a comment that it might be useful to allow users to mark data as to whether it is allowed to be copied.
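
The crawler heuristic in the paragraph above (whole-subtree searches, a filter that matches every entry, no attribute list) can be turned into simple detection logic over server search logs. The script below is an added example written for these minutes, not code from TF-LSD, SURFnet, DAASI or any other project mentioned here; the log lines are constructed, and their slapd-like format (an ACCEPT line per connection, then a SRCH line with base/scope/filter followed by a SRCH attr= line per operation) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log, slapd-like format (assumption, not from any real server).
# scope=2 is the wholeSubtree scope; an empty "attr=" list means all attributes.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
conn=1001 op=0 SRCH base="o=Example University,c=NL" scope=1 deref=0 filter="(&(objectClass=person)(cn=*smith*))"
conn=1001 op=0 SRCH attr=cn mail telephoneNumber
conn=1002 fd=13 ACCEPT from IP=198.51.100.7:5123 (IP=0.0.0.0:389)
conn=1002 op=0 SRCH base="o=Example University,c=NL" scope=2 deref=0 filter="(objectClass=*)"
conn=1002 op=0 SRCH attr=
conn=1002 op=1 SRCH base="ou=Staff,o=Example University,c=NL" scope=2 deref=0 filter="(objectClass=*)"
conn=1002 op=1 SRCH attr=
conn=1002 op=2 SRCH base="ou=Students,o=Example University,c=NL" scope=2 deref=0 filter="(objectClass=*)"
conn=1002 op=2 SRCH attr=
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')

SCOPE_SUBTREE = 2  # LDAP wholeSubtree scope as logged by slapd


def is_broad_filter(ldap_filter):
    """True when every assertion in the filter is a presence test (attr=*),
    i.e. the filter matches every entry under the search base."""
    assertions = re.findall(r'\(([^()]*)\)', ldap_filter)
    return bool(assertions) and all(
        re.fullmatch(r'[A-Za-z0-9.;-]+=\*', a) for a in assertions)


def parse_log(text):
    """Return (conn_to_ip, searches); each search joins the base/scope/filter
    line with its attr= line for the same conn/op pair."""
    conn_to_ip = {}
    searches = {}
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_to_ip[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            searches[(conn, op)] = {"conn": conn, "op": op, "base": base,
                                    "scope": int(scope), "filter": flt, "attrs": None}
            continue
        m = ATTR_RE.search(line)
        if m:
            conn, op, attrs = m.groups()
            rec = searches.get((conn, op))
            if rec is not None:
                rec["attrs"] = attrs.split()  # [] means no attribute restriction
    return conn_to_ip, list(searches.values())


def is_crawler_like(search):
    """The behaviour described in the minutes: whole subtree, every entry, every attribute."""
    return (search["scope"] == SCOPE_SUBTREE
            and is_broad_filter(search["filter"])
            and not search["attrs"])


def classify_connections(text, threshold=2):
    """Per connection: source IP, search count, crawler-like count, and a flag
    set when the crawler-like count reaches the threshold."""
    conn_to_ip, searches = parse_log(text)
    stats = defaultdict(lambda: {"ip": None, "searches": 0, "crawler_like": 0, "flagged": False})
    for s in searches:
        st = stats[s["conn"]]
        st["ip"] = conn_to_ip.get(s["conn"], "unknown")
        st["searches"] += 1
        if is_crawler_like(s):
            st["crawler_like"] += 1
    for st in stats.values():
        st["flagged"] = st["crawler_like"] >= threshold
    return dict(stats)


if __name__ == "__main__":
    for conn, st in classify_connections(SAMPLE_LOG).items():
        tag = "CRAWLER-LIKE" if st["flagged"] else "ok"
        print(f"conn={conn} ip={st['ip']} searches={st['searches']} "
              f"crawler_like={st['crawler_like']} {tag}")
```

A flagged connection is a candidate for the crawler policy discussed above (authenticate it, or serve it only the attributes the policy allows), not proof of misuse; a legitimate address-book synchronisation can look the same.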

Peter Gietz agreed to publish a document on Crawler Policy on the list for discussion and possible contribution.

Peter briefed on Chapter 2, EU Legislation. It was agreed that the document should focus on EU legislation, not national laws. Directive 95/46/EC provides a quite good framework for harmonising legislation in Member States on personal data processing. Section 2.2 provides basic definitions, which people agreed to accept. The content of the Directive was described using the structure suggested by Herbert Burkert (http://www.lex-electronica.org/articles/v2-3/burkerfr.html).

Chapters 3 and 4 will provide generic description of the WP Indexing system and existing technologies for privacy protection (Privacy Enhancing Technologies; P3P and Security features in LDAP).

Chapter 5 of the document, Organisational and Technical Recommendations, will be the most important part of the document; currently it consists of just bullet points.

Peter asked for comments on the structure of the document. Ken remarked that the Privacy-Enhancing Technologies should more properly be described as Privacy Preservation Technologies (PPT). Privacy cannot be enhanced by technology, just eroded.

Ken thinks PPT is subject to your security domain. It should define what goes outside and what is to be secured. In the case of public WP directories we are talking about Affiliated Directories that need to exchange information. Affiliated Directories may transfer meta-information to other security domains but don't want to let those other domains transfer that information on to other agencies. Ken can send a URL of a document of their first thoughts on this.

Action 5-4. Peter to publish Crawler Policy document on the list for discussion and possible contribution.

Action 5-5. Ken Klingenstein to send URL on Affiliated Directories to the tf-lsd list.

Action 5-6. All to comment on the Privacy document structure.
 

5. DANTE NameFlow Update

Konstantin informed the meeting that they are now in the process of changing hardware for the NameFlow server; the current platform is very old.

He posted an invitation to test NameFlow TIO Exchange (available at http://www.dante.net/nameflow/tio/) in mid January 2002, but very few people have tried it so far; it is working in a prototype version now. The main concern is still privacy. Privacy needs to be addressed before a service can be offered, else people will not want to put their data in. He proposed a number of questions to discuss:

1) upload and download protocols: it's based on HTTP, where people can read entries as an HTML page; for robots, use of the HTTP GET/PUT/DELETE methods is suggested. The question is whether this is enough to manage TIO objects; alternatives can be zip over HTTP or others;

2) content-type: do we need a special type for TIO transportation purposes?

3) the uniqueness of the TIO object: RedIRIS are using the object ID to identify objects uniquely. Should DANTE use this scheme or should they use distinguished names?

4) modified-since: next thing to be implemented for TIO identification;

5) TIO subentry: specifying naming context if the client needs only a subset (like all the indices for a country);

6) bulk retrieval: do we need special protocol for this?

7) secure transfer: it is possible to use secure HTTP connections, however be aware that it adds an extra level of complexity;

8) TIO storage: keeping objects in the file system rather than the database simplifies access and transfer issues.

People made prompt comments on the questions listed above and agreed that Konstantin will summarise the discussion and send it to the list for further comments.

There was particular discussion about the TIO object identifier and using create-time together with a URI. People also pointed out that most answers and solutions can be found in CIP, e.g. regarding the TIO "content-type" when using CIP protocol/commands for push operations. For secure transmission it was advised to look at the specific CIP recommendations, S/MIME or SAML.

Action 5-7. Konstantin to summarise the discussion and send to the list for further comments.
 

6. Round of NREN news update

RedIRIS (Diego Lopez) - They established an LDAP-based Directory Service for RedIRIS and are encouraging sites to use the directory. LDAP is running on a Linux box. They have three separate Directories: one for internal use, one for the referral for their network and one for CIP-based indexes. Up-to-date information on the project is at http://www.rediris.es/ldap.

POLAND - They've just received funding for an 18-month project until August 2003. The general idea is to implement LDAP and services around it, including White Pages, indexing portals, directory-based services in grid computing, and access to library resources. They are in the process of setting up the project web server. They faced a problem with the correct spelling of Polish names, which normally use non-Latin-1 characters. Unicode seems suitable for this task and is well integrated into web browsers. YuriD advised that they look at fallback rules when working with the spelling and searching of personal data.

CARNET (Miroslav Milinovic) - They have done some research and expect to start with some directory oriented projects in Croatia. Some are happy to be involved, other not, so he is looking forward to the directory promotion document. Future project website - http://ds.carnet.hr/ldap/

ARNES (Chris Van Der Merwe) - At the moment ARNES is not leading by example. Experiment is rather private at the moment.

DFN/DAASI (Peter Gietz) - The DFN funded project on Directories ends in January 2003. The main directions of development/activities in deployment of directory based services at DFN:

1) White Pages services: review the white pages service for universities;
2) authentication: set up a unified login for UNIX and Windows. One solution found is based on Active Directory. Next the project will experiment with an OpenLDAP/Samba solution;
3) PKI: storing Certificate information in the LDAP attributes (Internet Draft had been submitted to IETF and posted to the tf-lsd mailing list).

Peter explained that the proposed I-Draft is actually exploring an alternative approach to the I-Drafts submitted earlier by David Chadwick on server-side Certificate and CRL matching rules and values. The motivation for this is to incorporate it in an attribute-based solution using CIP and TIO. This solution can also be applied to an OCSP service, which allows online Certificate status retrieval.

SURFnet (Henny Bekker) - SURFnet is doing a lot on LDAP; they have a 1st-level server with 300 organisations connected and another 50 LDAP servers in the hierarchy. They are moving from X.521 to DC naming. Based on their customers' requirements, they are thinking about an extension of eduPerson with some specific features for the NL Education and Research community. They have an LDAP crawler but need to define the Crawler Policy. Four currently operating crawlers are feeding into a Central Address Book with more than 70000 entries in it. A RADIUS-based access service to licensed software is built on top of LDAP. The next step is deploying a national authentication system for wireless networks. People were interested to know more about the LDAP Schema for RADIUS. Michael Gettes remarked that in Internet2 they needed to add some attributes to the Person object to use with a RADIUS-based modem access system.

Action 5-8. SURFnet to publish LDAP Schema for RADIUS based authentication service.

CESNET (Milan Sova) - CESNET is using LDAP for RADIUS and storing network access/administration policies. They also use LDAP for authentication and authorisation and for storing Certificates (e.g. to support S/MIME Certificate requests). In White Pages services they are working on policy for what information is private and what is public. Milan also mentioned that they are working on Perl library for creating LDAP applications.

NEEDS and UNINETT (Anders Lund) - First, Anders updated on the NEEDS Project and added some specific information on UNINETT. The last NEEDS meeting was in January 2002 in Finland. They are using the software from Roland and have three test servers, in Norway, Finland and Sweden. The interface is written by Stig Venaas in PHP; an LDAPv3 extension to PHP was needed. All were invited to test the service. There is some delay in deploying the TIO exchange network, TIO-net. They have been working on contracts between the NRENs and the Universities to maintain TIO-net. In UNINETT, the focus has shifted from White Pages services to Directory/LDAP-based authentication and authorisation that will use a common ID for students. They are working on a single certificate per student, which will be based on the directory. UNINETT hopes to use some of the NEEDS software to support this. Stig has written something on this that should be available in English from the UNINETT web pages.

GRNET - Running an LDAP referral service. Video conferencing uses LDAP to acquire user profiles.

SWITCH (Thomas Lenggenhager) - No news; they are still using the old X.500 QUIPU (88) implementation. They hope to replace it with LDAP this year. They also have a major shift from White Pages to authentication and authorisation. They are working on how to prevent White Pages from misuse, considering a 3-way handshake for query submission.

EuroPKI - They use OpenLDAP to store X.509 Certificates in binary. They use SSL client to authenticate with the server and are investigating how to insert authorisation into SSL services for ftp and telnet. There is an intention to use LDAP Directory as an ACL (access control list) server.
 

7. TF-LSD liaison: Update on recent development in IETF, GGF, Internet2 MACE, OpenLDAP, etc.

IETF (Roland Hedberg) - There are two groups dealing with LDAP in the IETF. The LDUP WG (LDAP Duplication/Replication/Update Protocols) is dealing with replication issues; the other one, the LDAPbis (LDAP (v3) Revision) WG, is chaired by Kurt Zeilenga and RL Morgan and is revising the LDAP-related RFCs and shepherding them through the Internet Standard process. This group is doing well and making progress. Since the LDAPEXT WG (LDAP Extension) was closed, there is no place to discuss new work.

Michael Gettes noted that documentation of best practice and the like is coming out of TERENA and I2 directory-related activities. He offered to post the best practice on groups from I2 to the TF-LSD list.

Note. Information has been sent at the moment of writing these minutes:
Practices in Directory Groups - http://middleware.internet2.edu/dir/groups/draft-internet2-mace-dir-groups-best-practices-01.html

OpenLDAP (Stig Venaas) - OpenLDAP 2.1 will be released in a couple of months. OpenLDAP 2.1.0alpha is currently available for testing; a beta will be out in a few weeks. Major developments: a lot of internal rewrites, bug fixes and optimisations; Unicode support added (in particular for Cyrillic); schema checking; certificate validation in TLS; certificate exact matching; IPv6 support (although this was already in 2.0).

GGF4 (Peter Gietz) - Grid Information Services Area was the major stronghold of LDAP in GGF. The whole group was LDAP oriented, but there has been a strong move towards distributed Relational Databases Information Services. This seems odd since LDAP can provide the facilities required. They want to build unified Relational Approach to Grid Information Services. GridPerson is sort of dead, GGF is going to use eduPerson instead.

Ken raised the issue of whether GGF was a good forum for global standardisation. They change their interests very often. In the case of the CP WG they never moved to closure on the standard, just on the model. He is thinking about whether campuses can provide common solutions/tools for Grid applications and the Grid community. He observes that there is much less inconsistency than there are gaps between campuses and Grids.
 

7.1. Internet2 EduPerson and Directory related issues/projects in Internet2

Ken Klingenstein gave an overview of Middleware projects and developments in Internet2. In the US the campuses are paying a lot more attention to who is in the directory. They are going through an un-bundling of services (email, building access, portal access) and they need people to be in the directory to get these. The world of P2P is getting very confusing. When Ken sees P2P he sees a lot of middleware issues. There are many groups working on it, but it needs to be on our radar. They are releasing KX.509, which can issue a short-term certificate. The CP for HighEd is finished; they also have a lightweight CP policy for use in the S/MIME context.

Shibboleth is a major Internet2 Middleware development to support inter-institutional sharing of web resources subject to access control. Shibboleth is heavily based on SAML (Security Assertion Markup Language - http://www.oasis-open.org/committees/security). SAML describes security assertions that are encoded in XML, profiles for attaching the assertions to various protocols and frameworks, the request/response protocol used to obtain the assertions, and bindings of this protocol to various transfer protocols (for example, SOAP and HTTP). Bob Morgan was heavily involved and carried it along.

Shibboleth alpha code will start shipping at the end of this week (it won't include the screen functionality, which is too complicated for an alpha release); they hope to have it out as open source in July, but are having problems with IPR issues. IBM is writing a resource administrator screen.

Shibboleth has got a lot of interest from the American library community. They are promoting AA/Shibboleth to industry as well. NISE (Wall Street people) were given a presentation on AA and Shibboleth by Ken.

There is an interest from Internet2 in outcome of the Liberty Alliance (formed against Microsoft Passport) that looks forward to a common identity on the Internet, but they haven't built the market place yet.

Ken demonstrated a Middleware map that covers all the areas in which they will work. One of the ways in which they are going to work together in future is virtual organisations.

They also started work on meduPerson for the medical community, that is much like eduPerson but with specifics and extended controlled vocabulary.

Michael Gettes updated on MACE-Dir Working group major development: eduPerson directory schema, the Directory of Directories for Higher Education (http://middleware.internet2.edu/dodhe/), and the LDAP Recipe.

DoDHE's major goals include an item to investigate and develop a service for directory searching, otherwise referred to as a "Web of People". Right now there are only 12 schools involved in the project. They ran a test last year that simulated 500 directories, so they are pretty sure it will scale. People are expected to be compliant with eduPerson and its requirements. Among the tools to be developed there is an LDAP analyser that will allow the discovery of problems in LDAP installations.

Next version of eduPerson 1.5 will be oriented towards Shibboleth. ("Club - Shib" Attributes). They have come up with a new attribute called eduPersonExtension which will allow eduPerson extension (e.g., it can contain a URN). This is a way of sharing data in a structured consistent form.

There will be a number of documents produced as NMI deliverables: Directory Groups documents, meta-directories, affiliated directories, LDAP-recipe, etc.

Michael explained directory issues in Bridge CAs. A standard PKI is a hierarchy. In a bridge environment there is a relationship (bridge) between domains. Certificates are stored in directories. Directory discovery is achieved by directory chaining, but in most directory implementations chaining does not stay up; it falls over between different implementations.

I2 has used the iPlanet directory to have a register of directories (this can now be done in OpenLDAP as well). They can thus use directory referrals to reach further up the tree. This work is going to be applied to the Federal Bridge in the near future.

Michael also informed about their experience with Metamerge Integrator (http://www.metamerge.com) as a directory integration middleware. This is not a Metadirectory tool but it provides a number of solutions for database and directory integration, provisioning, web services and message bus technologies. Example is LDIF transformer. It reads an entry in one format, undertakes a transformation and outputs it. Written in Java. This is available to the higher Education community, but you need to apply for a free licence. Two large institutes in the Netherlands are using it.
 

7.2. VidMid WG in Internet2 (Egon Verharen, SURFnet)

Egon Verharen presented the status and developments of the Internet2 VidMid VideoConferencing WG (of which he is chair). VidMid VC was established by the Internet2 Middleware Initiative and ViDe, the Video Development Initiative, and is a component of NMI (NSF Middleware Initiative). The goal is to develop a set of simple, authenticated desktop VC clients, along with the associated directory and authentication components. Video conferencing software does not normally know how to use directories for authorisation and authentication.

Egon made overview of the VidMid VC WG deliverables:

1) Draft on VidMid Videoconferencing Scenarios (http://middleware.internet2.edu/video/draft-internet2-vidmid-vc-scenarios-01.html) - Several use scenarios are being developed to investigate the middleware requirements for videoconferencing.

2) CommObject: An LDAP Infrastructure for Video and Voice Over IP (http://middleware.internet2.edu/video/draft-johnson-h323-ldap-infra-01.doc) - describes an LDAP infrastructure for video and voice communications over IP, defines general CommObject class and subclasses H323Identity, H323Zone, sipIdentity, vrvsIdentity, etc., which provide a way to represent endpoints on the network as well as entire networks of endpoints. There will be a special object that you can put in your enterprise directory to point to the videoconference directory.

The work done on H323 object classes is sent to ITU. The SIP related development will go to the IETF. The ViDeNet Directory has its own web page http://www.vide.net/.

Egon also gave some information on the VidMid Video-on-Demand WG status. They have a draft of VoD scenarios online (http://www.ait.utk.edu/VidMid/VoD/scenarios/scenarios.html) and a white paper on the role of directories in VoD that will be included in the NMI 1.0 release (May 2002), and are exploring the use of Shibboleth in Digital Rights Management, which is an important issue in VoD.

Egon summarised that VidMid is "on speed" and contribution is welcome from this group, in particular, on published draft documents in directory related issues.

Egon's presentation is available at http://www.terena.nl/task-forces/tf-lsd/docs/CAMP-TFLSD-vidmid-update.ppt
 

8. Directory related issues in PKI development

8.1. Update on pilot project "Adding Certificate Retrieval to OpenLDAP"

The presentation was cancelled with apologies from David Chadwick. Yuri distributed excerpts from the first three bimonthly reports on the project sent by David Chadwick to TERENA and commented that the project is going well and in accordance with the schedule. Some trial software is expected in Autumn.

Because the project is funded by TERENA with contributions from NRENs, we need to establish the meeting of the Review Panel consisting of representatives of the NRENs contributing to the project. The date is to be set offline.

Action 5-9. TERENA Secretariat to set up the date for the Review Panel on Pilot project "Adding Certificate Retrieval to OpenLDAP".
 

9. Status of new Pilot Project proposals approved by TTC: Definition of a European Education Person (DEEP) and LDAP Schema Registry


The DEEP pilot project proposal was discussed at the TTC on January 21, 2002 (http://www.terena.nl/ttc/minutes/ttc20020121.pdf), where the following decision was made: "It was agreed that establishing the need (or not) was a vital first step and as a result, the TTC is willing to fund the Survey of Requirements from the TERENA budget to a maximum of 2000 euros. The TTC would like that work completed within the proposed 3 elapsed months. The TTC will also consider funding the remainder of the work, but any approval would be dependent on the findings of step B and therefore no commitment can be given at the moment." Information about this decision was sent to the TF-LSD mailing list. Peter Gietz said that he is negotiating with the TERENA Secretariat and will be ready to start the survey once final agreement is reached.

There was a more detailed discussion of the other pilot project, the LDAP Schema Registry. The TTC decision was "that TERENA could fund 50% of the total amount requested, provided the other 50% can be raised from the community in the form of earmarked contributions from at least 3 NRENs".

Michael Gettes suggested that it is important to decide which schemas and what information are to be put into the registry, e.g. how to decide whether a schema is popular enough, because a schema by itself might be useless if it is not provided with documentation. Peter explained that one of the deliverables will be the definition of the policy and metadata for schema registration.

A poll of those present revealed that the following NRENs/representatives would be interested in supporting the project with an amount of approximately 5000 Euros: CESNET, RedIRIS, Poland, UNINETT. Support will also be requested from DFN and UK/JISC. Internet2 will be ready to contribute effort but not money.

Ken made a general comment that the registries issue is an important one, and that he sees at least three registries that should be deployed as soon as possible: an LDAP Schema Registry, an XML Namespace Registry and a Registry for Virtual Organisations.
 

10. Date of next meetings, AOB and Close

The next meeting will be on Sunday 2 June 2002, immediately before the TERENA TNC2002 Conference.

It was agreed that the meeting will take half a day and will contain only presentations on the deliverables. It may also include an IETF update by Bob Morgan.
 

11. Summary of actions

Action No | Action content | Status
Action 2-5 | Diego to publish definition of iris-x skeleton in English. | Ongoing, waiting until RedIRIS publishes the definition in English.
Action 3-4 | Send last call to TF-LSD mailing list about tokenization and TIO attributes. | Ongoing
Action 3-5 | Peter and Roland to prepare report on testing LDAP Index Servers and publish via TF-LSD mailing list. | Open, to be done before 15.05.2002
Action 3-6 | Brian, Ton and others to look at Peter's draft Privacy document when available. | Open
Action 3-7 | Peter to provide regular updates on related GGF activity. | Ongoing
Action 4-2 | Look in detail at whether P3P fits the needs of describing privacy issues in directories. | Ongoing
Action 4-5 | All team leaders to start communication on deliverables to get through the first stage of drafting requirements, outlines and definition of what is appropriate to which deliverable. | Ongoing
Action 4-6 | Those who have or use TIO are invited to try the service at DANTE. | Ongoing
Action 4-10 | When the FUNET document on distributed directory services/infrastructure for Finnish universities is available, Janne to send it to the list. | Ongoing
Action 4-11 | Peter to send German document on directory deployment issues to the list. | Ongoing
Action 4-12 | Ton to contact Diego regarding current status of development of the X.521->DC naming concept/approach/mapping. | Ongoing
Action 5-1 | Michael Gettes to send to the tf-lsd list the list of attributes they are indexing for different object classes. |
Action 5-2 | Konstantin Chuguev to write a position paper on the extended x-o attribute format and take a poll on the list. |
Action 5-3 | Yuri Demchenko to create a separate list of available promotional documents on directories and request that comments be sent to him. Worthy comments will be published on the server. |
Action 5-4 | Peter to publish the Crawler Policy document on the list for discussion and possible contribution. |
Action 5-5 | Ken Klingenstein to send the URL on Affiliated Directories to the tf-lsd list. |
Action 5-6 | All to comment on the Privacy document structure. |
Action 5-7 | Konstantin to summarise this discussion and send it to the list for further comments. |
Action 5-8 | SURFnet to publish the LDAP schema for the RADIUS-based authentication service. |
Action 5-9 | TERENA Secretariat to set up the date for the pilot project "Adding Certificate Retrieval to OpenLDAP" Review Panel in Autumn. |

 

Appendix. List of the 5th TF-LSD attendees 12 March 2002

No. | Name | Organisation
1 | Bekker, Henny | SURFnet
2 | Chuguev, Konstantin | DANTE
3 | Demchenko, Yuri | TERENA
4 | Derenale, Corrado | Politecnico di Torino
5 | Dyer, John | TERENA
6 | Hedberg, Roland | Catalogix/NEEDS
7 | Gettes, Michael | Georgetown University
8 | Gietz, Peter | DAASI International
9 | Gorecka-Wolniewicz, Maja | NCU
10 | Klingenstein, Ken | Internet2
11 | Lenggenhager, Thomas | SWITCH
12 | Lopez, Diego | RedIRIS
13 | Lund, Anders | UNINETT
14 | Macias, Jose-Manuel | RedIRIS
15 | Milinovic, Miroslav | CARNet / SRCE
16 | Saragiotis, Panagiotis | GRNET
17 | Sova, Milan | CESNET
18 | Szuber, Sebastian | PSNC
19 | Van Der Merwe, Chris | ARNES
20 | Venaas, Stig | UNINETT
21 | Verharen, Egon | SURFnet
22 | Wolniewicz, Tomasz | NCU



TERENA Technical Contact: Yuri Demchenko <demchenko@terena.nl>.


Copyright TERENA