[14:59:02] --- tdchayes has joined
[14:59:20] --- tdchayes has left
[15:20:29] --- ggm has joined
[15:20:44] <ggm> ggm scribe?
[15:26:37] <ggm> http://www.ietf.org/ietf/03nov/pkix.txt
[15:27:26] --- tdchayes has joined
[15:27:34] --- mark.ellison has joined
[15:30:48] <ggm> agenda bashing/administrivia phase
[15:32:25] <ggm> LDAP won't be discussed, Dave Chadwick couldn't make it to IETF. co-author here and can answer Qns
[15:32:38] <ggm> (it's on agenda so should be noted as not to be discussed)
[15:33:03] <ggm> new RFCs got up. two of them.
[15:33:15] <ggm> perm id. IESG comments will require new draft.
[15:33:27] <ggm> looking for expert assistance on non-PKIX issues (eg URNs)
[15:33:49] <ggm> CMP, CRMF need input files so IESG comments can resolve. need editor.
[15:35:46] <ggm> logotypes 3 IESG comments being addressed. proxy certs going
[15:36:05] <ggm> scvp, policies for ac. QC, ECC, NIST curves, path building 'nearly there'
[15:36:35] <ggm> SCVP. new draft doesn't address all the comments. went early to get mtg deadline. should make WG last call
[15:36:45] <ggm> aiming for AD by Jan 2004
[15:36:52] <ggm> Policies for AC
[15:37:09] <ggm> in WG last call, sound, resolve comment issues. But demand not demonstrated
[15:37:37] <ggm> .
[15:37:51] <ggm> options: forward -> standards, forward ->: informational, kill
[15:38:06] <ggm> (kill is not appropriate)
[15:39:39] <ggm> ggm Q about feelings about ACs
[15:39:46] <ggm> Polk. doesn't extend 3281.
[15:40:27] <ggm> Kent AC not panacea, more than not useful
[15:41:17] <ggm> Tim is on the lack of adoption of AC, concern adding policy facilities was unnecessary. adding capability which won't be used
[15:41:57] <ggm> Tim. need policies to be useful.
[15:42:20] <ggm> Tim take to list.
[15:42:55] <ggm> Tim hands show for standards-track vs non-standards
[15:43:11] <ggm> it's not clear for standards track, don't-cares had it.
[15:43:31] <ggm> QC. new draft, no techn issues remain. ASN1 issues over syntax variances
[15:43:45] <ggm> WG last call after this meeting, forward to ADs asap
[15:44:55] <ggm> path building. new draft, clarified goals.
[15:44:58] <ggm> ONGOING work
[15:45:17] <ggm> subject id method, PK algs, LDAP specs, 3279/3280/ OCSP
[15:45:34] <ggm> SIM. new draft, tech issues remain. aim for WG last call Feb 2003
[15:46:15] <ggm> PK algs. added editor, excluded RSA KEM, draft reqd before Seoul, WG last call to come, RFC by following meeting
[15:46:24] <ggm> RSA KEM draft may come separately
[15:46:43] <ggm> LDAP specs. mature. 1-2 more drafts. WG last call by Seoul
[15:47:11] <ggm> 3279/3280. new lead editor. path validation tests being performed. AD's qns. do we have to name participants in testing?
[15:47:31] <ggm> <floor/AD> yes.
[15:47:50] <ggm> Tim ok then that means we have to wait until everyone passes. they want to announce pass seen under NDA so far.
[15:48:06] <ggm> Aim to have with AD by April 2003
[15:49:17] <ggm> New Work. Name comparison spec. eds required. to proceed in parallel with 3280. permits more complex matching techniques
[15:49:40] <ggm> Other docs, orphans at this point or not progressing
[15:51:45] <ggm> SIM draft.
[15:52:02] <ggm> need to be able to pass non-disclosable info in a PKC. eg social security numbers.
[15:52:13] <ggm> initial proposal was to do hash of the value.
[15:53:03] <ggm> detail is to add passwd/random values RA adds second random number, multiple hash iterations, to prevent pre-calc attack by client. 'all parties contribute some randomness'
[15:53:16] <ggm> open issues.
[15:53:44] <ggm> Sim extension or in OtherName? new draft has extension. orig draft had OtherName.
[15:57:25] --- mark.ellison has left
[15:57:34] <ggm> risks of being able to brute-force things like the social-security ID if one value is known
[15:58:25] <ggm> AD thinks extension is overkill. OtherName is kind-of designed to do this.
[16:03:22] <ggm> Tim issues in the computation of the signed state of these things. do we have the right model/values?
[16:07:39] <ggm> AD. this is just a different identifier. I reiterate this
[16:09:28] <ggm> Kent. this is about making the number part of the DN, without disclosing the number value.
[16:11:16] <ggm> (discussion about use to disambiguate DNs otherwise colliding)
[16:12:46] <ggm> Qualified . Profile. son of 3039
[16:13:00] <ggm> sorry Qualified Certificates Profile. son of 3039
[16:13:14] <ggm> author believes document is done.
[16:13:27] <ggm> remaining issues, ASN1. 1993. to use or not? minor ref updates
[16:16:05] <ggm> discussion on list about document. concerns it should have been renamed, freeze on x.509 defect resolution, and new RFC which doesn't invalidate 3039.
[16:16:13] <ggm> author believes otherwise on all counts.
[16:17:26] <ggm> WG chairs concur with Author. these comments were not adopted
[16:18:57] <ggm> ETSI collaboration. depends on progression, to do inter-standards body normative references/lockstepped standards
[16:21:45] <ggm> Cert Path Building.
[16:23:25] <ggm> easy to do, hard to do well. interop problems. need generic path building guidance, to work with any vendors PKI.
[16:25:46] <ggm> good description of the richness of the problems.
[16:27:08] <ggm> 4 decisions. building from trusted root (reverse) or end entity (forward)
[16:27:08] <ggm> methods that may make cert path building more efficient. find 'best path first'
[16:27:13] <ggm> common flaws of path building modules
[16:27:16] <ggm> simplifying the decision tree
[16:29:51] <ggm> comments seeking more prescriptive language. Authors don't want SHOULD and MUST. not that kind of document.
[16:29:51] --- jis has joined
[16:31:08] <ggm> need to do more language cleanup. drop synonyms for preferred value
[16:32:32] <ggm> Trust.. need defn. ref 3280 concepts. avoid snakepits
[16:36:04] <ggm> need input.
[16:37:25] <ggm> AD on use of NONCES in OCSP
[16:38:07] <ggm> discovered RFC doesn't require clients or servers to do NONCE behaviours
[16:38:13] <ggm> did poll
[16:42:27] <tdchayes> Is Mike presenting the new "server-supports-nonces" extension?
[16:45:34] <ggm> yes. but I don't follow the discussion. it's got very confusing.
[16:45:43] <ggm> I'll try and track it better for you. [sorry]
[16:46:04] <ggm> damn. he sat down again, Tim is getting back online.
[16:46:30] <tdchayes> I'm familiar with the discussion. Just curious which extension - the one with a boolean flag?
[16:47:25] <ggm> BOF on use of PKI in IPSEC, thus nov 13, 0900-1130 salon F
[16:47:34] <ggm> [ok. want me to yell out anything about this NONCE stuff?]
[16:48:09] <tdchayes> no, I'll ask the list. Thanks
[16:48:21] <ggm> next presentation.. steve hanna, OASIS PKI TC. obstacles to PKI deployment. survey
[16:48:29] <ggm> sorry I failed. I was just asleep at the wheel.
[16:49:41] <ggm> PKI tc, around for a year. successor to PKI forum
[16:49:41] <ggm> 15 voting members, custs, vendors, experts
[16:49:46] <ggm> open to any oasis member
[16:50:28] <ggm> find obstacles to PKI deployment, figure out priorities. improve action plan. not a standards body, or trade group
[16:51:36] <ggm> 2
[16:51:56] <ggm> sorry 216 survey responses. 44% IT mgt/staff remainder developers, consultants etc.
[16:52:13] <ggm> 60/25/6 % northam. europe asia
[16:52:38] <ggm> many 5+ years experience in infosec/privacy. 90% deployed PKI, developed s/w -experienced
[16:53:29] <ggm> weighted methodology, to ask for most/important/not-important apps. also ranking on other apps. all apps except secure RPC at least 'important'
[16:53:49] <ggm> nice graph of everything. hard to type in. but clearly people think a LOT of stuff is important. doc signing the most, web server
[16:54:09] <ggm> security next, secure email, vpn, ecom, sso, secure wifi, code signing RPC and other apps
[16:54:44] <ggm> ranked obstacles, same methodology. no obstacle ranked as not an obstacle. 92% said would use PKI more if obstacles removed
[16:54:49] <ggm> lack of support was top :-)
[16:54:56] <ggm> cost/pki-not-understood
[16:55:18] <ggm> poor interop. hard to get started. hard for users. lack of mgt. too much legals, harder IT maintenance. other obstc
[16:56:13] <ggm> write-ins included insufficient ROI. enrollment costs too high. revocation hard.
[16:57:12] <ggm> decided to do followup survey with different ranking, got 74 respondents. demographics similar. gave budget of 10 points to distribute amongst choices.. added clarifying qs, other obstacles, requests for suggestions to tackle obstacles
[16:59:11] <ggm> ratings much more clear.
[16:59:52] <ggm> lack of s/w is really #1. way ahead of others. then costs too high, then pki clue lack, too much focus on tech, not enough need and poor interop are the top 5
[17:00:33] <ggm> apps.
[17:00:42] <ggm> document signing was clear winner. then secure email, ecommerce, sso, secure WIFI.
[17:01:58] <ggm> need to improve on s.w. support. eg smart card support
[17:05:07] <ggm> costs problems not well differentiated. too many kinds of costs
[17:05:07] <ggm> top obstacles. senior mgt lack clue. and users. [much laughter]
[17:07:40] <ggm> biggest problem is path validation, smartcards, unusual cert contents, cross-cert
[17:07:40] <ggm> sense standards are inadequate. need better testing, profiles
[17:07:40] <ggm> action plan.
[17:07:40] <ggm> draft in public review. plan to announce in 2004 Feb. seeking input.
[17:09:08] <ggm> develop specific app guidelines. increase interop test, branding & certification
[17:09:08] <ggm> ask app vendors what they need to do PKI support
[17:09:08] <ggm> gather educational materials
[17:09:08] <ggm> Call to action
[17:09:37] <ggm> http://www.oasis-open.org/committees/pki
[17:09:47] <ggm> pki-tc-chair@lists.oasis-open.org
[17:10:02] <ggm> seeking endorsements, participation etc
[17:11:04] <ggm> Tim there is no killer app
[17:11:22] <ggm> AD respond to immediate pain, need to be aware of security practices. want to make problems go away
[17:11:33] <ggm> Tim NIST path validation protection profiles
[17:12:38] <ggm> tech success, marketing failure.
[17:14:53] <ggm> looking for key motivators to make it work in the marketplace
[17:18:04] <ggm> [sorry. tuned out again. it must be jetlag or something]
[17:19:06] <ggm> tests are at: http://csrc.nist.gov/pki/testing/x509paths.html
[17:21:52] <tdchayes> thanks ggm for being the scribe. very helpful.
[17:22:37] <ggm> sorry I missed some bits you wanted :-( better next time.
[17:22:43] --- ggm has left
[17:36:43] --- jis has left
[17:39:40] --- tdchayes has left