Campus updates:
Barry Ribbeck of the University of Texas-Health Science Center (UT-HSCH) described the level of signed e-mail they've been able to implement. They've got most users trained to the point that they will ignore unsigned e-mail. All official communications are signed. All sensitive account information is encrypted. They are working to get the human resources divisions on board.
He is having an issue with exporting certificates from Mozilla and Netscape. The digital authentication for the VPN requires a certificate. If the certificate has been downloaded through Mozilla or Netscape and then exported to a token, it doesn't seem to work.
At the University of California - Office of the President, current projects will continue until they expire, but due to the University of California fiscal situation everything else has been put on hold system-wide until further notice. David Wasley will continue the Higher Education Bridge Cross Certification work until the contract expires.
Overcoming the hype on barriers to implementing PKI and S/MIME: Institutions keep focusing on potential problems caused by the lack of a perfect PKI. Equally difficult systems have been deployed in the past, without the same level of worry over every little detail. More typically the approach was "start somewhere and usability will improve in time." UT-HSCH put their system in production over the last five years. It's not 100% perfect but it works pretty well. Why is getting S/MIME clients out to users such an issue in general? Why don't all operating systems have certificates built into them? The goal is the ability to plug a USB dongle into any network device and have it recognized and work.
A critical aspect is to approach this from the user point of view. It must be easy and usable by a newbie.
Barry shared that implementing things inside the system has been easy; it's going outside the system that's hard because there's uniformity, and the ability to dictate uniformity, in what's implemented inside the system.
Issues:
• Certificate discovery and validation
• Level of trust
• INA processes
• Process consistency
• Process auditing
If these could be mapped out at the bridge level then inter-institutional trust could be established.
The federal government wants registrars to put student information into the system. Can they use a campus-issued cert to show the registrar is authorized to do this? How will identity verification and other issues be handled?
Issues:
• Standard vocabulary needed
• Bidirectional authentication
• Identity proofing and semantics
• Standards will be needed
There is a subject info access field that is not generally used, and it could be a way to get further information on a subject.