Members Meeting December, 2000 Sydney. Sydney Meeting u 73 Attendees u Day 1 Plenary provided valuable input for the working groups u 5 working groups.

Members MeetingDecember, 2000

Sydney

Sydney Meeting

73 Attendees Day 1 Plenary provided valuable input for

the working groups 5 working groups progressed existing work

items and introduced new work items First deliverables of both TWG and BWG

received final review

Technical Working Technical Working GroupGroup

Working Group Introduction Session

Introductions Objectives and Ground Rules Project and White Paper Objectives Status at end of September Meeting

Participants December September

Vendor 13 45% 20 43%

ISV/Exploiter 12 41% 16 38%

Customer 4 9% 10 24%

29 46

CMP Interoperability Project

Robert Moskowitz Goals

– Establish the baseline of mandatory CMP functions• Done!

– Establish the optional, but important CMP functions• Done!

– Expose any deficiencies of difficulties with the specification and provide needed feedback to the IETF on recommended changes to the specification• Progress!

– Provide the foundation for future product testing so that customers will be able to buy PKI products with confidence• Light at the end of the tunnel!

CA-CA Interoperation

Steve Lloyd Goal – Identify problem areas Sources – Government specifications Several options of CA-CA relationships

have varying applicability Schedule – Final Draft 22 December 2000 APEC meeting in March How to do profiling (Davis lead, 4 others)

Token Interoperability

John Hughes (Andrew Nash Reporting) White Papers

– Scope of White Paper• Token interoperability inhibits• Environments• PKCS 11, 15 vs. IETF• Need a “Token Best Practices”

– Chapters• Business Requirements, API’s, Token Formats, Mobile Users,

Recommendations• Chapter owners

– Slow progress, draft by March meeting

UK Government Interoperability Trial

Richard Lampert 15 participants (many more than expected) “Island department PKIs” with domain Common repository (X500 from Novel) Number of vendors implies detail planning Internet trial followed by face to face test Open day for Government Customers in April

2001 Test report in April 2001

Interoperability White Paper Review

Steve Lloyd and Lisa Pretty Concepts from Tim Polk presentation in

March 2000 Definition of terms for interoperability Final comments by Dec 11 Board approval Dec 13 Possible publish in “international

magazine”

Application Certificate Use Project

David Crowe Results Datasheets completed by testers Certificate library

– Review process will be required Datasheets

– Product Descriptions, functionality, configuration notes Test Scripts

– SSL, S/MIME e-mail, Cert Path construction and validation

Application Cert Use Status

Cert library Considerations– Unicert 12.7 cert– CRL Dist Points (by agreement)– Do need PKCS 12– Need CRLs that don’t expire and CRL’s you

would get from CDP Participation and lack of progress

Steve Orlowski

Steve is from APEC eSecurity Task Group Certs under multiple jurisdictions

– Singapore, Japan, Korea– Govt schemes Australia, USA

Key is accreditation Criteria similar, but hard to line up APEC/EU common criteria

– Certificate to support international trade– Fitness for purpose based

OCSP Testing Proposal

Alistair Grant Based on questions from customers Testing Categories

– ASN.1, CertID interpretation, sig conformance, extensions, return code, scenarios Test Groups

– Responder/resp, client/resp, CA/resp Likely hot spots

– Req sig, resp sig, IssuerKey Hash Next steps

– Define set of tasks– Produce project plan/deliverables

Points– 1– 2– German paper

Rob Moskowitz or Carlin Kovey

Path Construction White Paper

Mark Davis High interest in paper Theoretical issues under control

– Graph theory algorithms Operational and implementation problems issue

– Repository/schema problems– Resource problems– Deployment problems– More help from protocols and business process

WP contribution is guidance on operational matters Do we have experience and resources

Community of Interest Discussion

Stephen Wilson Policy OIDs of CA’s and resolution of

multiple CA Audit certificate carries OID Many topics to continue discussion on he

list Stephen Wilson will circulate his paper

LDAP White Paper

Dave Finkelstein (Andrew Nash Presenting) David writing straw man paper to get motion Draft circulated by end of December Patrick Fantou report on LDAP Survey

– Reduce Circulate– Detail questions – too large to complete– Missing areas – application use, name mapping, how

searches are done, path constructions– Coordinate with other surveys– Direction: survey, then WP, or survey and WP in ||

Technical Interoperability

Robert Moscowitz Issues on CA’s, Lifecycle, repositories,

Certificate validation Why have infrastructure, then how does it Bob will submit draft for consideration

Marketing/Education Marketing/Education Working GroupWorking Group

Mission Statement

The Education Work Group’s mission is to create informational pieces that help promote the understanding and value of PKI from both a business and technical perspective.

PKI Tutorial and White Paper Companion

2 Separate presentations– Business target audience

• PPT

• PDF

– Technical target audience• PPT

• PDF

Rollout Timeline

3 Review target dates– Dec 22, 2000 submission to ED WG for final

comments– Jan 15, 2001 submission to BWG and TSG for

comments– Jan 31, 2001 submission to Board for approval

Feb 14, 2001 final version posted to web site

New Project : Security in E-Business

Biz confidence is based on trust. Biz wants to move/is moving more

processes to the electronic world Same trust is required in the physical and

electronic world PKI helps mitigate business risk in the

electronic world

E-Business White Paper:

Security in E-Business White Paper Authors: Mike Jeffries, Dan Morrison, Bill

Franklin 1st Draft for ED WG review: Dec 22, 2000

Policy & Privacy Policy & Privacy Working GroupWorking Group

Policy and Privacy Working Group Summary

11 participants over two days Reviewed Montreal meeting project proposals Reviewed submitted Work Items Moved one item to final draft, one item to final

WG review Created mission statement, objectives,work plan

approval process, future meeting schedule Had great commitment from the team

Policy and Privacy Working Group Summary

Mission Statement: – “To provide information and guidance on the

policy and privacy needs and issues related to the development, implementation, and usage of PKI.”

Policy and Privacy Working Group Summary

Objectives:• Develop documents defining high-level

environments, principles, policies, and practices which support government, business, and consumer use of PKI to perform electronic processes

• Develop documents defining the implementation of privacy policies using PKI

• Develop projects that promote understanding and provide guidance for the implementation of policies across jurisdictions using PKI

Policy and Privacy Working Group Summary

Major Current Work Items– PKI Policy Principles

• agreed to final draft

• will send for BWG/TWG final review

– PKI Policy Note• agreed to revised language

• will include one additional business example

• Expect WG review within 2-3 weeks and final draf t in January

– E-Sign Analysis• Established working committee to address re-write

Other Work Items – future meetings-calls

Best PracticesBest PracticesWorking GroupWorking Group

Best PracticesSummary

Wed December 6th: New Members (Japan & India) Definition

– guideline based on material that is – pertinent– actionable– enforceable– auditable

Need common glossary, maybe RFC2828

Best PracticesSummary

Actions/dates assigned for BP chapters:– Value proposition – Risk Management – Planning for successful PKI deployment – Key management– Audit - 3rd party attestation– Legal FAQ and pointers– Registration procedures– TimeStamping/proofing– Accreditation and independent validation

Info to come from APac, NA, and EU

Best PracticesSummary

Best practices evolve with time (mechanism to keep current)

Conclusion– Monthly conference calls are needed to

progress this work– Chair will distribute draft Best Practices paper

by 14 February 2001 Thurs December 7th - n/a

Best PracticesGeneral Comments

Need to avoid duplication of effort - WG Chairs need to communicate and WG members should have a synopsis of activities and boundaries of each group

Board should be providing members with – schedule of PKIForum-level deliverables across

all WGs– copy of PKIForum Business Plan that describes

linkages between all working (and sub-working) groups

ApplicationsApplicationsWorking GroupWorking Group

Applications Summary

Revised Mission Statement– To provide a forum that encourages sharing

business experience, and to produce deliverables that highlight the driving PKI applications within Financial Services, Healthcare, Government, and other influential vertical markets.

Process reviewed with Board Healthcare Note – final-final comments to

Ray by next week

Applications Summary

Open solicitation for Project Leads– Financial Services Note and Government Note

Open solicitation for contributors to case studies

Timeline: submissions by mid-late January to leave enough review time before March meeting

Next Steps

Complete evaluation forms! Don’t wait until next meeting to progress work items Keep PKI Forum objectives in mind and identify

actions to advance Member surveys will be sent out through mailing list

in early January Next Meeting March 13-15 in California

– Bay area venue to be set and announced early January – Agenda to be published the end of January

Website overhaul and improved information availability