minutes and revised charter

[Stephen Kent <kent@bbn.com>]

I want to thank those who provided feedback for both the meeting minutes
and the WG charter.  Both have been revised in accordance with these
comments.

I am happy to report that Jeff Schiller has approved the new WG charter.  I
will see about having it posted to the IETF web site.  I also will be
submitting the minutes to the IETF secretariat.  Several speakers have
kindly provided me with their slides, and I will accept other slide sets
for a week, before sending them off to the secretariat as well.

Below are the final meeting minutes, and the revised charter. (The charter
still is awaiting a few RFC numbers to be assigned.)

Thanks,

Steve
--------------------------
PKIX WG Meeting 3/17/99
Edited by Steve Kent (WG co-chair)

The PKIX WG met only once during the 44rd IETF and a approximately 200
individuals participated in these meetings.

The meeting began with a review of the status of all of the WG document,
presented by Warwick Ford, WG co-chair. The following text summarizes the
status of the documents:

PKIX COMPLETED DOCUMENTS

PKIX Cert/CRL Profile (RFC 2459)
		Approved as Proposed Standard
KEA Algorithms for Profile (RFC 2528)
		Approved as Informational RFC
HTTP/FTP Operations (draft-ietf-pkix-opp-ftp-http-04.txt)
		Approved as Proposed Standard
LDAP V2 Operational Protocols (draft-ietf-pkix-ipki2opp-08.txt)
		Approved as Proposed Standard
LDAP V2 Schema (draft-ietf-pkix-ldapv2-schema-01.txt)
		Approved as Proposed Standard
OCSP (draft-ietf-pkix-ocsp-05.txt)
		Approved as Proposed Standard
CMP (RFC 2510)
		Approved as Proposed Standard
CRMF (RFC 2511)
		Approved as Proposed Standard
Certificate Policy/Practices Guideline (RFC 2527)
		Approved as Informational RFC

PKIX WORK IN PROGRESS

ECDSA Algorithms for Profile (draft-ietf-pkix-ipki-ecdsa-01.txt)
		New draft to be issued for WG last call shortly
CMC (draft-ietf-pkix-cmc-02.txt)
		Under WG review
Diffie-Hellman POP (draft-ietf-pkix-dhpop-00.txt)
		Under WG review
Qualified Certificates (draft-ietf-santesson-qc-01.txt)
		Under WG review
CMMF (draft-ietf-pkix-cmmf-02.txt)
		This item to be dropped from the program
Time Stamp (draft-ietf-pkix-time-stamp-00.txt)
		Under WG review
DCS (draft-ietf-pkix-dcs-00.txt)
		Under WG review
Web-Based Integrated CA Services Protocol (draft-sakurai-pkix-icap-01.txt)
	Submitted for WG consideration

Reports on Established Projects:

A new WG charter was presented, in draft form, which shortly will be posted to
the mailing list.  The expanded charter encompasses attribute certificates,
time stamping and notarization services, and qualified certificates.


CMC and Diffie-Hellman POP (J. Schaad-Microsoft)
The CMC draft did not meet submission deadline, but was made available to the
list.  The D-H POP draft is undergoing revision.  CMC has been revised to
accommodate comments from Carlisle from the last meeting. Additional changes
are planned, including removal of the key archival and recovery features, and
clarification of RA operations.

PKIX Roadmap (A. Arsenault-NSA)
Missed submission deadline.  Undergoing revision to deal with terminology
inconsistencies, POP, adding a history of PKIX, new work items (e.g.,
qualified certificates and time stamping), explanation of name constraints for
alt name forms, path validation, etc.

Qualified Certificates (S. Santesson)
Goals of qualified certificates were reviewed. The fundamental thrust of this
work is the development of a new SubjectAltName type, for "unmistakable
identity" ID information. Attribute semantics represents the top-level
structure for the SubjectaltName, making it clear what form of ID is being
provided, e.g., national ID card or driver license. Also, this extension will
contain a registration authority field, as required by German law.  A pointer
to a web site for additional info was provided (http://www.accurata.se/QC/).
Suggestion was made to consider splitting this work into two document: one for
the new name form, and another (informational?) to explain the context for
which this new name form was devised. However, to the extent that a qualified
certificate imposes  constraints on other certificate fields, it is not clear

Data Certification and Time Stamping (R. Zuccherato-Entrust)
Data certification server I-D not recently updated, but will be soon, to
respond to comments, e.g., ASN.1 corrections and more explanatory text.  The
time stamping document also has not been updated recently, but will undergo
minor revisions, e.g., to allow for issuance of a time stamp without
submission of a hash.  Unfortunately, the topics of time stamping and data
certification are rife with intellectual property claims, which may interfere
with progression of these documents.  Specifically, a lawsuit has been filed
by patent holders against a company that has implemented a prior version of
this protocol. The WG chairs will work with the authors of the documents to
help resolve these issues.


Other Topics:

Progressing RFC 2459 to Draft Status (T. Polk-NIST)
Collecting inputs for (mostly) minor corrections and clarifications to this
document in anticipation of progressing this work.

OCSP Clarification (S. Kent-BBN)
Two sections of OCSP will be revised to clarify what is required of compliant
clients and servers with respect to what keys can be used to sign OCSP
responses. Specifically, an OCSP response must be signed by either the CA who
issued the certificate in question, by an entity who has been explicitly
delegated this authority by that CA (through direct issuance and inclusion of
a specified EKU extension), or by an entity who has been selected as
authoritative by the client. Compliant OCSP servers and clients MUST be able
to support all three of these options.(Satisfying the third option is largely
trivial for the server, but requires a configuration capability for clients.)

Will End-Entity Certificates be Fat or Low Fat? (D. Pinkas-Bull)
Proposal to minimize the addition of extensions to EE certificates, by moving
as much of this sort of information to CA certificates, from EE certificates.
Examples of such extension data are pointers to OCSP responders and CRL
servers, where applicable to all certificates issued by a CA.

Attribute Certificates	(S. Farrell-SSE)
A kickoff announcement of this new work item. Providing pointers to work on
attribute certificates for use with TLS, as an example.

OCSP Interoperability Testing	(A. Malparni-ValiCert)
Reported on tests of seven independent implementations.  All made use of HTTP
and direct, DER encoding (not base 64).  Discovered some problems, e.g., in
hash computation.

Server-based Certificate Validation (A. Malparni-ValiCert)
A suggestion to explore "outsourcing" certificate validation to a server, from
a client. Proposal is to develop a protocol between a client and the
validation server, which might be attractive when the client is not
computationally capable, or to help by centralizing administration of
certificate validation management. There are security concerns here, because
of the centralization of security function in servers.

MISPC Reference Implementation (T. Polk-NIST)
CDROM contains CA, RA, and client executable code. Represents a profile of
2459, CMP, and CRMF.  Available via web site: http://crscnist.gov/pki/mispc/

----------------------

Internet standards needed to support an X.509-based PKI. Several
informational and standards track documents in support of the original
goals of the WG have been approved by the IESG. The first of these
standards, RFC 2459, profiles the X.509 version 3 certificates and version
2 CRLs for use in the Internet.  The Certificate Management Protocol (CMP)
(RFC 2510), the Online Certificate Status Protocol (OCSP) (RFC 2xxx), and
the Certificate Management Request Format (CRMF) (RFC 2511)  have been
approved, as have profiles for the use of LDAP v2 for certificate and CRL
storage (RFC 2xxx) and the use of FTP and HTTP for transport of PKI
operations (RFC 2xxx).  RFC 2527, an informational RFC on guidelines for
certificate policies and practices also has been published, and the IESG
has approved publication of an information RFC on use of KEA (RFC 2528) and
ECDSA (RFC 2xxx).  Work continues on a second certificate management
protocol, CMC, closely aligned with the PKCS publications and with the
cryptographic message syntax (CMS) developed for S/MIME.  A roadmap,
providing a guide to the growing set of PKIX document, is also being
developed as an informational RFC.

The working group is now embarking on additional standards work to develop
protocols that are either integral to PKI management, or that are otherwise
closely related to PKI use. Work is ongoing on alternative certificate
revocation methods. There also is work defining conventions for certificate
name forms and extension usage for "qualified certificates," certificates
designed for use in (legally binding) non-repudiation contexts. Finally,
work is underway on protocols for time stamping and data certification.
These protocol are designed to support non-repudiation, making use of
certificates and CRLs, and are so tightly bound to PKI use that they
warrant coverage under this working group.

Additional work will be initiated on a profile for X.509 attribute
certificates, resulting in a new RFC and, perhaps,  in extensions to
existing certificate management standards to accommodate differences
between attribute certificates and public-key certificates.

New Goals and Milestones:

 July 99
            Update RFC 2459, in anticipation of progression from PROPOSED
to DRAFT
Complete approval of CMC, qualified certificates, and time-stamp documents
Initiate work on attribute certificate profile.

 Dec 99
	Update March/April RFCs, for progress from PROPOSED to DRAFT
	Complete approval of data notarization document
Publish I-D for attribute certificate profile

March 00
	Complete work on attribute certificate profile

July 00
	Continue RFC updating process, Š