Soft Personal Digital Certificates project meeting

Monday, October 10, 2011; 10:00 a.m.; AISB-208

Invited

Ismael Alaoui, Marc DeBonis, Mary Dunker, Daniel Fisher, Frank Galligan, Dave Hawes, Karen Herrington, Greg Kroll, Ken McCrery, Kevin Rooney

Agenda

1. 9/29: Jira request (ED-765) Web service API for certificate updates on the registry
   • An operation to update the user's certificate attribute, this should also accept an empty certificate parameter which would effectively remove the existing cert.
   • An operation to update the suppression flag of the user's certificate attribute
   • Any issues remaining to implement the web service?
   • Time Table for availability on Dev System?
   • SoftPDC Web App->Registry->ED->AD
     
2. Users will have the ability to enable/disable visibility of SoftPDC in ED when using People Search
   • Using the SoftPDC web interface - registry update ?
   • Using MyVT Profile Visibility ?
     
3. Connection info for DEV ED-ID
   • Host Name: id-dev.directory.vt.edu ?
   • Port: 636 ?
   • Base DN: ou=People,dc=vt,dc=edu ?
     
4. Connection info for DEV AD
   • Host Name: ????.w2k-dev.vt.edu
   • Port: 636 ?
     
5. Active Directory
   • 35 AD users with certificates reported by Marc
   • Most certificates were issued by Thawte FreeMail CA
   • Mostly issued to IT personnel – probably test groups
   • All certificates have expired except for 3 individuals
   • Currently AD allows multiple certs for individual
   • Doesn’t appear that publishing SoftPDCs to AD would cause any major conflicts
     
6. Questions
   • How are certificates currently published to GAL?
     • Outlook 2010->File-Options->Trust Center->Trust Center Settings->eMail Security->Publish to GAL
   • Can the number of certificates published be controlled?
   • Can AD be configured to restrict publication by issuing CA?
   • What are the options for controlling visibility?
   • Options for browsing AD?
     • Outlook address book integration – certs viewable only when added to Contacts
     • Other options?
       
7. Soft PDC Prototype Demo
   
8. Next Meeting TBA

Attended

Ismael Alaoui, Marc DeBonis, Mary Dunker, Daniel Fisher, Frank Galligan, Karen Herrington, Kim Homer, Greg Kroll, Ken McCrery, Kevin Rooney

Meeting Notes

1. 9/29: Jira request (ED-765) Web service API for certificate updates on the registry
   1. SoftPDC web service estimated availability is December 2011
   2. Active Directory (AD) does not have any sort of suppression function
   3. Preferred Email address
      1. Default is pid@vt.edu but that can be changed by the user
      2. There is the issue of keeping student information confidential especially if they are suppressing that information
      3. There are no students in AD unless they are sponsored
      4. If a student is "wage" (not student wage) the student record comes across in ED
      5. We need a policy person to interpret any FERPA issues
      6. One option (for AD) may be that students give up their right to suppression if they are in AD (sponsored)?
      7. We need to educate users on what exactly a preferred email address is. Especially the case where they change their preferred email address which will necessitate getting a new certificate
      8. May be some usability issues with encryption if a person has multiple certificates since ED will only store the most current certificate (just one).
      9. Need to test this use case: Someone wants to send encrypted email to a user for whom they do not have their cert, so cert is retrieved from ED but it does not match the email address you are sending to because that user has multiple certs.
2. Questions
   1. We want AD to match what is/can be done in ED
   2. Since ED will only store one cert (most current) we want to be able to prohibit users from uploading multiple certs in AD (which can currently be done).
   3. How is all this affected if we switch to Office 365?
   4. AD does not handle single attribute deletion
   5. Need to test suppression and deletion of certs in AD using the replication process
   6. Options for browsing certs in AD?
      1. Can be done with Thunderbird (which can connect to GAL)
      2. May be able to use LDAP
3. User education issue: Users will not know they cannot use the soft cert everywhere unless they put it on a portable device like a USB drive. The soft cert will not fit on the eToken because the soft cert uses a 2K key and the eToken can only handle 1K keys.