Attendees

Phil Benchoff
Al Cooper
Mary Dunker
Frank Galligan
Karen Herrington
Greg Kroll
Ismael Alaoui

Agenda

  1. Enterprise JavaBeans Certificate Authority (EJBCA) native admin interface demo
  2. Discuss invitations to users to participate in focus group meetings. See Draft Focus Group Invitation to techsupport
  3. Discuss Establishing existing relationships
  4. Discuss Concept for exception retrieval of escrowed keys
  5. Background Questions 6, 12, 17, 20, 24 are pending or unanswered.

Meeting Notes


  1. Enterprise JavaBeans Certificate Authority (EJBCA) native admin interface demo
    1. Currently used by IMS.
    2. Features "built-in" security.
    3. Uses your eToken to login.
    4. Only does a simple approve or reject.
    5. No search function.
    6. Because of its limitations we most likely will not use the native interface and will have to customize it.
    7. To meet InCommon Silver profile the identity documents used must be recorded somewhere. There is only a non-searchable comment field available in this native interface.
    8. Internal Audit will be asked to audit our process for compliance with InCommon Silver.

    • Identity Proofing discussion
      1. We discussed whether the requirement (to meet InCommon Silver) for in-person identity proofing is worth the effort. Most users consider it a hassle to have to go to a separate building/office to get their certificate. Will making this a requirement delay the project?
      2. The identity proofing for these soft certs is very similar to that we already use for the eToken.
      3. Is a 5-year life span for a soft cert sufficient? Should it be longer so as not to inconvenience our users?
      4. For renewal, if we allow someone to authenticate with an old certificate (near expiration), this bypasses the face-to-face requirement and issues a new cert for that key pair. In the case of a stolen certificate, this would allow that certificate to be renewed indefinitely without ever requiring in-person identity proofing.
      5. Action item: Review InCommon Silver requirements at our next meeting.
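The renewal concern in item 4 above (a stolen certificate renewed indefinitely because possession of a still-valid certificate is the only check) can be made concrete with a small policy model. This is an added example, not code from the project or from EJBCA; the certificate lifetime, the maximum age of an in-person proofing event, the subject name and the dates are all constructed for illustration. It contrasts the renewal rule as described in the notes with one that carries the original proofing date forward and refuses renewal once that proofing is too old.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Hypothetical policy parameters (assumptions for this example, not values decided in the meeting)
CERT_LIFETIME = timedelta(days=5 * 365)     # the 5-year soft-cert life span under discussion
MAX_PROOFING_AGE = timedelta(days=5 * 365)  # how long a single in-person proofing may be relied on


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: date
    not_after: date
    proofed_on: date  # date of the in-person identity proofing this certificate chains back to


def issue(subject: str, today: date, proofed_on: date) -> Cert:
    """Issue a certificate valid for CERT_LIFETIME, recording which proofing event backs it."""
    return Cert(subject, today, today + CERT_LIFETIME, proofed_on)


def naive_renew(old: Cert, today: date, in_person: Optional[date] = None) -> Optional[Cert]:
    """Renewal as described in the notes: authenticating with a still-valid certificate
    is the only check, and the renewal is treated as if the holder had been proofed today."""
    if today > old.not_after:
        return None
    return issue(old.subject, today, proofed_on=today)


def proofing_aware_renew(old: Cert, today: date, in_person: Optional[date] = None) -> Optional[Cert]:
    """Carry the original proofing date forward across renewals and refuse once it is older
    than MAX_PROOFING_AGE, unless a fresh in-person proofing is recorded for this request."""
    if today > old.not_after:
        return None
    proofed_on = in_person if in_person is not None else old.proofed_on
    if today - proofed_on > MAX_PROOFING_AGE:
        return None  # proofing too old: send the holder back for face-to-face identity proofing
    return issue(old.subject, today, proofed_on=proofed_on)


Policy = Callable[[Cert, date, Optional[date]], Optional[Cert]]


def simulate_chain(policy: Policy, renewals: int, first_proofing: date = date(2010, 1, 1)) -> int:
    """Renew a certificate up to `renewals` times, each 30 days before expiry and never
    presenting new in-person proofing. Returns how many renewals the policy allowed."""
    cert = issue("holder@example.edu", first_proofing, first_proofing)  # constructed sample subject
    succeeded = 0
    for _ in range(renewals):
        today = cert.not_after - timedelta(days=30)
        renewed = policy(cert, today, None)
        if renewed is None:
            break
        cert = renewed
        succeeded += 1
    return succeeded


if __name__ == "__main__":
    print("naive policy, renewals allowed without re-proofing:", simulate_chain(naive_renew, 4))
    print("proofing-aware policy, renewals allowed without re-proofing:", simulate_chain(proofing_aware_renew, 4))
```

Under the naive rule every renewal succeeds, so a key pair that has been stolen can be kept alive for as long as the thief keeps renewing before expiry. The proofing-aware rule does not detect the theft either, but it bounds the damage: the lineage of any one proofing event ends once the recorded proofing date passes MAX_PROOFING_AGE, and the only way to continue is a new in-person proofing recorded against the request. The `proofed_on` field is exactly the kind of record the notes say the native interface cannot hold in a searchable way.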

  2. Discuss invitations to users to participate in focus group meetings. See Draft Focus Group Invitation to techsupport
    1. Reviewed and approved.
    2. Action item: Greg will ask Susan to review this then send it to TechSupport.
  3. Discuss Establishing existing relationships
    1. For students why is a home or contact address not listed?
    2. Action item: In a few weeks Karen will contact the Hokie Passport office and report back on the process they use.
  4. Discuss Concept for exception retrieval of escrowed keys
    1. eProvisioning commented that this will be handled "out of band" on an individual and in-person basis.
  • Need to begin a numbered list of policy decisions that need to be made by the PMA.
  • Use case: What happens to the key pair and certificate when an employee changes jobs within the university?
    • The exiting employee's department will likely need that employee's private key to decrypt documents that belong to the department. The longer the employee was with that particular department, the more documents are likely involved.
    • No decision reached, needs further discussion.
  • Will we issue some sort of "departmental" certificates, i.e., certificates used by more than one person?
    • Phil offered a possible solution of using a server certificate with e-mail attributes as a proxy for a "departmental" certificate. This type of certificate is tied to a service, not an individual. This could be an answer for the employee switching jobs scenario.

1 Comment

  1. Susan R. Brooker-Gross

    Regarding #3
    Discuss Establishing existing relationships

    1. For students why is a home or contact address not listed?

    I suppose the answer is that I didn't list it. Obviously student applicants for admission do provide a mailing address. We could raise the question as to how stable it is, or reliable after admission. An undergraduate's "PR" address--permanent address is probably relatively stable, but such would not be the case for a graduate or professional student.