If an individual has a University Directory (UDir NetID), it will be hashed and used in the certificate.

If an individual does not have the UDIR NetID, a unique identifier will be assigned by the campus to the person, hashed and used in the certificate.

The hashed unique identifier will be referred to as a CertID.

A system needs to be agreed upon for assigning campus level NetIDs such that the hashed version of the two sets do not collide.

Sal reported on the following options that have been considered:

SmartCards, tokens, short term certificates, floppy disks with certificates and terminal certificates associated with login session. MelWeb will issue terminal certificates associated with an authorization mechanism.

Sal will write a section for the report that summarizes his investigation.

Sal Gurnani (UCOP) will provided an overview of the technical, policy and procedure issues for certificate revocation lists.

Netscape has a proprietary CRL mechanism which works with LDAP. OCSP is in development.

Entrust provides a proprietary CRL option but it is very expensive.

GTE provides a turnkey, enterprise certificate server. GTE provides a toolkit for working with small CRLs. Recommends ValiCert for large CRLs.

ValiCert, client/server toolkit for managing large CRLs in a proprietary tree structure stored in a single location.

In the short term, we will use the CRL software that comes with the server. Sal will continue to investigate the best option for using a CRL management tool.

Tom Arons provided a written overview of the issues related to digital signatures and key escrow systems. The workgroup feels that the standards are incomplete and the technology is immature. A recommendation for a Universitywide direction and system of management can not be made at this time. The workgroup recommends that the state of digital signatures and key escrow systems be reassessed one year from now.

Sal Gurnani reported that the UDIR is available for testing updates from the database.

Use secure LDAP to retrieve authorization data from the directory.

Joan Gargano submitted a written definition. The group recommended:

The workgroup agreed with the following:

According to X.509, a certificate policy is, "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." A certificate policy may be used by a certificate user to help in deciding whether a certificate, and the binding therein, is sufficiently trustworthy for a particular application. A more detailed description of the practices followed by a Certificate Authority (CA) in issuing and otherwise managing certificates may be contained in a certification practice statement (CPS) published by or referenced by the CA. According to the American Bar Association Digital Signature Guidelines (ABA Guidelines), "a CPS is a statement of the practices which a certification authority employs in issuing certificates."

Convene a workgroup composed of members of the University Joint Operations Group and the Authentication Workgroup to create a Certification Practice Statement for the University certificate system. This work is a combination of technical specifications and policy statements and should build upon the following documents.

S. Chokhani, W. Ford, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework," draft-ietf-pkix-ipki-part4-03.txt, April 25, 1998, http://search.ietf.org/internet-drafts/draft-ietf-pkix-ipki-part4-03.txt.

VeriSign Certification Practice Statement, VeriSign, Inc., Mountainview, CA, https://www.verisign.com/repository/CPS/.

"UMS Public Key Certification Practices Statement (CPS)," University of Colorado, March 18, 1998, http://www.cusys.edu/~security/pki/cps3.html.

The workgroup agreed upon the following statement and recommendation.

Until the end of 1996, a US Government administrative regulation, "The International Traffic in Arms Regulations" (ITAR) restricted exports of strong encryption software and hardware. Every cryptographic product with a key length exceeding 40 bit, for symmetric ciphers, and 512-bit, for public key exchange, is classified as "munitions" and prohibited from export. New export control regulations are in effect as of January 1, 1997 but is unclear if the change in rules has any implications for the users of cryptographic software.

The constitutionality of ITAR has recently been challenged in court. The Electronic Frontier Foundation (EFF) is sponsoring a lawsuit by Professor Daniel Bernstein to determine whether the Professor has the right to teach about cryptography, and collaborate with his peers around the world. A major point is whether he can publish source code that foreigners might be able to access, or speak it directly to individual who might be foreign. The case rests on established First Amendment law and relies on the fact that computer source code is human-to-human communication protected by the First Amendment (in addition to anything else it might be useful for.) In this case, U.S. District Court Judge Marilyn Patel (Northern District of California) issued a landmark ruling that computer source code is a form of speech protected under the First Amendment to the U.S. Constitution. She held that the current export controls violated the free speech rights of Daniel Bernstein, an academic cryptographer, who sought to distribute his work. The case is now on appeal to the 9th Circuit Court of Appeals, and a ruling is expected shortly. However, the ruling applies only to source code, not to the executables

On March 4, 1998 the Electronic Frontier Foundation (EFF) issued a joint statement with the American Civil Liberties Union (ACLU) and the Electronic Privacy Information Center (EPIC) at the Washington, DC, event launching the formation of a new industry-led alliance, Americans for Computer Privacy (ACP) which has been created to advocate against restrictions on the use of encryption.

In the meantime, several US-based companies offer scaled down, exportable versions of their cryptographic products to customers outside of the US. These 40-bit ciphers do not provide adequate security for most medium to high security applications.

The Authentication workgroup is not the appropriate group to interpret export restrictions on encryption software which is used with Public Key Infrastructure and certificates. The workgroup does not feel 40-bit ciphers are adequate for security in the University environment and will move forward with plans to create a PKI using certificates requiring the use of strong encryption technology which is restricted in use by export law.

Some University affiliates, especially foreign students and faculty, may be inconvenienced by export restriction laws which govern the use of the strong encryption technology.

Policies and procedures must be developed to guide the use of certificates for students, faculty and staff who travel outside of the United States. These policies must be referenced in the Certification Practice Statement. A Universitywide policy committee, with participation by legal counsel must address these issues.