Direct Rules of the Road Meeting - 10-7

From Direct Project
Jump to: navigation, search

Agenda

  • Welcome and update on DirectTRUST.org status -- David Kibbe
  • Discussion of DNS and other areas of optionality -- Arien Malec and Umesh


Meeting Attendees

  • David Kibbe
  • Bruce Schreiber
  • Umesh Madan
  • Don Jorgenson
  • Alice Nyberg
  • Adrian Gropper
  • John Williams
  • Pete Palmer
  • John Feikma
  • Gary Christensen
  • Will Ross
  • Sri Koka
  • Dan Kazzaz
  • McLain Causey
  • Greg Chittim

Meeting Notes

  • Welcome – David Kibbe
  • Update on DirectTrust.org Status – David Kibbe
    • o Elise Dietrich (friend of Dr. Kibbe) has joined a DC law firm and will be taking on DirectTrust.org as a client
    • o Will give this group an update on plans for incorporation and organization in the next few weeks
    • o Using ICANN as a model. Had a MOU with the federal government on internet industry
    • o Likely a not-for-profit, public benefit organization
    • o Lots of interest from ONC. Have been asked by Farzad for a brief on the reasons/purpose for the group
      • § Kibbe, Paul Urig (in house counsel for SureScripts), Elise Dietrich, Brian Ahier all working on the brief
    • o There is a sense of urgency for a feasibility plan
    • o For this to be an successful/effective organization, we likely need a formal engagement with federal agencies. Potentially some worry on ONCs part that this group may work in opposition to where the ONC is heading. Don’t think this is the case, but reinforces the need for some sort of MOU or common understanding
    • o Do not have a website yet, but there is a temporary landing page.
    • o For review next week: Beta production version of Ecosystem version of Certificate Policy – Don Jorgenson
  • Issues related to DNS and other areas of optionality – Umesh Madan
    • o Some folks are skeptical of DNS’s ability to meet the needs of the community
    • o Would like to enumerate what the degrees of optionality as specified by the spec – what you must vs. may do
  1. 1. Certificate Discovery - PKI can’t work if you can’t find the other person’s certificate
  2. 2. Message Wrapping – in default SMIME, you send the message address headers in the clear. Okay/required for to: and from:, but what about PHI in the subject line? Solution to this is message wrapping.
  3. 3.
  4. 4. Provider directories/lists - lots of variability, policy issues that knocked Directories out of scope for Direct.
  • Dan Kazzaz – there is an S&I PD meeting in DC on Oct 18. Direct is off the table, as they believe issue has been solved for Direct with DNS.
  • o Round to discuss DNS Certificate Discovery
    • David Kibbe
    • Bruce Schreiber
      • Think it’s complex
      • Replacing @ with . – does this create a uniqueness issue
      • If certs are going in DNS zone file, doesn’t this get too complex? Would rather have pointer to LDAP?
        • o Umesh – this was on purpose. Up to the implementer to use one of two robust DNS servers. One of them doesn’t use zone files. Does a dynamic look up of a dynamic middle tier – i.e. a big SQL server. Very easy to set up. Open source code.
      • Don Jorgenson
        • SRV record that can point to a Directory could be useful for holding certs and otherwise. Using DNS CERT records definitely makes sense. From a technical level, can we have the tools to fall back from one to another?
          • o Umesh – a totally acceptable and good solution to address
      • Alice Nyberg - pass
      • Adrian Gropper - pass
      • John Williams - pass
      • Pete Palmer
        • Those who were in security and privacy know my opinion
        • LDAP being allowed is great
        • DNS is fine, see if it lives on, but I am skeptical if it will scale long term
          • o Umesh- skeptical that LDAP can be deployed at internet scale. DNS is scalable and super simple especially if you’re dealing with org certs
      • John Feikma
        • We’re comfortable with current approach and DNS
      • Gary Christensen
        • Whichever is best I don’t care.
        • Optionality in current spec will create cases of non-interoperability. We must not proliferate two flavors are not interoperable themselves. I’ve been a big proponent of “we’re doing DNS so let’s do DNS”. Whatever we move to will need to backward compatible – hopefully in the end we will have a big installed base.
      • Will Ross
      • Sri Koka
        • Not a competition. Both of them can be used
          • o Gary – cannot be an or—need to be an and.
          • We took care of this at the beginning at design time.
          • Needs to be vendor agnostic and open source
      • Dan Kazzaz
      • McLain Causey
  • Renewal of the Implementation Geographies call schedule – Will Ross
    • Went down to every other week.
    • WE’re going to go back to every other week, but going to alternate – 1 week current communities, other week planning for future work