Security & Trust Meeting 2011-01-06
		
		
		
		
		
		
		
	
Jan. 6, 2011 - Security & Trust WG Call
Thursday, January 06, 2011
2:00 PM EST
 
Umesh - leading
Umesh - can someone update meeting from Dec? [no]
Items to work on:
Threat model for XD -- Completed, hasn't gone through a workgroup vote yet, but it has gone through RI group review and should be pushed forward for vote. Comments?
 
John - Deployment models document got a lot of comments that the deployment models were not complete enough for XDR interaction. Threat assessment may not be complete since that's only against deployment model. Haven't yet addressed comments. Hold for further review.
 
Umesh - John, will threat model be substantially different for different deployments? Is there incremental work that can be done?
 
John - Hasn't read comments well enough to know if they are radical changes. If there is just a little option this way or that way… it depends. Doesn't have a solid answer at this point. Intend to review comments early next week. Discuss next meeting.
 
Umesh - Report and recommendation from John at next meeting. Other item: Certificate Pilot recommendations proposal that was out for consensus from Implementation workgroup. Arien and John got this pushed out in mid-December. Should changes require fresh call for consensus or can dissenting parties review and alter their votes?
 
John - Everyone needs to look at current output, not just comments. Guidance to current Impl. Deployment, not necessarily a formal statement from the Direct Project. There is policy in there, but it's policy in scope.
 
Umesh - Certainly requires a re-read. Does it require a re-vote?
Spirit remains the same, just a misuse of terminology ("private certificate," etc.)
 
[no objections]
 
Umesh - No revote. If you haven't voted already, do so by next week's meeting (Jan. 13)
FYI: Connect-a-thon tomorrow where reference code will be tested. Production deployments going out in the next few weeks. Live messages exchanged in the next few weeks.
 
During connect-a-thons, are those tests against RI of email clients, etc.?
 
Umesh - Not in this particular connect-a-thon. Just making sure various stacks talk to each other correctly, another connect-a-thon a few weeks later. Tested personally .NET stack against Outlook and it worked a month ago. Test case needs to be done over the next couple of weeks.
 
Mike Davis - Is connect-a-thon at HIMSS?
 
Umesh - Yes, but this is a virtual one. RI page has link to Jan. virtual connect-a-thon. 5 different implementations, some using .NET, some using Java stacks. Conference call to coordinate. This is all within Direct project.
 
John will check back with how things are going with Threat model at next week's meeting or sooner.
 