Editor's Note:  Minutes received 7/17

CURRENT_MEETING_REPORT_

Reported by Steve Kent/BBN

Minutes of the Privacy-Enhanced Mail Working Group (PEM)

The PEM Working Group met once during the Boston IETF meeting.
Various topics relative to the documents which will supersede RFCs
1113-1115 were discussed and resolved.  The consensus of the attendees
was that, when the changes discussed in this meeting have been
executed, the resulting Internet Drafts will be ready for submission
as Proposed Standard RFCs.  The authors of RFCs 1113 and 1114 were
present at the meeting and agreed to make the requisite changes by the
end of July.  The expectation is that the changes to RFC 1115 are very
minor and also can be effected by the end of July.  No modifications
to the FORMS Internet Draft were identified, so that document also
should be ready by the end of July.

The identified changes to be made to the documents are described
below:

   o Any certificate emitted by a PEM implementation shall use the
     object identifier for RSA (see Annex G of X.509) to identify an
     RSA public key carried in the SubjectPublicKeyInfo field.
     However, a PEM implementation shall accept both this object
     identifier and the ``RSAEncryption'' object identifier (from
     PKCS) in this field in ``received'' certificates, e.g.,
     certificates in incoming PEM messages.

   o The term ``Internet Certificate Authority'' will be changed to
     ``Internet Policy Registration Authority'' throughout RFC
     1114bis.

   o A new field, ``Content-Domain'', will be added to the PEM header.
     This field will be used to specify the type of content which has
     been protected by PEM and thus what ``UA'' should be invoked
     after PEM processing has been effected upon a received message.
     This provides a facility for future carriage of data types other
     than simple RFC 822 mail, e.g., MIME, X.400, etc.  This field
     must appear exactly once in the message, immediately after
     Proc-Type.
     The initial parameter value permitted for this field is
     ``RFC-822'' and will be so specified in RFC 1115bis.

The Working Group agreed to make integration of PEM with MIME the next
major work item to be addressed on the PEM-DEV list and in future IETF
meetings.  It was agreed that this is a non-trivial task which will
require careful study.  There is a very strong desire from a variety
of Internet community members to proceed with deployment of PEM for
use with ``vanilla'' RFC 822 mail, hence this decision to make
PEM-MIME integration a new work item rather than delaying progress of
the current set of Internet Drafts.  In recognition of this approach
to accommodating MIME, RFC 1113bis will be revised to make explicit
that it is a specification of core PEM functions plus use of PEM with
RFC 822 mail, and that subsequent RFCs will address use of the core
PEM functions with other mail systems, e.g., MIME, X.400, etc.

There was a discussion of issues related to deployment of PEM,
summarized below:

   o The PEM specification documents should all be ready for
     advancement by the end of July.

   o TIS should be able to quickly accommodate the very minor change
     to the PEM header decided upon at this meeting, so availability
     of the reference implementation should not be substantially
     affected by the decisions at this meeting.

   o TIS and RSADSI have executed the license agreement necessary for
     Internet distribution of PEM.

   o The Internet Society is making preparations to instantiate its
     role as an Internet Policy Registration Authority.  MIT has
     developed software that implements the CRL service defined in
     FORMS and which needs to be operated by the IPRA.  Steve Kent has
     provided a strawman algorithmic description of processing for the
     DN conflict resolution database, another database which the IPRA
     will operate.

   o TIS and RSADSI have approached the IPRA about establishing PCAs,
     and RSADSI has recently distributed, via PEM-DEV, a candidate
     policy statement for a PERSONNA PCA.
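The Content-Domain rule decided above (the field appears exactly once, immediately after Proc-Type, with ``RFC-822'' as the only initial value) can be checked mechanically on receipt. The following is an added example, not part of the minutes or of any PEM implementation; the function names, the Proc-Type values and the X-Sample field are constructed for illustration.

```python
# Added example, not from the minutes or any PEM implementation.
# Sample field values other than "RFC-822" are constructed.
ALLOWED_CONTENT_DOMAINS = {"RFC-822"}  # initial value named in the minutes

def parse_fields(header_text):
    """Split a header into (name, value) pairs, stopping at the blank line.
    Lines starting with whitespace continue the previous field (folding)."""
    fields = []
    for line in header_text.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.strip(), value.strip()))
    return fields

def check_content_domain(header_text):
    """Return a list of rule violations; an empty list means compliant."""
    fields = parse_fields(header_text)
    names = [name.lower() for name, _ in fields]
    problems = []
    if "proc-type" not in names:
        return ["no Proc-Type field"]
    count = names.count("content-domain")
    if count != 1:
        problems.append("Content-Domain appears %d times, expected 1" % count)
    after = names.index("proc-type") + 1
    if count and (after >= len(names) or names[after] != "content-domain"):
        problems.append("Content-Domain does not immediately follow Proc-Type")
    for name, value in fields:
        if name.lower() == "content-domain" and value not in ALLOWED_CONTENT_DOMAINS:
            problems.append("unsupported Content-Domain value: %r" % value)
    return problems

# Constructed headers (field values are illustrative only).
GOOD = "Proc-Type: 4,MIC-CLEAR\nContent-Domain: RFC-822\nX-Sample: a\n\nbody\n"
MISPLACED = "Proc-Type: 4,MIC-CLEAR\nX-Sample: a\nContent-Domain: RFC-822\n\n"
DUPLICATE = "Proc-Type: 4,MIC-CLEAR\nContent-Domain: RFC-822\nContent-Domain: RFC-822\n\n"
OTHER_TYPE = "Proc-Type: 4,MIC-CLEAR\nContent-Domain: MIME\n\n"

if __name__ == "__main__":
    for label, hdr in [("good", GOOD), ("misplaced", MISPLACED),
                       ("duplicate", DUPLICATE), ("other", OTHER_TYPE)]:
        print(label, check_content_domain(hdr))
```

A receiver that rejects any message with a non-empty result never dispatches protected content to a handler it was not told about, which is the purpose the minutes give for the field.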

It was suggested that an FYI on how prospective PEM users ``get
started'' would be a useful document, once PEM deployment has
progressed.  This would augment the PCA policy statements which will
be published as informational RFCs.  It also was suggested that a PEM
implementors' BOF might be scheduled for the next IETF, based on
expectations for PEM deployment progress during the next 6 months.

Attendees

Harald Alvestrand        Harald.Alvestrand@delab.sintef.no
Ashar Aziz               ashar.aziz@eng.sun.com
Mark Baushke             mdb@cisco.com
Uri Blumenthal           uri@watson.ibm.com
Mark Bokhan              bokhan@abitok.enet.dec.com
Luc Boulianne            lucb@cs.mcgill.ca
James Conklin            jbc@bitnic.educom.edu
Stephen Crocker          crocker@tis.com
Michael DeAddio          deaddio@thumper.bellcore.com
Peter DiCamillo          Peter_DiCamillo@brown.edu
Tom Farinelli            tcf@tyco.ncsc.mil
Barbara Fraser           byf@cert.org
Shari Galitzer           shari@shari.mitre.org
Gary Gaudet              gaudet@zk3.dec.com
Neil Haller              nmh@thumper.bellcore.com
Stephen Kent             kent@bbn.com
Peter Kirstein           kirstein@cs.ucl.ac.uk
John Linn                linn@erlang.enet.dec.com
Kent Malave              kent@chang.austin.ibm.com
Ellen McDermott          emcd@osf.org
Clifford Neuman          bcn@isi.edu
Marshall Rose            mrose@dbc.mtview.ca.us
Paul Sangster            sangster@ans.net
Jeffrey Schiller         jis@mit.edu
Richard Schmalgemeier    rgs@merit.edu
Einar Stefferud          stefisoc@nma.com
Theodore Ts'o            tytso@mit.edu
Huyen Vu                 vi@polaris.disa.mil
Sandro Wallach           sandro@elf.com
David Wang               wang@xylogics.com
Charles Watt             watt@sware.com
Peter Williams           p.williams@uk.ac.ucl.cs