Single Sign-on Network Authentication Working Group
---------------------------------------------------

Our charge:

1.  Define a campus-wide User ID space by merging existing ones
2.  Define mechanisms for maintaining the User ID space
3.  Develop (copy) policies for Kerberos-like authentication servers
4.  Test, pilot, and begin deployment of Authentication Servers

7/8/94

2:05 - 2:20     Introductions
                - Background of team members
                - Previous experiences with user authentication

2:20 - 2:45     Discussion
                - DCE and dce discussion from chairs group
                - Scope: Unix or more?
                - What User ID assignment methods and authentication
                  systems are being used today?  (Or have been tried?)
                - How would we expect to employ the system we develop?
                - How do the User IDs in this system relate to other
                  systems such as mail address or Penn ID?

2:45 - 2:55     Define our next steps

2:55 - 3:00     Administrative
                - We are dce-authen-wg@isc.upenn.edu
                - Meeting summaries
                - Decide on regular meeting date, duration


dce-authen-wg@isc.upenn.edu:

alex@dccs arzt@dccs awhite@sas batista@pobox johnsonj@pobox lila@staff.udc
litwack@dccs millar@pobox morrison@seas powell@pobox riegera@wharton
rosenblatt@umis seidita@pobox shuque@sas


Meeting Summary
---------------

Attending: Alex Garthwaite, Noam Arzt, Emily Batista, Lila Shapiro,
Chris Hiester, Mark Litwack, Dave Millar, Norm Morrison, Ellen
Rosenblatt, Shumon Huque

(* = action item.  Please send omissions/corrections in summary to
litwack@dccs.)

  Introductions were made and all members are on board with the
group's goal of single sign-on and enhanced network security.

  SEAS has a central database, based on Hesiod, of all user accounts
that existed over the past five years, which totals approximately
10,000 userids.  They do not reuse userids when assigning accounts for
incoming students.  Students receive their account by swiping their
PennID through a card reader at the engineering school.  Students are
given a choice of about 20 different userids that they could have
within the engineering school.  They must choose one.  Name changes
after assignment have proved to be very difficult.

  SAS has 6,000 users on-line and will soon have 10,000.  When
assigning accounts, they use the PAS system to authenticate the user.
Once authenticated, the user is assigned the first non-duplicate name
on mail.sas, generated by a series of name transformation/combination
algorithms.  The user has the option of rejecting the chosen name, in
which case they must negotiate with SAS system administrators for a
name.

  Wharton was not at the meeting, but it was known that their
algorithm is to use the first 6 letters of the person's last name and
the last 2 digits of their ID number.

  UMIS is considering using the first 8 characters of the person's
last name, but nothing has been decided or implemented yet.

* Mark will talk to Carl and find out about UMIS' willingness to
become a part of the new userid scheme.

  It was agreed that our goal is to implement an OSF Kerberos
authentication system, but we should be aware of interactions with
other systems and not focus exclusively on OSF.  It was also
made known that this group would be responsible for other base-level
services needed for Kerberos, such as time services, possibly parts of
the directory service, and other as-yet-undetermined necessities.

  It was felt that our immediate focus should be training on
Kerberos, but also that we could continue discussions on developing a
common user name space in parallel after we gain some basic knowledge.

* Mark will arrange to have a course or talk on Kerberos given to the
group.

* Mark will arrange to have Wharton talk to the group about their
experiences.

* Mark will track down and send to the group information on the GES
security seminar in Princeton on July 12 and 13, although it appears
to be mostly focused on physical network security.

* Norm will contact MIT to find out about their user name assignment
strategies.

* Ellen will contact Iowa State to find out about their user name
assignment strategies.

* Mark will contact the Small Schools and Radiology to find out what
assignment methods they use.

  It was agreed that we would set up a regular meeting schedule,
starting next week, on Tuesdays from 1:00pm-2:00pm.  For those people
not at the meeting, please confirm that you can make it.  Our
alternate time is 2:00pm-3:00pm on Tuesdays if this time slot is no
good.  We will meet in the UDC conference room, 3401 Walnut, Rm 335B
(thank you, Lila).

* Mark will get Chris Hiester added to the mailing list reflector.