Re: Seeking RFP text for server and messaging cert mgmt services

[Jere Retzer <retzerj () OHSU EDU>]

Good points, but why would you want a user to trust ABA, Autoridad,
Baltimore, Belgicom (he asks just reading down the list of root CAs that
comes with IE) more than Notre Dame? The idea that we should ask our
users to trust some company no one has heard of more than their
university seems a bit upside down, doesn't it? And how good are the
controls over what gets into the browser anyway?

> > > dobbins () ND EDU 6/15/2004 6:05:32 PM >>>
As we work to raise user awareness of security, one of the guidelines
commonly given is to not accept certs that the browser doesn't already
trust.  That's a coarse-grained advice, for sure, but training them to
at least be suspicious is a starting point.  So, conveying how and
when to differentiate between root-signed and "self-signed" certs is a
challenge for non-technical users - they want one rule for every case.

That, and sometimes it's not clear to all end-users how to import a
new root into, say, Thunderbird mail.  So, they either get angry, or
we dilute the "don't accept questionable certs" training.

Maybe someday, when the PK mechanism is better understood by the
end-user populace....


Jere Retzer wrote:

> True, but is not appearing in the Microsoft-distributed list a
barrier?
> Most folks are pretty casual about accepting certificates. If you
can't
> trust ND, then who can you trust (except in football, of course)?
>
>
> > > > dobbins () ND EDU 6/15/2004 11:01:03 AM >>>
>
> Certainly attractive, especially for internal e-mail signing, but
last
> I'd heard the EduCause CA does not yet appear in the trusted root
> store of commodity browsers. (?)
>
> Many of our SSL users will not be ND affiliates, so we'd be
reluctant
> (or unable) to insert the root CA into their cert store.
>
>
> Jere Retzer wrote:
>
>
> > Does anyone roll their own root certificate as suggested in the
>
> Educause
>
> > best practices guide? This sounds like it might be the way to go.
>
> See
>
> >
http://www.educause.edu/security/guide/EncryptionandAuthentication.asp

> > > > > mike.wiseman () UTORONTO CA 6/15/2004 7:36:50 AM >>>
> >
> > Our cert needs started out similarly - SSL certs for administrative
> > websites. The central
> > IT group purchased Verisign certs up front and were provided with
>
> web
>
> > management
> > capability to verify the requestor and handle internal chargeback. I
> > believe the cost of
> > the certs discouraged most academic departments from offering https
>
> and
>
> > so growth in their
> > use was low. This past year after some investigation we moved to
>
> Comodo
>
> > mainly because the
> > server cert prices are much lower and now there is more interest in
> > implementing https.
> > The reasons for the big price difference seem to be nebulous - my
>
> guess
>
> > is they have to do
> > with maturity in the CA business as well as the chained cert
> > technology.
> >
> > Mike
> >
> > Mike Wiseman
> > Manager - Computer Security Administration
> > Computing and Networking Services
> > University of Toronto
> >
> > ----- Original Message -----
> > From: "Bill Frazier" <frazier () IASTATE EDU>
> > To: <SECURITY () LISTSERV EDUCAUSE EDU>
> > Sent: Tuesday, June 15, 2004 8:58 AM
> > Subject: Re: [SECURITY] Seeking RFP text for server and messaging
>
> cert
>
> > mgmt services
> >
> >
> >
> >
> > > When we got into the use of certs (mostly SSL, a very few
> > > code-signing), I had trouble finding a cost effective vendor.
> > > This was several years ago.  The actual number of certs needed
> > > was unknown as people all over campus were just beginning to
> > > realize that these things were useful.  At any rate, we
> > > settled on the SPKI (Starter PKI) package from Thawte (since
> > > purchased by Verisign but still operating as Thawte).  As it
> > > stands now, I purchase what amount to cert tokens in advance.
> > > Each of these can be used to purchase a particular kind of
> > > cert.  AIT has the contract and we act as the aproving agent
> > > (Security Officer).  Cert are issued to requestors (Technical
> > > Officers).  The whole thing is web based and we control who
> > > are on the list of tech officers.
> > >
> > > Bill
> > >
> > > __________________________________________________________________
> > > On Mon, 14 Jun 2004 09:57:06 CDT, Gary Dobbins wrote:
> > >
> > > Has anyone constructed an RFP they can share related to external
> >
> > cert
> >
> >
> > > mgmt services like the examples below?  (a couple of Verisign's and
> > > Geotrust's offerings)
> > >
> > >
> > > Managed PKI for SSL
> > > http://www.verisign.com/products/onsite/ssl/index.html
> > >
> > > Enterprise SSL
> > > http://www.geotrust.com/enterprise_security/enterprisessl.htm
> > >
> > >
> > > True Credentials Express
> > > http://www.geotrust.com/enterprise_security/truecredexp.htm
> > >
> > > Managed PKI for Trusted Messaging
> > > http://www.verisign.com/products/trustedMessaging/index.html
> > >
> > > --
> > >
> > >  ------------------------------------------------------------
> > >  Gary Dobbins, CISSP -- Director, Information Security
> > >  University of Notre Dame, Office of Information Technologies
> > >
> > > **********
> > > Participation and subscription information for this EDUCAUSE
> >
> > Discussion
> >
> >
> > > Group d
> > > iscussion list can be found at http://www.educause.edu/cg/.
> > >
> > >
> > >
> > >
> > > __________________________________________________________________
> > > Bill Frazier                                 frazier () iastate edu
> > > Assistant Director/Software Support          voice: (515) 294-8620
> > > Iowa State University                        fax:   (515) 294-1717
> > > Academic Information Technologies, 291 Durham, Ames, Iowa 50011
> > >
> > > **********
> > > Participation and subscription information for this EDUCAUSE
> >
> > Discussion Group discussion
> > list can be found at http://www.educause.edu/cg/.
> >
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
>
> Discussion
>
> > Group discussion list can be found at http://www.educause.edu/cg/.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE
>
> Discussion Group discussion list can be found at
> http://www.educause.edu/cg/.
>
> --
>
>    ------------------------------------------------------------
>    Gary Dobbins, CISSP -- Director, Information Security
>    University of Notre Dame, Office of Information Technologies
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

--

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- dobbins () nd edu
   Director, Information Security
   University of Notre Dame, Office of Information Technologies
   Voice: 574.631.5554
   ------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.