Re: Implementing a Public Key Infrastructure

[Steve Brukbacher <sab2 () UWM EDU>]

Jack,
"Starting in January 2007, the SEC has
mandated financial institutions doing online business with customers
MUST have two-factor authentication in place. "

Im trying to verify this.  Is there a link you can point me to that
states this?

How are they defining "financial institutions"?

--
Steve Brukbacher
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224



jack suess wrote:
> Internet2 has a number of PKI activities in place. Look at
> middleware.internet2.edu. Jim jokl of U.Va is heading up the higher ed
> PKI group (HEPKI). I2 is trying to help with some of the issues related
> to CREN closing and higher ed PKI.
>
> Also Educause has a program where you can get discounts on trusted PKI
> certs from different vendors, if you go through a 3rd party this will
> save $$. Steve worona <sworona () educause edu
> <mailto:sworona () educause edu>> is the point of contact at educause for this.
>
> Finally, last week I was at the net@edu conference. Both Jim and Nick
> Davis presented at a session there on their respective PKI role out.
> There slides may be up under the net@edu conference.
>
> It was a very interesting discussion between U.VA, which has developed
> their own CA, and U.Wisc that went through a 3rd party, geotrust, for
> their implementation.
>
> What struck me in this discussion was the importance of understanding
> what you want to accomplish with PKI and making sure it fits your plans.
>
> On face value it appears more costly to go with a commercial CA but if
> you are only going to roll out certs to a small subset of your
> population then the costs may be quite comparable. Wisconsin showed that
> for its initial rollout of a few thousand certs it would have cost more
> to do this internally than to outsource it when you add in the cost of
> purchasing the CA and staffing. In addition, if key escrow is critical
> to your plans you should build that in and that may point to a
> commercial provider.
>
> On the other hand, UVA, VT, and MIT and others have all have done their
> own CA and found some use out of it. Again, the question is what your
> target application is and how broad the deployment will be.
>
> Finally, something that has not been mentioned often that you should
> keep in the back of your mind. Starting in January 2007, the SEC has
> mandated financial institutions doing online business with customers
> MUST have two-factor authentication in place. People are still not sure
> what that will mean in terms of specific implementation but it is clear
> you will see a surge in alternate authentication schemes coming out late
> this year by different financial institutions.
>
>
> jack suess
>
> On Feb 14, 2006, at 11:58 AM, Ricardo Lafosse wrote:
>
> > I have recently invested an ample amount of time in researching how to
> > implement a Public Key Infrastructure.  I am interested in knowing if
> > anyone has had prior experience employing this practice and what
> > difficulties were encountered?
> >
> >
> >
> > Thanks
> >
> >
> >
> >
> >
> > Ricardo Lafosse
> >
> > Systems Administrator
> >
> > Enterprise Computing Services
> >
> > Florida Atlantic University
> >
> > rlafosse () fau edu <mailto:rlafosse () fau edu> <mailto:l () fau edu>