Educause Security Discussion mailing list archives

Re: Implementing a Public Key Infrastructure


From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Thu, 16 Feb 2006 12:18:08 -0500

If you fall under the purview of the FFIEC, you are affected:
http://www.ffiec.gov/press/pr101205.htm

Article in US Banker:
http://www.us-banker.com/article.html?id=20051201JIHJ1EXA


James A.St.Clair, CISM
Sr. Manager
Global Public Sector
Grant Thornton LLP
(703) 637-3078 (office)
(703) 727-6332 (mobile)
(703) 837-4455 (fax)

-----Original Message-----
From: Steve Brukbacher [mailto:sab2 () UWM EDU] 
Sent: Thursday, February 16, 2006 12:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Implementing a Public Key Infrastructure

Jack,
"Starting in January 2007, the SEC has
mandated financial institutions doing online business with customers
MUST have two-factor authentication in place. "

I'm trying to verify this.  Is there a link you can point me to that
states this?

How are they defining "financial institutions"?

-- 
Steve Brukbacher
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224



jack suess wrote:
Internet2 has a number of PKI activities in place. Look at
middleware.internet2.edu. Jim Jokl of U.Va is heading up the higher ed
PKI group (HEPKI). I2 is trying to help with some of the issues related
to CREN closing and higher ed PKI.

Also Educause has a program where you can get discounts on trusted PKI
certs from different vendors; if you go through a 3rd party this will
save $$. Steve Worona <sworona () educause edu> is the point of contact
at Educause for this.

Finally, last week I was at the net@edu conference. Both Jim and Nick
Davis presented at a session there on their respective PKI rollouts.
Their slides may be up under the net@edu conference.

It was a very interesting discussion between U.VA, which has developed
their own CA, and U.Wisc, which went through a 3rd party, GeoTrust, for
their implementation.

What struck me in this discussion was the importance of understanding
what you want to accomplish with PKI and making sure it fits your
plans.

On face value it appears more costly to go with a commercial CA, but if
you are only going to roll out certs to a small subset of your
population then the costs may be quite comparable. Wisconsin showed
that for its initial rollout of a few thousand certs it would have cost
more to do this internally than to outsource it when you add in the
cost of purchasing the CA and staffing. In addition, if key escrow is
critical to your plans you should build that in, and that may point to
a commercial provider.

On the other hand, UVA, VT, MIT and others have all done their own CA
and found some use out of it. Again, the question is what your target
application is and how broad the deployment will be.

Finally, something that has not been mentioned often that you should
keep in the back of your mind. Starting in January 2007, the SEC has
mandated financial institutions doing online business with customers
MUST have two-factor authentication in place. People are still not sure
what that will mean in terms of specific implementation, but it is
clear you will see a surge in alternate authentication schemes coming
out late this year by different financial institutions.


jack suess

On Feb 14, 2006, at 11:58 AM, Ricardo Lafosse wrote:

I have recently invested an ample amount of time in researching how to
implement a Public Key Infrastructure.  I am interested in knowing if
anyone has had prior experience employing this practice and what
difficulties were encountered?

Thanks

Ricardo Lafosse
Systems Administrator
Enterprise Computing Services
Florida Atlantic University
rlafosse () fau edu
