Educause Security Discussion mailing list archives
Re: Implementing a Public Key Infrastructure
From: Steve Worona <sworona () EDUCAUSE EDU>
Date: Thu, 16 Feb 2006 13:09:02 -0500
There are low-tech (and, hence, low-cost) examples of two-factor authentication. See, for example, "Grid Cards" at <http://www.entrust.com/strong-authentication/mutual-authentication/methods.htm>. This is apparently a proprietary trademark and technology of Entrust, but I believe similar systems exist. Also see references to "scratch cards" at <http://www.informationweek.com/showArticle.jhtml?articleID=172303289> and elsewhere. Steve ----- At 9:28 AM -0800 2/16/06, Barbara Chung (DURTSCHI) wrote:
We often think of two-factor as being something-that-you-know and something-that-you-have, assuming that what you have is on a hardware token. I suspect that the banks will be looking at deploying some kind of cryptographic device (they won't tell anyone of course) on the user's machine. Bank of America is using something they call SiteKey: http://www.bankofamerica.com/privacy/sitekey/ I don't know if it's a cert (I suspect not), or just some kind of interesting signed cryptographic token. There are so many ways this could be done. Barbara Chung, CISSP, CISM Security Advisor, Education 917-592-0185 -----Original Message----- From: Steve Brukbacher [mailto:sab2 () UWM EDU] Sent: Thursday, February 16, 2006 12:09 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Implementing a Public Key Infrastructure Jack, "Starting in January 2007, the SEC has mandated financial institutions doing online business with customers MUST have two-factor authentication in place. " Im trying to verify this. Is there a link you can point me to that states this? How are they defining "financial institutions"? -- Steve Brukbacher University of Wisconsin Milwaukee Information Security Coordinator UWM Computer Security Web Site www.security.uwm.edu Phone: 414.229.2224 jack suess wrote:Internet2 has a number of PKI activities in place. Look at middleware.internet2.edu. Jim jokl of U.Va is heading up the higher edPKI group (HEPKI). I2 is trying to help with some of the issuesrelatedto CREN closing and higher ed PKI. Also Educause has a program where you can get discounts on trusted PKIcerts from different vendors, if you go through a 3rd party this will save $$. Steve worona <sworona () educause edu <mailto:sworona () educause edu>> is the point of contact at educause forthis.Finally, last week I was at the net@edu conference. Both Jim and Nick Davis presented at a session there on their respective PKI role out. There slides may be up under the net@edu conference. It was a very interesting discussion between U.VA, which has developedtheir own CA, and U.Wisc that went through a 3rd party, geotrust, for their implementation. What struck me in this discussion was the importance of understanding what you want to accomplish with PKI and making sure it fits yourplans.On face value it appears more costly to go with a commercial CA but ifyou are only going to roll out certs to a small subset of your population then the costs may be quite comparable. Wisconsin showedthatfor its initial rollout of a few thousand certs it would have costmoreto do this internally than to outsource it when you add in the cost ofpurchasing the CA and staffing. In addition, if key escrow is criticalto your plans you should build that in and that may point to a commercial provider. On the other hand, UVA, VT, and MIT and others have all have donetheirown CA and found some use out of it. Again, the question is what your target application is and how broad the deployment will be. Finally, something that has not been mentioned often that you should keep in the back of your mind. Starting in January 2007, the SEC has mandated financial institutions doing online business with customers MUST have two-factor authentication in place. People are still notsurewhat that will mean in terms of specific implementation but it isclearyou will see a surge in alternate authentication schemes coming outlatethis year by different financial institutions. jack suess On Feb 14, 2006, at 11:58 AM, Ricardo Lafosse wrote:I have recently invested an ample amount of time in researching howtoimplement a Public Key Infrastructure. I am interested in knowing ifanyone has had prior experience employing this practice and what difficulties were encountered? Thanks Ricardo Lafosse Systems Administrator Enterprise Computing Services Florida Atlantic University rlafosse () fau edu <mailto:rlafosse () fau edu> <mailto:l () fau edu>
Current thread:
- Implementing a Public Key Infrastructure Ricardo Lafosse (Feb 14)
- <Possible follow-ups>
- Re: Implementing a Public Key Infrastructure Steve Devoti (Feb 14)
- Re: Implementing a Public Key Infrastructure Valdis Kletnieks (Feb 14)
- Re: Implementing a Public Key Infrastructure jack suess (Feb 15)
- Re: Implementing a Public Key Infrastructure Dick Jacobson (Feb 15)
- Re: Implementing a Public Key Infrastructure Waller, Michael A. (HSC) (Feb 15)
- Re: Implementing a Public Key Infrastructure Steve Brukbacher (Feb 16)
- Re: Implementing a Public Key Infrastructure St Clair, Jim (Feb 16)
- Re: Implementing a Public Key Infrastructure Barbara Chung (DURTSCHI) (Feb 16)
- Re: Implementing a Public Key Infrastructure Pullman, Nick (Feb 16)
- Re: Implementing a Public Key Infrastructure Steve Worona (Feb 16)
- Re: Implementing a Public Key Infrastructure Theresa M Rowe (Feb 16)
- Re: Implementing a Public Key Infrastructure Barbara Chung (DURTSCHI) (Feb 16)
- Re: Implementing a Public Key Infrastructure Joe St Sauver (Feb 16)
- Re: Implementing a Public Key Infrastructure Cary, Kim (Feb 20)
- Re: Implementing a Public Key Infrastructure Valdis Kletnieks (Feb 20)
- Re: Implementing a Public Key Infrastructure Eric Brewer (Feb 20)