Re: Implementing a Public Key Infrastructure

[Steve Worona <sworona () EDUCAUSE EDU>]

There are low-tech (and, hence, low-cost) examples of two-factor authentication. See, for example, "Grid Cards" at 
<http://www.entrust.com/strong-authentication/mutual-authentication/methods.htm>. This is apparently a proprietary 
trademark and technology of Entrust, but I believe similar systems exist. Also see references to "scratch cards" at 
<http://www.informationweek.com/showArticle.jhtml?articleID=172303289> and elsewhere.
Steve
-----
At 9:28 AM -0800 2/16/06, Barbara Chung (DURTSCHI) wrote:
> We often think of two-factor as being something-that-you-know and
> something-that-you-have, assuming that what you have is on a hardware
> token.  I suspect that the banks will be looking at deploying some kind
> of cryptographic device (they won't tell anyone of course) on the user's
> machine. Bank of America is using something they call SiteKey:
> http://www.bankofamerica.com/privacy/sitekey/
>
> I don't know if it's a cert (I suspect not), or just some kind of
> interesting signed cryptographic token. There are so many ways this
> could be done.
>
> Barbara Chung, CISSP, CISM
> Security Advisor, Education
> 917-592-0185
>
> -----Original Message-----
> From: Steve Brukbacher [mailto:sab2 () UWM EDU]
> Sent: Thursday, February 16, 2006 12:09 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Implementing a Public Key Infrastructure
>
> Jack,
> "Starting in January 2007, the SEC has
> mandated financial institutions doing online business with customers
> MUST have two-factor authentication in place. "
>
> Im trying to verify this.  Is there a link you can point me to that
> states this?
>
> How are they defining "financial institutions"?
>
> --
> Steve Brukbacher
> University of Wisconsin Milwaukee
> Information Security Coordinator
> UWM Computer Security Web Site
> www.security.uwm.edu
> Phone: 414.229.2224
>
>
>
> jack suess wrote:
> > Internet2 has a number of PKI activities in place. Look at
> > middleware.internet2.edu. Jim jokl of U.Va is heading up the higher ed
>
> > PKI group (HEPKI). I2 is trying to help with some of the issues
> related
> > to CREN closing and higher ed PKI.
> >
> > Also Educause has a program where you can get discounts on trusted PKI
>
> > certs from different vendors, if you go through a 3rd party this will
> > save $$. Steve worona <sworona () educause edu
> > <mailto:sworona () educause edu>> is the point of contact at educause for
> this.
> > Finally, last week I was at the net@edu conference. Both Jim and Nick
> > Davis presented at a session there on their respective PKI role out.
> > There slides may be up under the net@edu conference.
> >
> > It was a very interesting discussion between U.VA, which has developed
>
> > their own CA, and U.Wisc that went through a 3rd party, geotrust, for
> > their implementation.
> >
> > What struck me in this discussion was the importance of understanding
> > what you want to accomplish with PKI and making sure it fits your
> plans.
> > On face value it appears more costly to go with a commercial CA but if
>
> > you are only going to roll out certs to a small subset of your
> > population then the costs may be quite comparable. Wisconsin showed
> that
> > for its initial rollout of a few thousand certs it would have cost
> more
> > to do this internally than to outsource it when you add in the cost of
>
> > purchasing the CA and staffing. In addition, if key escrow is critical
>
> > to your plans you should build that in and that may point to a
> > commercial provider.
> >
> > On the other hand, UVA, VT, and MIT and others have all have done
> their
> > own CA and found some use out of it. Again, the question is what your
> > target application is and how broad the deployment will be.
> >
> > Finally, something that has not been mentioned often that you should
> > keep in the back of your mind. Starting in January 2007, the SEC has
> > mandated financial institutions doing online business with customers
> > MUST have two-factor authentication in place. People are still not
> sure
> > what that will mean in terms of specific implementation but it is
> clear
> > you will see a surge in alternate authentication schemes coming out
> late
> > this year by different financial institutions.
> >
> >
> > jack suess
> >
> > On Feb 14, 2006, at 11:58 AM, Ricardo Lafosse wrote:
> >
> > > I have recently invested an ample amount of time in researching how
> to
> > > implement a Public Key Infrastructure.  I am interested in knowing if
>
> > > anyone has had prior experience employing this practice and what
> > > difficulties were encountered?
> > >
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > >
> > >
> > > Ricardo Lafosse
> > >
> > > Systems Administrator
> > >
> > > Enterprise Computing Services
> > >
> > > Florida Atlantic University
> > >
> > > rlafosse () fau edu <mailto:rlafosse () fau edu> <mailto:l () fau edu>