Re: Implementing a Public Key Infrastructure

[Theresa M Rowe <rowe () OAKLAND EDU>]

Based on my read, this applies to banks and those covered by
the Federal Reserve system, members of the FDIC, members of
the National Credit Union Administration, and similar
institutions.  I can't see that this applies to higher ed;
did someone come to a different conclusion?
Theresa

---- Original message ----
> Date: Thu, 16 Feb 2006 12:18:08 -0500
> From: "St Clair, Jim" <Jim.StClair () GT COM>
> Subject: Re: [SECURITY] Implementing a Public Key
Infrastructure
> To: SECURITY () LISTSERV EDUCAUSE EDU
>
> If you fall under the purview of the FFIEC, you are
affected:
> http://www.ffiec.gov/press/pr101205.htm
>
> Article in US Banker:
> http://www.us-banker.com/article.html?id=20051201JIHJ1EXA
>
>
> James A.St.Clair, CISM
> Sr. Manager
> Global Public Sector
> Grant Thornton LLP
> (703) 637-3078 (office)
> (703) 727-6332 (mobile)
> (703) 837-4455 (fax)
>
> -----Original Message-----
> From: Steve Brukbacher [mailto:sab2 () UWM EDU]
> Sent: Thursday, February 16, 2006 12:09 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: Implementing a Public Key Infrastructure
>
> Jack,
> "Starting in January 2007, the SEC has
> mandated financial institutions doing online business with
customers
> MUST have two-factor authentication in place. "
>
> Im trying to verify this.  Is there a link you can point me
to that
> states this?
>
> How are they defining "financial institutions"?
>
> --
> Steve Brukbacher
> University of Wisconsin Milwaukee
> Information Security Coordinator
> UWM Computer Security Web Site
> www.security.uwm.edu
> Phone: 414.229.2224
>
>
>
> jack suess wrote:
> > Internet2 has a number of PKI activities in place. Look
at
> > middleware.internet2.edu. Jim jokl of U.Va is heading up
the higher ed
> > PKI group (HEPKI). I2 is trying to help with some of the
issues
> related
> > to CREN closing and higher ed PKI.
> >
> > Also Educause has a program where you can get discounts
on trusted PKI
> > certs from different vendors, if you go through a 3rd
party this will
> > save $$. Steve worona <sworona () educause edu
> > <mailto:sworona () educause edu>> is the point of contact at
educause for
> this.
> > Finally, last week I was at the net@edu conference. Both
Jim and Nick
> > Davis presented at a session there on their respective
PKI role out.
> > There slides may be up under the net@edu conference.
> >
> > It was a very interesting discussion between U.VA, which
has developed
> > their own CA, and U.Wisc that went through a 3rd party,
geotrust, for
> > their implementation.
> >
> > What struck me in this discussion was the importance of
understanding
> > what you want to accomplish with PKI and making sure it
fits your
> plans.
> > On face value it appears more costly to go with a
commercial CA but if
> > you are only going to roll out certs to a small subset of
your
> > population then the costs may be quite comparable.
Wisconsin showed
> that
> > for its initial rollout of a few thousand certs it would
have cost
> more
> > to do this internally than to outsource it when you add
in the cost of
> > purchasing the CA and staffing. In addition, if key
escrow is critical
> > to your plans you should build that in and that may point
to a
> > commercial provider.
> >
> > On the other hand, UVA, VT, and MIT and others have all
have done
> their
> > own CA and found some use out of it. Again, the question
is what your
> > target application is and how broad the deployment will
be.
> > Finally, something that has not been mentioned often that
you should
> > keep in the back of your mind. Starting in January 2007,
the SEC has
> > mandated financial institutions doing online business
with customers
> > MUST have two-factor authentication in place. People are
still not
> sure
> > what that will mean in terms of specific implementation
but it is
> clear
> > you will see a surge in alternate authentication schemes
coming out
> late
> > this year by different financial institutions.
> >
> >
> > jack suess
> >
> > On Feb 14, 2006, at 11:58 AM, Ricardo Lafosse wrote:
> >
> > > I have recently invested an ample amount of time in
researching how
> to
> > > implement a Public Key Infrastructure.  I am interested
in knowing if
> > > anyone has had prior experience employing this practice
and what
> > > difficulties were encountered?
> > >
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > >
> > >
> > > Ricardo Lafosse
> > >
> > > Systems Administrator
> > >
> > > Enterprise Computing Services
> > >
> > > Florida Atlantic University
> > >
> > > rlafosse () fau edu <mailto:rlafosse () fau edu>
<mailto:l () fau edu>
> > >
>
>
> --------------------------------------------------------
>
>
> In accordance with applicable professional regulations,
please understand that, unless expressly stated otherwise,
any written advice contained in, forwarded with, or attached
to this e-mail is not intended or written by Grant Thornton
LLP to be used, and cannot be used, by any person for the
purpose of avoiding any penalties that may be imposed under
the Internal Revenue Code.
> --------------------------------------------------------
>
> This e-mail is intended solely for the person or entity to
which it is addressed and may contain confidential and/or
privileged information.  Any review, dissemination, copying,
printing or other use of this e-mail by persons or entities
other than the addressee is prohibited.  If you have
received this e-mail in error, please contact the sender
immediately and delete the material from any computer.
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services