Re: Implementing a Public Key Infrastructure

["Barbara Chung (DURTSCHI)" <bchung () MICROSOFT COM>]

Nothing wrong with low-tech when it gives you the level of assurance
that you're looking for.  Particularly if it gives you a manageable
process.  One of the most common misconceptions around is that high-tech
gives you high-assurance. Certs are the perfect example--the technology
is a no-brainer, but the management of them to a high level of assurance
can be very challenging and expensive.

Some European banks have been using scratch-cards for a really long
time. I think the American end-user is a different beast though--not
sure I would try this particular method here.

I know this isn't a banking forum, but the banks have been dying to use
certificate technology for years, and the problem they have with end
users has some similarity to education's issues with students:  how do
you provide high-quality secure services to users on untrusted machines?

It may be possible to borrow the hard lessons they've learned so that
you don't have to live through them yourself.

Barbara Chung, CISSP, CISM
Security Advisor, Education
917-592-0185


-----Original Message-----
From: Steve Worona [mailto:sworona () EDUCAUSE EDU] 
Sent: Thursday, February 16, 2006 1:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Implementing a Public Key Infrastructure

There are low-tech (and, hence, low-cost) examples of two-factor
authentication. See, for example, "Grid Cards" at
<http://www.entrust.com/strong-authentication/mutual-authentication/meth
ods.htm>. This is apparently a proprietary trademark and technology of
Entrust, but I believe similar systems exist. Also see references to
"scratch cards" at
<http://www.informationweek.com/showArticle.jhtml?articleID=172303289>
and elsewhere.
Steve
-----
At 9:28 AM -0800 2/16/06, Barbara Chung (DURTSCHI) wrote:
> We often think of two-factor as being something-that-you-know and 
> something-that-you-have, assuming that what you have is on a hardware 
> token.  I suspect that the banks will be looking at deploying some kind

> of cryptographic device (they won't tell anyone of course) on the 
> user's machine. Bank of America is using something they call SiteKey:
> http://www.bankofamerica.com/privacy/sitekey/
>
> I don't know if it's a cert (I suspect not), or just some kind of 
> interesting signed cryptographic token. There are so many ways this 
> could be done.
>
> Barbara Chung, CISSP, CISM
> Security Advisor, Education
> 917-592-0185
>
> -----Original Message-----
> From: Steve Brukbacher [mailto:sab2 () UWM EDU]
> Sent: Thursday, February 16, 2006 12:09 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Implementing a Public Key Infrastructure
>
> Jack,
> "Starting in January 2007, the SEC has
> mandated financial institutions doing online business with customers 
> MUST have two-factor authentication in place. "
>
> Im trying to verify this.  Is there a link you can point me to that 
> states this?
>
> How are they defining "financial institutions"?
>
> --
> Steve Brukbacher
> University of Wisconsin Milwaukee
> Information Security Coordinator
> UWM Computer Security Web Site
> www.security.uwm.edu
> Phone: 414.229.2224
>
>
>
> jack suess wrote:
> > Internet2 has a number of PKI activities in place. Look at 
> > middleware.internet2.edu. Jim jokl of U.Va is heading up the higher 
> > ed
>
> > PKI group (HEPKI). I2 is trying to help with some of the issues
> related
> > to CREN closing and higher ed PKI.
> >
> > Also Educause has a program where you can get discounts on trusted 
> > PKI
>
> > certs from different vendors, if you go through a 3rd party this will

> > save $$. Steve worona <sworona () educause edu 
> > <mailto:sworona () educause edu>> is the point of contact at educause 
> > for
> this.
> > Finally, last week I was at the net@edu conference. Both Jim and Nick

> > Davis presented at a session there on their respective PKI role out.
> > There slides may be up under the net@edu conference.
> >
> > It was a very interesting discussion between U.VA, which has 
> > developed
>
> > their own CA, and U.Wisc that went through a 3rd party, geotrust, for

> > their implementation.
> >
> > What struck me in this discussion was the importance of understanding

> > what you want to accomplish with PKI and making sure it fits your
> plans.
> > On face value it appears more costly to go with a commercial CA but 
> > if
>
> > you are only going to roll out certs to a small subset of your 
> > population then the costs may be quite comparable. Wisconsin showed
> that
> > for its initial rollout of a few thousand certs it would have cost
> more
> > to do this internally than to outsource it when you add in the cost 
> > of
>
> > purchasing the CA and staffing. In addition, if key escrow is 
> > critical
>
> > to your plans you should build that in and that may point to a 
> > commercial provider.
> >
> > On the other hand, UVA, VT, and MIT and others have all have done
> their
> > own CA and found some use out of it. Again, the question is what your

> > target application is and how broad the deployment will be.
> >
> > Finally, something that has not been mentioned often that you should 
> > keep in the back of your mind. Starting in January 2007, the SEC has 
> > mandated financial institutions doing online business with customers 
> > MUST have two-factor authentication in place. People are still not
> sure
> > what that will mean in terms of specific implementation but it is
> clear
> > you will see a surge in alternate authentication schemes coming out
> late
> > this year by different financial institutions.
> >
> >
> > jack suess
> >
> > On Feb 14, 2006, at 11:58 AM, Ricardo Lafosse wrote:
> >
> > > I have recently invested an ample amount of time in researching how
> to
> > > implement a Public Key Infrastructure.  I am interested in knowing 
> > > if
>
> > > anyone has had prior experience employing this practice and what 
> > > difficulties were encountered?
> > >
> > >
> > >
> > > Thanks
> > >
> > >
> > >
> > >
> > >
> > > Ricardo Lafosse
> > >
> > > Systems Administrator
> > >
> > > Enterprise Computing Services
> > >
> > > Florida Atlantic University
> > >
> > > rlafosse () fau edu <mailto:rlafosse () fau edu> <mailto:l () fau edu>