Educause Security Discussion mailing list archives
Re: Seeking RFP text for server and messaging cert mgmt services
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 16 Jun 2004 05:53:02 -0500
It's not so much that those entities are necessarily more trustworthy than ND, it's that anyone can author a cert that claims to be 'ND'. Only the ones which also participate in the established chain of trust will avoid the browser's "are you sure this is who they claim to be?" question. That's a question many end users aren't (yet) prepared to answer with any certainty. If it were commonplace for end users to traceback a cert's path, and also that they all knew that CREN/Educause was a legitimate root authority, and how to verify same, then we'd be ok. The built-in root list does that for them already, and to leverage it we have to pay one of them to sign a cert for us. Otherwise, users have nothing to base trust on other than to accept the cert's own claim for its legitimacy. ABA, Autoridad, etc have gone to the trouble of paying MS and others the "tax" (a bit more than I can scrape together) that lets them preload their CA into browsers distributed to mass-audiences, specifically so users can have a moderate level of confidence that an unchallenged cert is likely to be what it says it is (if they doubleclick the lock icon on their browser, and it says eBay, and they're surfing eBay, then it's probabably eBay, as long as the browser doesn't ask them that question above). I must admit, I'm not a CA/PKI expert by ANY means, and so may have the above entirely wrong, or be overlooking some aspect (see, not a PKI expert). Addressing the challenge of users who want to be more secure -- but who also need the security mechanisms and environment to be as accessible as possible -- is something PKI (as a class) doesn't yet seem to have solved. Until then, we pay for certs.... Jere Retzer wrote:
Good points, but why would you want a user to trust ABA, Autoridad, Baltimore, Belgicom (he asks just reading down the list of root CAs that comes with IE) more than Notre Dame? The idea that we should ask our users to trust some company no one has heard of more than their university seems a bit upside down, doesn't it? And how good are the controls over what gets into the browser anyway?dobbins () ND EDU 6/15/2004 6:05:32 PM >>>As we work to raise user awareness of security, one of the guidelines commonly given is to not accept certs that the browser doesn't already trust. That's a coarse-grained advice, for sure, but training them to at least be suspicious is a starting point. So, conveying how and when to differentiate between root-signed and "self-signed" certs is a challenge for non-technical users - they want one rule for every case. That, and sometimes it's not clear to all end-users how to import a new root into, say, Thunderbird mail. So, they either get angry, or we dilute the "don't accept questionable certs" training. Maybe someday, when the PK mechanism is better understood by the end-user populace.... Jere Retzer wrote:True, but is not appearing in the Microsoft-distributed list abarrier?Most folks are pretty casual about accepting certificates. If youcan'ttrust ND, then who can you trust (except in football, of course)?dobbins () ND EDU 6/15/2004 11:01:03 AM >>>Certainly attractive, especially for internal e-mail signing, butlastI'd heard the EduCause CA does not yet appear in the trusted root store of commodity browsers. (?) Many of our SSL users will not be ND affiliates, so we'd bereluctant(or unable) to insert the root CA into their cert store. Jere Retzer wrote:Does anyone roll their own root certificate as suggested in theEducausebest practices guide? This sounds like it might be the way to go.Seehttp://www.educause.edu/security/guide/EncryptionandAuthentication.aspmike.wiseman () UTORONTO CA 6/15/2004 7:36:50 AM >>>Our cert needs started out similarly - SSL certs for administrative websites. The central IT group purchased Verisign certs up front and were provided withwebmanagement capability to verify the requestor and handle internal chargeback. I believe the cost of the certs discouraged most academic departments from offering httpsandso growth in their use was low. This past year after some investigation we moved toComodomainly because the server cert prices are much lower and now there is more interest in implementing https. The reasons for the big price difference seem to be nebulous - myguessis they have to do with maturity in the CA business as well as the chained cert technology. Mike Mike Wiseman Manager - Computer Security Administration Computing and Networking Services University of Toronto ----- Original Message ----- From: "Bill Frazier" <frazier () IASTATE EDU> To: <SECURITY () LISTSERV EDUCAUSE EDU> Sent: Tuesday, June 15, 2004 8:58 AM Subject: Re: [SECURITY] Seeking RFP text for server and messagingcertmgmt servicesWhen we got into the use of certs (mostly SSL, a very few code-signing), I had trouble finding a cost effective vendor. This was several years ago. The actual number of certs needed was unknown as people all over campus were just beginning to realize that these things were useful. At any rate, we settled on the SPKI (Starter PKI) package from Thawte (since purchased by Verisign but still operating as Thawte). As it stands now, I purchase what amount to cert tokens in advance. Each of these can be used to purchase a particular kind of cert. AIT has the contract and we act as the aproving agent (Security Officer). Cert are issued to requestors (Technical Officers). The whole thing is web based and we control who are on the list of tech officers. Bill __________________________________________________________________ On Mon, 14 Jun 2004 09:57:06 CDT, Gary Dobbins wrote: Has anyone constructed an RFP they can share related to externalcertmgmt services like the examples below? (a couple of Verisign's and Geotrust's offerings) Managed PKI for SSL http://www.verisign.com/products/onsite/ssl/index.html Enterprise SSL http://www.geotrust.com/enterprise_security/enterprisessl.htm True Credentials Express http://www.geotrust.com/enterprise_security/truecredexp.htm Managed PKI for Trusted Messaging http://www.verisign.com/products/trustedMessaging/index.html -- ------------------------------------------------------------ Gary Dobbins, CISSP -- Director, Information Security University of Notre Dame, Office of Information Technologies ********** Participation and subscription information for this EDUCAUSEDiscussionGroup d iscussion list can be found at http://www.educause.edu/cg/. __________________________________________________________________ Bill Frazier frazier () iastate edu Assistant Director/Software Support voice: (515) 294-8620 Iowa State University fax: (515) 294-1717 Academic Information Technologies, 291 Durham, Ames, Iowa 50011 ********** Participation and subscription information for this EDUCAUSEDiscussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSEDiscussionGroup discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSEDiscussion Group discussion list can be found at http://www.educause.edu/cg/. -- ------------------------------------------------------------ Gary Dobbins, CISSP -- Director, Information Security University of Notre Dame, Office of Information Technologies ********** Participation and subscription information for this EDUCAUSEDiscussionGroup discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSEDiscussion Group discussion list can be found at http://www.educause.edu/cg/. -- ------------------------------------------------------------ Gary Dobbins, CISSP -- dobbins () nd edu Director, Information Security University of Notre Dame, Office of Information Technologies Voice: 574.631.5554 ------------------------------------------------------------ ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
-- ------------------------------------------------------------ Gary Dobbins, CISSP -- dobbins () nd edu Director, Information Security University of Notre Dame, Office of Information Technologies Voice: 574.631.5554 ------------------------------------------------------------ ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: Seeking RFP text for server and messaging cert mgmt services, (continued)
- Re: Seeking RFP text for server and messaging cert mgmt services Mike Wiseman (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Jere Retzer (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Larry Jennings (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Mike Wiseman (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Gary Dobbins (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Jere Retzer (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Larry Jennings (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Antivirus Administrator (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Gary Dobbins (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Jere Retzer (Jun 15)
- Re: Seeking RFP text for server and messaging cert mgmt services Gary Dobbins (Jun 16)