Educause Security Discussion mailing list archives

Info relating to PKI


From: Don Murdoch <dmurdoch () ODU EDU>
Date: Wed, 15 Feb 2006 07:58:28 -0500

Greetings.

Here are some thoughts regarding PKI, based on my work in a former
campground where I assisted in developing a UETA compliant digital
signature application.

UETA …You should read about this legislation and determine how far you want
to go w/ digi-sig’s. The natural inclination is to replace a blue ink
signature, which historically has had the “force of law” (if I have that
phrase correct). For instance:
http://www.dir.state.tx.us/standards/UETA_Guideline.htm

Searching Google… Use this phrase “certificate service practice statement
filetype:pdf” and you will find the CPS of many, many firms. From a
procedural point of view, in order to have longevity w/ PKI you need a CPS.
From a keeping your hair point of view, figure out how you are going to
renew certificates annually. From a sanity perspective, decide now if you
are going to use tokens and if so what OS’s you plan to support.

Research … You should research the Higher Ed Bridge Certificate Authority,
which is based on the Fed Bridge C.A. Interesting reading.

Echoing Valdis… The only “signature” that will stand the test of time is
one that is cycled through a token device, where the token device must have
been present at the time of signing the document AND the user needed to
enter the PIN to access the device. It is possible for malware to acquire
the PIN via keylogging, but w/o the device you cannot perform the
signature.

Companies: Check out eOriginal and Compass (in Chesapeake), among others.
At least these two manufacture digital signature products (e-vaults). The
one from Compass did have patent(s) applied to it.

Building Root CA’s: My GCUX paper describes developing a Root CA and
hardening the UNIX platform that it would reside on. This paper was
specifically designed to address the Higher Ed Bridge CA / Fed Bridge CA
requirements.
http://www.giac.org/certified_professionals/practicals/gcux/0225.php

- djm -
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don Murdoch, CISSP + 10 others
Information Systems Security Officer
Tel: 757-683-4580    Office of Computing and Communications Services
Fax: 757-683-5155    Old Dominion University - Norfolk, Virginia
This signature block is not a digital signature under UETA. This email may
contain private or confidential University information.  If you received
this message in error, inform the sender and delete it.
