Educause Security Discussion mailing list archives

Re: Implementing a Public Key Infrastructure


From: "Waller, Michael A. (HSC)" <Michael-Waller () OUHSC EDU>
Date: Wed, 15 Feb 2006 15:05:29 -0600

I think the common interpretation is that if you're collecting financial
information, you're obligated to protect that information. We base
our policies on a wide range of legislation including HIPAA, FERPA and
GLBA. I think it's good practice to treat protected information as
protected information, regardless of your core 'business'. Universities
aren't banks, but there's still an obligation to protect information
used as part of a financial transaction.

Mike Waller   CISSP
Information Technology, Information Security Services
The University of Oklahoma Health Sciences Center
Rogers Building, Room 124
Office: (405) 271-2476
Fax: (405) 271-2181
Cell: (405) 343-0847
http://www.ouhsc.edu/it/security/
-----Original Message-----
From: Dick Jacobson [mailto:Dick.Jacobson () NDSU NODAK EDU] 
Sent: Wednesday, February 15, 2006 12:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Implementing a Public Key Infrastructure

On Wed, 15 Feb 2006, jack suess wrote:

I hate to ask but .... the comment below about "financial institutions"
and "two-factor authentication". Are Higher Ed institutions considered
"financial institutions" for purposes of this mandate?

Internet2 has a number of PKI activities in place. Look at
middleware.internet2.edu. Jim Jokl of U.Va is heading up the higher
ed PKI group (HEPKI). I2 is trying to help with some of the issues
related to CREN closing and higher ed PKI.

Also Educause has a program where you can get discounts on trusted
PKI certs from different vendors; if you go through a 3rd party this
will save $$. Steve Worona <sworona () educause edu> is the point of
contact at Educause for this.

Finally, last week I was at the net@edu conference. Both Jim and Nick
Davis presented at a session there on their respective PKI rollouts.
Their slides may be up under the net@edu conference.

It was a very interesting discussion between U.VA, which has
developed their own CA, and U.Wisc, which went through a 3rd party,
GeoTrust, for their implementation.

What struck me in this discussion was the importance of understanding
what you want to accomplish with PKI and making sure it fits your
plans.

On face value it appears more costly to go with a commercial CA, but
if you are only going to roll out certs to a small subset of your
population then the costs may be quite comparable. Wisconsin showed
that for its initial rollout of a few thousand certs it would have
cost more to do this internally than to outsource it when you add in
the cost of purchasing the CA and staffing. In addition, if key
escrow is critical to your plans you should build that in, and that
may point to a commercial provider.

On the other hand, UVA, VT, MIT and others have all done
their own CA and found some use out of it. Again, the question is
what your target application is and how broad the deployment will be.

Finally, something that has not been mentioned often that you should
keep in the back of your mind. Starting in January 2007, the SEC has
mandated financial institutions doing online business with customers
MUST have two-factor authentication in place. People are still not
sure what that will mean in terms of specific implementation, but it
is clear you will see a surge in alternate authentication schemes
coming out late this year by different financial institutions.


jack suess

On Feb 14, 2006, at 11:58 AM, Ricardo Lafosse wrote:

I have recently invested an ample amount of time in researching how
to implement a Public Key Infrastructure. I am interested in
knowing if anyone has had prior experience employing this practice
and what difficulties were encountered?

Thanks

Ricardo Lafosse
Systems Administrator
Enterprise Computing Services
Florida Atlantic University
rlafosse () fau edu
----------------------------------------------------------------------- 
Dick Jacobson                   e-mail : Dick.Jacobson () ndus NoDak edu
ND HECN MultiUser Host SysAd    office : IACC 206, NDSU
NDUS IT Security Officer        phone  : 701-231-7385
----------------------------------------------------------------------- 