Educause Security Discussion mailing list archives
Re: SSL scaling
From: Jack Suess <jack () UMBC EDU>
Date: Fri, 17 Jun 2011 07:26:49 -0400
DigiCert has improved their offering considerably once the InCommon programs was released. That is great news, our goal at InCommon was to change the marketplace. Choice is good, as you compare companies with incommon look at these points. Two things to look at for any long term deal: 1) EV certs will increase in importance. You want your domain name highlighted on important sites that are potential targets of phishing attacks. INcommon throws these in for free, some companies charge individually for these, in some cases this is quite high in cost. At UMBC all my high visibility sites will be moving to EV, this is dozens of EV certificates. 2) personal (client) certs will likely explode in usage. Mobile computing authentication, digital signatures, 802.1x, and improving security beyond text based passwords will mean that over the next few years you will probably see each person having multiple client certs. These are free with InCommon. For client certs we include key escrow at no additional cost. Hgher Ed is the only group InCommon we offer the CERT service too. InCommon's offering is driven by a PKI subcommittee composed of security people and PKI experts from higher Ed institutions. We are making sure our offering meets higher Ed needs because you are the only group we care about. Please look at the InCommon offering, we are trying to meet higher ed's needs and find ways to use certificates to really enhance security practices in higher Ed. To do that we need people to look at the big picture of where we are trying to take this service and help us mold the effort to meet your needs. Jack Suess UMBC Division of Information Technology (DoIT) On Jun 16, 2011, at 11:58 AM, "Hubert, Wesley R" <whubert () KU EDU> wrote:
DigiCert is offering our school a fixed-price managed PKI service with unlimited SSL and individual client certificates. We're still in process reviewing this, but the company has been a joy to work with in the past. They're also ranked 5 stars (on a 5-point scale) at SSL Shopper ( http://www.sslshopper.com/certificate-authority-reviews.html ). --Wes -- Wes Hubert <whubert () ku edu> Information Security Analyst, Information Technology University of Kansas, Lawrence KS 66045 On 6/15/11 10:47 AM, "Michael A. Smith" <msmith64 () ZIMBRA NAZ EDU> wrote:We currently use a vended managed PKI portal that allows us to issue SSL certs to internal customers when they roll out a website, but its costs increase almost linearly with the size of our web portfolio. With the way the web is moving, I don't think this linear growth is sustainable. What solutions are in place and recommended among small to medium institutions for managing SSL certificates? Is a wild card cert the only way to manage this growth? I confess when I first moved to Higher Ed I was surprised to find that Educause itself doesn't operate in the CA space. After it has vetted an institution for a .edu domain, the process for validating that institution's identity is already shortcut, is it not? (I apologize if this is a FAQ. I've been unable to access the listserve.educause.edu site to research the archives for some reason.) Best wishes, Michael A. Smith Web & Digital / Academic Technologies Manager Nazareth College
Current thread:
- Re: SSL scaling, (continued)
- Re: SSL scaling John Ladwig (Jun 15)
- Re: SSL scaling Flynn, Gary - flynngn (Jun 15)
- Re: SSL scaling Jay Fowler (Jun 15)
- Re: SSL scaling Frazier, William S [ITSYS] (Jun 15)
- Re: SSL scaling John Ladwig (Jun 15)
- Re: SSL scaling Frazier, William S [ITSYS] (Jun 15)
- Re: SSL scaling King, Ronald A. (Jun 15)
- Re: SSL scaling Jack Suess (Jun 15)
- Re: SSL scaling Hubert, Wesley R (Jun 16)
- Re: SSL scaling Michael Fertig (Jun 17)
- Re: SSL scaling Kevin Halgren (Jun 21)
- Re: SSL scaling Jack Suess (Jun 17)
- Re: SSL scaling Andy Hooper (Jun 20)
- Re: SSL scaling Michael Fertig (Jun 17)