Educause Security Discussion mailing list archives

Re: SSL scaling


From: Jack Suess <jack () UMBC EDU>
Date: Fri, 17 Jun 2011 07:26:49 -0400

DigiCert has improved their offering considerably once the InCommon program was released. That is great news; our goal 
at InCommon was to change the marketplace. Choice is good; as you compare companies with InCommon, look at these points.

Two things to look at for any long term deal:

1) EV certs will increase in importance. You want your domain name highlighted on important sites that are potential 
targets of phishing attacks. InCommon throws these in for free, some companies charge individually for these, in some 
cases this is quite high in cost. At UMBC all my high visibility sites will be moving to EV, this is dozens of EV 
certificates.

2) personal (client) certs will likely explode in usage. Mobile computing authentication, digital signatures, 802.1x, 
and improving security beyond text based passwords will mean that over the next few years you will probably see each 
person having multiple client certs. These are free with InCommon.  For client certs we include key escrow at no 
additional cost.

Higher Ed is the only group InCommon we offer the CERT service to.  InCommon's offering is driven by a PKI subcommittee 
composed of security people and PKI experts from higher Ed institutions. We are making sure our offering meets higher 
Ed needs because you are the only group we care about.

Please look at the InCommon offering, we are trying to meet higher ed's needs and find ways to use certificates to 
really enhance security practices in higher Ed. To do that we need people to look at the big picture of where we are 
trying to take this service and help us mold the effort to meet your needs.

Jack Suess
UMBC Division of Information Technology (DoIT)

On Jun 16, 2011, at 11:58 AM, "Hubert, Wesley R" <whubert () KU EDU> wrote:

DigiCert is offering our school a fixed-price managed PKI service with
unlimited SSL and individual client certificates. We're still in the process of
reviewing this, but the company has been a joy to work with in the past.
They're also ranked 5 stars (on a 5-point scale) at SSL Shopper (
http://www.sslshopper.com/certificate-authority-reviews.html ). --Wes

-- Wes Hubert <whubert () ku edu>
Information Security Analyst, Information Technology
University of Kansas, Lawrence KS 66045



On 6/15/11 10:47 AM, "Michael A. Smith" <msmith64 () ZIMBRA NAZ EDU> wrote:

We currently use a vended managed PKI portal that allows us to issue SSL
certs to internal customers when they roll out a website, but its costs
increase almost linearly with the size of our web portfolio. With the way
the web is moving, I don't think this linear growth is sustainable. What
solutions are in place and recommended among small to medium institutions
for managing SSL certificates? Is a wild card cert the only way to manage
this growth?

I confess when I first moved to Higher Ed I was surprised to find that
Educause itself doesn't operate in the CA space. After it has vetted an
institution for a .edu domain, the process for validating that
institution's identity is already shortcut, is it not?

(I apologize if this is a FAQ. I've been unable to access the
listserve.educause.edu site to research the archives for some reason.)

Best wishes,
Michael A. Smith
Web & Digital / Academic Technologies Manager
Nazareth College


