Educause Security Discussion mailing list archives
Time and labor commitment to stand up a PKI
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 13 Jun 2012 14:02:46 -0400
Hi,

We've gone without a PKI a long time because every use case that came up couldn't justify the outlay to stand up a PKI and alternatives were always found. Sometimes the concern over the operational costs and risks associated with failures overrode the perceived benefits. We're using Incommon for server certificates and plan to use them for user and code signing certificates. EFS certificates for the few places we implemented it were created on an ad-hoc basis and manually backed up.

Once again, a use case has come up causing us to revisit the decision for a campus PKI. This time to support management of off-campus Windows computers through Microsoft's Direct Access feature. We currently manage almost all on-campus JMU-owned Windows computers using SCCM/SUP and Secunia and would like to extend that to JMU-owned computers off-campus.

Given the Incommon services, I don't see a huge need for something on campus other than to handle machine certificates (for Direct Access and IPSEC) and possibly to help distribute Incommon user certificates. EFS and Bitlocker key management may enter the picture too but they're not strategic encryption options at this point. But maybe I'm missing something.

I'd like to get a feel from those of you who have gone through this process of the time and labor commitments necessary to:

1) Get up to speed on the intricacies of implementing and operating a PKI. Frankly, I find it daunting. Sure, we could copy others' CPS, bring one up, and have it operating fairly quickly. But the complexities of merging technologies with business policies in things like certificate contents and practices statements and the somewhat questionable compatibility and finish of various "standards" and products concern me. I'm very worried about what we don't know and I want to make sure we do it right the first time.

2) Actual implementation time and personnel commitments.

3) Ongoing operating, maintenance, and support time and costs.

I'd also like to ask if you know of a consultant who has actually gone through this process in a higher education environment who helped you set up something that lasted through subsequent changes in use cases, policies, integrations, and product changes and that you'd recommend to others.

We'd probably be implementing using the Microsoft Certificate Services product due to pricing and compatibility with the perceived primary use cases.

Thanks in advance for any advice.

--
Gary Flynn
Security Engineer
James Madison University