and of course ... my standard response that it is possible to do digital
signature authentication w/o requiring certificates .... aka corporate
access can be done with radius or kerberos .... using digital signatures
and certificates have nothing at all to do with it (aka frequent
description that you just wave certificates over a bunch of bits and the
rest is magic; digital signature?, digital signature!, we need no #$%
digital signatures!!!).


http://www.computerworld.com/securitytopics/security/story/0,10801,76940,00.html

Government Subpoena Sidelines PKI Project

A court order sentences our security manager to two weeks of hard labor
creating forensic images of employee hard drives.

By MATHIAS THURMAN
DECEMBER 23, 2002

Now that my company's wireless LAN project is under control and ready for
deployment, I thought I could start my research project on public-key
infrastructure (PKI). That was before the feds dropped by this week with a
subpoena. But more on that in a moment.

With regard to PKI, I have a feeling that once my company sees the costs
involved, it will more than likely find some way of postponing or even
killing the project. Until that decision is made, however, I'm pressing on
with the feasibility study and will provide some pricing options to the
executive staff. As part of the study, I plan to assemble a list of areas
within the company that I feel could benefit from PKI.

The obvious areas include e-mail, disk and file encryption, and virtual
private network (VPN) access. To further assist me in determining other
areas that would benefit, I've scheduled meetings with representatives from
different departments. I need to understand all the enterprise applications
being used within the company and get a feel as to how receptive key
managers and employees will be to a PKI implementation.

One of the traditional problems with PKI is that most people don't really
understand the technology and how it could benefit them and their
companies. Most of the time, each employee has his own idea or
interpretation of what PKI is and what it can offer. By meeting with key
individuals from each department, I can determine whether PKI might benefit
each area.

For example, in talking with a representative from the professional
services group, I learned that we have a Web-based professional services
automation (PSA) tool, which is currently accessed via a VPN connection
from employee laptops. There is some frustration within the team, as some
of our company engagements are in government facilities that don't allow us
to use our laptops. They do, however, let our consultants use the
government computer systems to access the Internet (go figure). PKI would
allow our employees to obtain a short-term certificate that they could use
to access the PSA tool.

I've spent a considerable amount of time on wireless connectivity within
the company. By using PKI, I can control wireless access by issuing
certificates to those individuals who should be allowed access. The
certificates can be stored in a Universal Serial Bus-type device that's
small enough to fit on a key chain, or the certificates can be stored on
the user's laptop. Once I get a handle on which departments and
applications can benefit, I can formulate a request for information and
submit it to a few PKI integrators. We hope to find one company that can
handle all of our requirements. A PKI implementation will require a
substantial amount of money, however, so at this point, I suspect that we
will back off.

.. snip ..

--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm
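The opening point, that signature authentication needs no certificate when the server already holds the user's public key in its own account record (as a RADIUS or Kerberos server could), as an added Go example that is not part of the original post. Server, Challenge, ClientSign and Verify are hypothetical names, and Ed25519 from the Go standard library is assumed as the signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server stands in for a RADIUS or Kerberos server: the account record
// holds the user's public key directly, registered at enrollment, so
// no certificate or CA is involved. (Hypothetical type, added example.)
type Server struct {
	Keys    map[string]ed25519.PublicKey
	pending map[string][32]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{Keys: map[string]ed25519.PublicKey{}, pending: map[string][32]byte{}}
}

// Challenge issues a fresh nonce bound to the account name; the signed
// message is nonce||user, so a signature for one account is useless for another.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.Keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		return nil, err
	}
	s.pending[user] = n
	return append(n[:], user...), nil
}

// ClientSign is the user's side: sign the challenge with the private key
// held on the laptop or a USB token (no certificate travels with it).
func ClientSign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify consumes the outstanding challenge, so the same signature
// cannot be replayed, then checks it against the registered key.
func (s *Server) Verify(user string, sig []byte) bool {
	n, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.Keys[user], append(n[:], user...), sig)
}
```

The server's only trust anchor is the key it stored at enrollment; a lost token is handled by replacing that one record, with no revocation list to publish.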
