November 4th meeting to discuss additional support for rolling out PDCs on eTokens to the entire university
| Invitees | Attendees |
| --- | --- |
| Alaoui, Ismael | Alaoui, Ismael |
| Branscome, Patty | |
| Cornish, Carol | Cornish, Carol |
| Dunker, Mary | Dunker, Mary |
| Dustin, James | Dustin, James |
| Galligan, Frank | Galligan, Frank |
| Harvey, Michael | |
| Herrington, Karen | Herrington, Karen |
| | Hurley, Carol |
| Kelley, Cindy | |
| Kidd, Jeff | Kidd, Jeff |
| Krallman, John | Krallman, John |
| Kroll, Greg | Kroll, Greg |
| Landreth, Joyce | |
| Rodgers, Patricia | Rodgers, Patricia |

Agenda
- Discuss potential demand for expanded locations and hours beyond what StuTel offers.
- Describe the process of issuing certificates.
- Describe the process of resetting an eToken PIN.
- Get buy-in (or rejections) from areas so we'll know which groups to contact if/when we need to expand.
- Support for Northern Virginia Graduate School.
- Karen Akers is head of the NOVA Center. Justin Davenport is the IT contact for the entire area of the NCR. Jim Bohland is the Exec. Director of the NCR.
- Collecting blue eTokens.
- Escalation issues for workflow questions.
Meeting Notes
- Mary Dunker made an announcement at the DCSS on October 21, 2008 about distributing eTokens to departments that had a need for them. To date, she has not received any takers except for the Graduate School, but she did receive a comment about not being interested if it required filling out an IT project initiation form.
- Carol Cornish said that graduate school faculty and staff have received the 64K eTokens. It went smoothly and wait time was minimal.
- Mary Dunker mentioned that IT line managers (Erv and his direct reports) and Dwight Shelton are experimenting with a certificate that provides a higher level of assurance than the current personal digital certificate.
- Note: the numbers below correspond to agenda items above.
- Current StuTel hours for getting an eToken are listed at http://www.pki.vt.edu/pdc/preparation.html. Today's meeting is to discuss potential ways other IT units might help with issuance of eTokens if demand becomes too great for this limited schedule.
- Ismael described the process of issuing eTokens and the various roles of those involved.
- Basically a two-step, two-station process, involving a Certification Authority Administrator (CA) and a Registration Authority Administrator (RA).
- John Krallman suggested that, since this is a two-step process, as required by internal audit, perhaps we could use software distribution on the third floor of Torgersen for one station and then use the Innovation Space on the first floor for the second station.
- It was mentioned that the biggest disadvantage of this idea is that it is sure to anger some faculty members who are in a hurry and do not want to have to make the trip 3 floors up or down to complete the process.
- Before considering this idea as a potential solution Mary should check with internal audit.
- John's idea does not pose any technical issues for the Token Administration System (TAS), as it was designed for 2-station issuance. The stations are currently kept close together for customer convenience.
- On the positive side, many thought having the 2 stations separate might be more secure, as the requirement to double-check the customer photo ID would, perhaps, be more stringent.
- Another idea is for users to schedule appointments for getting an eToken; that way software distribution and Innovation Space could be ready for them.
- Neither software distribution nor Innovation Space can commit to having both a CA and RA present at any point in time. Software distribution hours are currently 8:00 a.m. to 5:00 p.m. and Innovation Space hours are 10:00 a.m. to 8:00 p.m.
- Carol Cornish mentioned that out-of-state driver's licenses are checked against an official government book of licenses for authenticity.
- We want to provide good customer service; however, there is a fine line between good customer service and what works best for Student Telecommunications. To date, no appointments have been requested during the lunch hour.
- If we set user expectations properly, having separated stations may not be a problem.
- Inventory control issues.
- We do not have an inventory control process. TAS does provide a way to enter eToken inventory into its database. TAS keeps a record of the eTokens that are available and the eTokens that contain certificates.
- We need inventory processes and procedures.
- Need procedures for inventory at remote locations (other than StuTel). Accountability for eTokens coming in (for recycling) and going out (being issued).
- The way TAS is written, each site (e.g., StuTel) has a site key that is used for encryption and used when issuing a certificate. If a certificate is issued using a particular site key, then a PIN reset for that certificate must be done at that same site only. Any other site (e.g., 4Help) will not have the correct site key for decryption and will be unable to reset the PIN.
- TAS can be enhanced to fix this restriction.
- Ismael described the process of resetting an eToken's PIN.
- Two forms of identification are required, one of which is a Hokie Passport, plus the eToken.
- Either the Certification Authority Administrator (CA) or Registration Authority Administrator (RA) can do this; it only requires one person.
- Student wage employees cannot reset PINs. Wage employees can, as long as they are not student wage.
- Scheduling at lunchtime (generally Noon to 1:00 p.m.)
- There are problems for most areas scheduling during lunch.
- The RB14 receptionist may be a possibility; however, there is only a small overlap in schedules.
- Revoking certificates.
- As eToken distribution and use grows, we need documented procedures for revoking a certificate.
- We have discussed procedures in the past, but there is nothing official.
- We need to ensure the procedures work over the phone and can be performed by a single CA or RA.
- Karen Herrington mentioned that only a dean, director, department head, or IRM can request revoking someone else's certificate.
- See number 2 above. To summarize, Software Distribution, Innovation Space, the RB 14 receptionists and 4-Help would be good candidates for resetting passwords since that only requires one person. Each office would be willing to issue certificates if done by appointment. Since StuTel also issues certificates by appointment, they may be able to handle the demand for issuance outside the standard hours, but adding more locations would be beneficial for convenience's sake. Contacts: John Krallman, ITA; Jeff Kidd, RB 14; Pat Rodgers, 4Help and Student Telecommunications.
- NOVA support
- P14 faculty can receive eTokens (wage)
- P85 & P86 faculty cannot receive eTokens (out of state)
- Mary is hoping to get a list of names and an idea of the number of faculty that need eTokens in NOVA.
- Need further discussion of:
- Inventory control for eTokens for NOVA.
- Use of different site key.
- TAS requirements for issuing at NOVA, e.g., what roles are required remotely versus what roles can remain in Blacksburg.
- Due to driver installation issues, some users who were issued new, green eTokens were told to keep their old, blue eToken.
- Be sure 4Help is aware of the issue and the fix, and then request that old, blue eTokens be turned back in at the next issuance in RB14.
- There is a potential issue. If someone used their blue eToken to encrypt data (say, on their computer), they will need that blue eToken to decrypt the data before turning the eToken back in.