Re: certification



Mark Sienkiewicz writes:
>>I volunteer (as I have in the past) to do a
>>PGP merit badge course, and/or an SSH merit badge
>>course, or perhaps one covering both.
>
>Please describe the benefits of this approach.  How does it help
>me to have a PGP merit badge or an SSH merit badge?

I have two examples from real life.

1. a group which accepts information via a secure
Web form, but then wants to keep the information
secure; the info is PGP encrypted in the CGI
script and sent off to a "drop box" machine, which
accepts this stuff but otherwise doesn't talk on
the net. Being able to organise something like
this is not trivial, and not a common skill among
sysadmins.

2. QUALCOMM uses SSH extensively to allow people
travelling or using cable modems from home to
access the internal resources. We also have a
corporate policy that certain information can only
be discussed in email with PGP (even internally!).
We have SAs who have brought themselves up to
speed with these technologies, but if we ever need
to replace them, I could imagine a job ad saying
"Unix SA, with PGP/SSH, DNS, Cisco, and firewall
merit badges preferred."

That's what I had in mind, and I don't think it is
too far from what the SAGE Executive had in mind.

What would be in, for example, a PGP Merit badge?
It would start with a bunch of self-study
exercises.
- get and install PGP
- Create a key
- Import a bunch of other keys
  (so far these are all trivial)
- correspond with someone using PGP
- Implement a script that keeps a directory of files
encrypted, and allows you to pull them out or put
them back one-at-a-time, but can remember your
password for a short period for when you need to
get at lots of them. (Probably some other script
application... this was the one that occurred to
me in haste, but the point was to embed PGP use in
a script in a non-trivial way)
- Get connected to the Web of Trust
- Create a revocation certificate for the key,
without publicly revoking it or stuffing yourself
up.

When the candidate felt up to it, there might be
a short test (say 1 hour) conducted under the
honour system. They'd ask for a test by email,
and get a set of somewhat randomised questions,
like...

1. Decrypt this file. Answer the question inside
it. Encrypt the reply to keyid 0x9BDAF223.

2. Explain in your own words the importance of the
Web of Trust.

3. Here is a real script using PGP. Explain the
options and configuration parameters, what they
do and why you think they are used in the
script.

(and a few more).

When the test was scored, the candidate
would/would not get a Merit badge (certificate)
and a record would be kept in case it needed to be
verified.

That's it, really.

Greg.

Greg Rose               INTERNET: ggr@qualcomm.com
QUALCOMM Australia      VOICE:  +61-2-9743 4646   FAX: +61-2-9736 3262
6 Kingston Avenue       http://people.qualcomm.com/ggr/ 
Mortlake NSW 2137       B5 DF 66 95 89 68 1F C8  EF 29 FA 27 F2 2A 94 8F