Information Security
re: Information security in FIX
Ryan Pierce / Townsend Analytics Ltd. / Archipelago LLC 3 Sep 2002 11:45AM ET
> With regards to using PGP keys for authentication, is this a common practice in the financial industry? If it is, is it also a norm to expire the keys after perhaps 1-2 years? I am curious how the keys are being managed ..
I really can't say if PGP is common in the financial industry in anything other than FIX.
The straight DES approach has issues because firms disagree on certain things, like how to handle the last encryption block. PGP-DES-MD5 is rather popular for FIX encryption, largely because I believe it is the only FIX security model that came with a useable code implementation, so interoperability is much easier.
I really think issues like key size, key expiration, CRLs, CA certificate issuing policies, and key management are well outside the scope of the FIX spec. Firms configure PGP in accordance with their firm's security policy; only the actual authentication and key exchange using PGP is governed by the FIX spec.