RE: Yes, I am still alive (Lower Cost - Action Plan)

[<Smith.Ross@tbs-sct.gc.ca>]

OK Steve - Here is the revised document, with the changes you suggested.  I hate to include arbitrary dates though, and then pass it off to someone else to do the work.  I am hoping the sub-committee can agree to a reasonable schedule.  (I think the level of effort required for this item is substantial.)

With respect to your final comment....
"> We already have some info on the relative importance
> of various PKI costs from our follow-up survey. I think
> that's enough to get the best practices survey going.
> We can always include more questions about costs
> in the best practices survey if we need more info.
> Speaking from experience, each survey takes a lot of
> time and effort for all parties. I'd rather avoid
> having to do two surveys on this one after the other.

I understand where you are coming from, but I'm not convinced we have enough objective data to make a reasonable determination as to what the relative costs of PKI are, which ones are considered to be  "too high" (and why), or how high is "too high".  

Good Luck everyone.
Ross

 <<Impl Plan for LowerCosts 0.01.doc>> 

Ross Smith
PKI Secretariat | Secrétariat de l'ICP
IT Security (ITS) | Sécurité des TI (STI)
Chief Information Officer Branch | Direction du dirigeant principal de l'information
Treasury Board of Canada, Secretariat | Secrétariat du Conseil du Trésor du Canada
Ottawa, Canada K1A 0R5
613-946-7735 | Smith.Ross@tbs-sct.gc.ca | facsimile/télécopieur 613-946-9893




 -----Original Message-----
From: 	Steve Hanna [mailto:Steve.Hanna@Sun.COM] 
Sent:	January 16, 2004 4:36 PM
To:	Smith, Ross
Subject:	Re: Yes, I am still alive

Sounds good. We should be able to get it out
to the PKI TC early next week.

Thanks,

Steve

Smith.Ross@tbs-sct.gc.ca wrote:
> 
> I agree, I think we are pretty close.  I'll clean up the action plan and get it back to you over the weekend.
> 
> Ross
> 
> Ross Smith
> IT Security (ITS) | Sécurité des TI (STI)
> Chief Information Officer Branch | Direction du dirigeant principal de l'information
> Treasury Board of Canada, Secretariat | Secrétariat du Conseil du Trésor du Canada
> Ottawa, Canada K1A 0R5
> 613-946-7735 | Smith.Ross@tbs-sct.gc.ca | facsimile/télécopieur 613-996-1476
> 
>  -----Original Message-----
> From:   Steve Hanna [mailto:Steve.Hanna@Sun.COM]
> Sent:   Thursday, January 15, 2004 2:03 PM
> To:     Smith, Ross
> Subject:        Re: Yes, I am still alive
> 
> That phone exchange was odd, eh? Anyway, I think
> we have almost resolved this by email. I have
> included my responses below. Please review these
> and get back to me tonight by email to let me
> know if you think we're in good shape. If so,
> we can skip the phone call tomorrow morning and
> one of us (you or I) can prepare a revised draft
> of the Implementation Plan reflecting this discussion.
> 
> Thanks,
> 
> Steve
> 
> Smith.Ross@tbs-sct.gc.ca wrote:
> > >   I see the best practices part. That's the
> > >   letters/questionnaires/surveys. But I don't
> > >   see the low cost software piece. How would we
> > >   do that? I'd say gather customers who want
> > >   such software, agree on requirements, and
> > >   approach vendors (and open source communities)
> > >   to get bids. An RFP process, I guess you'd say.
> > >   Does that make sense to you?
> > >
> > RS - I hadn't thought of it like that.  I like the idea of gathering requirements. I assume you mean 'functional' requirements.  I think that makes sense.  I'm not sure about the RFP like process.  Would vendors go for that?  I guess we have enough representation on the TC to answer that.  How would we deal with the open source community in that scenario?
> 
> Yes, functional requirements is what I mean but
> also any other requirements: support, etc. I don't
> know if vendors would like this or not. As you
> say, the PKI TC is a good place to find out.
> The Open Source community would be able to bid
> just like anyone else. Some people will take
> cash to make improvements to Open Source code
> and release those improvements back to the
> Open Source codebase. All good questions.
> 
> > > * On the best practices piece, the questions
> > >   you proposed to ask in the survey don't seem
> > >   directed at best practices. Am I missing something?
> > >
> > RS - No, I'm missing something.  I just very quickly rattled some examples off the top of my head.  We definitely need questions related to best practices.  A good deal of work needs to go into the questionnaire.
> 
> OK, fine. I suggest that you remove the list of
> questions then and just say "questions on best
> practices for cost reduction in PKI deployments".
> 
> I also suggest that you remove details from
> other items in the Implementation Plan that
> contain straw man lists (like the list of
> PKI costs).
> 
> And you need to add dates to at least some of
> the items in the plan.
> 
> > > * What is the analysis of PKI costs for? It's
> > >   probably useful, but I don't know what role
> > * it plays in the plan.
> >
> > RS - If the goal is to lower costs, we need to understand where the costs are coming from.  CA software acquisition is just one part of it.  If we significantly reduce that one cost, but there are other costs that are also too high (or perceived to be), we will have accomplished little.
> > In my mind, I saw the initial analysis feeding the questionnaire for best practices.
> 
> We already have some info on the relative importance
> of various PKI costs from our follow-up survey. I think
> that's enough to get the best practices survey going.
> We can always include more questions about costs
> in the best practices survey if we need more info.
> Speaking from experience, each survey takes a lot of
> time and effort for all parties. I'd rather avoid
> having to do two surveys on this one after the other.

Impl Plan for LowerCosts 0.01.doc